On Tuesday 07 June 2005 13:15, Loulwa Salem wrote:
Steve Grubb wrote:
> Hi,
>
> Testing with the .56 kernel. I did a watch on a file and then did a move:
... snip ...
> Why does FS_WATCH have 2 formats? Both are the same type and have totally
> different name/value pairs. This messes up parsing. If they represent 2
> different pieces of information, they have to have 2 different message types.
>
> Besides, why are they split like this? They weren't like this last week. This
> introduces another 46 byte overhead to diskspace consumption for each record.
>
> Also, in the path record, it is a file - not a dir. The permissions are wrong
> as well. sb 0644.
>
> -Steve
>
> I definitely agree with Steve ... having two different FS_WATCH records
> will also break our parsing mechanism.
> I think from a test perspective, I would prefer concatenating the
> records the way they were before rather than creating another type.
> Having a different type will also cause a headache in our parse and
> verify functions.
Well they can change to whatever they need to be. I was just trying to
illustrate watches per inode per record... if someone proposes a better
format we'll go ahead and patch that. Preferably Loulwa since this is
most sensitive to her.
-tim
> - Loulwa
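The parsing problem Steve and Loulwa describe (one record type arriving with two different sets of name/value pairs) is easy to detect mechanically. The following Python is an added example, not code from the thread or from the audit project: it parses the generic `type=... msg=audit(ts:serial): k=v ...` record shape, reports any type whose records show more than one field set, and, as the workaround Loulwa prefers, concatenates the split records of one event back into a single field set. The sample lines are constructed for this example, and the field names after the type (watch_inode, watch, filterkey, perm, perm_mask, mode) are assumptions, since the actual .56-kernel output is snipped from the thread.

```python
"""Check that every audit record type carries a consistent field set.

Added example; sample records below are constructed and their field names
are assumptions, not the real FS_WATCH layout discussed in the thread.
"""
import re
from collections import defaultdict

# Generic audit record shape: "type=NAME msg=audit(ts:serial): key=value ..."
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^:]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample event: a rename of a watched file, emitted as one SYSCALL
# record, two FS_WATCH records with different keys, and one PATH record.
SAMPLE = [
    'type=SYSCALL msg=audit(1118150100.123:42): arch=40000003 syscall=38 success=yes exit=0',
    'type=FS_WATCH msg=audit(1118150100.123:42): watch_inode=1234 watch="old.txt"',
    'type=FS_WATCH msg=audit(1118150100.123:42): filterkey="watch1" perm=0 perm_mask=2',
    'type=PATH msg=audit(1118150100.123:42): name="/tmp/old.txt" inode=1234 dev=03:01 mode=0100644',
]


def parse_record(line):
    """Split one audit line into its type, serial number and field dict."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "serial": int(m.group("serial")), "fields": fields}


def field_sets_by_type(lines):
    """Map each record type to the distinct key sets seen for it."""
    shapes = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        shapes[rec["type"]].add(frozenset(rec["fields"]))
    return dict(shapes)


def inconsistent_types(lines):
    """Types that appear with more than one key set: a fixed-schema parser
    keyed on the type name cannot handle these without special casing."""
    return sorted(t for t, s in field_sets_by_type(lines).items() if len(s) > 1)


def merge_split_records(lines, rtype):
    """Concatenate all records of `rtype` that share one event serial into a
    single field dict, the shape Loulwa asks for. Conflicting values for the
    same key are an error rather than silently overwritten."""
    merged = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec["type"] != rtype:
            continue
        target = merged[rec["serial"]]
        for k, v in rec["fields"].items():
            if k in target and target[k] != v:
                raise ValueError(f"serial {rec['serial']}: conflicting {k}={target[k]!r} vs {v!r}")
            target[k] = v
    return dict(merged)


if __name__ == "__main__":
    print("types with inconsistent field sets:", inconsistent_types(SAMPLE))
    print("merged FS_WATCH records:", merge_split_records(SAMPLE, "FS_WATCH"))
```

Running the check over a real log instead of `SAMPLE` shows immediately which types would need the kind of split handling the thread objects to; the merge step only works while the two halves never disagree on a shared key, which is exactly the guarantee a single record type ought to provide.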
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit