On Tue, 06 May 2014 10:57:30 -0400
Eric Paris <eparis(a)redhat.com> wrote:
> On Mon, 2014-05-05 at 17:10 -0400, Steve Grubb wrote:
> > On Mon, 5 May 2014 16:41:53 -0400
> > Richard Guy Briggs <rgb(a)redhat.com> wrote:
> >
> > > Only problem is, it doesn't work. What assumptions am I making
> > > that aren't valid about the approach in this kernel code?
> > >
> > > I also considered adding the path string pointer to the struct
> > > audit_field.
> > >
> > > Any suggestions?
> >
> > What I was thinking about is that it should work a lot like a watch for
>
> We agree up to this point.
>
> > execution except when the watch triggers, it actually fills in a pid
> > field for a syscall rule and loads it instead of emitting an event.
>
> And now we disagree.
That's fine. It was only a suggestion. As long as the effect is the
same, I don't care how it's implemented. :-)
-Steve