On Wed, Jul 06, 2005 at 11:54:41AM -0500, Timothy R. Chavez wrote:
> To implement this feature we rely on the concepts of a "watch" and
> "watch list". Directories hold lists of "watches" (ie: "watch lists")
> that describe auditable file names one level beneath them. If a file
> holds a pointer into a "watch list" it is auditable. When accessed by
> a system call, information about the inode and its "watches" is added
> to the audit context of the current task (an inode may have multiple
> "watches" if a hard link to a "watched" file is itself being "watched")
> which is sent to user space upon system call exit.

This sounds almost identical to inotify. Is there some way you could
use that instead? If not, you should explain why in your patch
introduction.
thanks,
greg k-h