On Thu, 2005-03-24 at 11:28 -0500, Stephen Smalley wrote:
> Both approaches ensure that an audit record is emitted whenever an
> auditable inode is encountered, but the present approach yields two
> separate audit records (one immediate from your hook and one upon
> syscall exit) vs. a single unified record. What do we want? What do
> others think?

All things being equal, I think I'd rather see the information added to
the audit_context and then dumped with everything else on syscall exit.
When doing the IPC patch I deliberately made the 'aux' list generic
enough that it could be used for this kind of thing.

But are there reasons why it's hard to do that here? Do we need to
report information in contexts where we can't allocate memory (or at
least can't deal with failure to do so)?

--
dwmw2