Re: Getting the program name in audit messages
On Fri, 2005-04-01 at 14:36 +0100, David Woodhouse wrote:
Setting the auditable flag is only going to cause audit_log_exit() to
be
called on syscall exit _if_ audit_syscall_exit() is actually called.
That's often in the slow path of the syscall return, and triggered only
if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.
Ok, if you think that this is a real concern, and given that syscall
auditing is presently disabled by default (requires explicit audit=1
kernel boot parameter or auditctl -e 1 to enable), possibly we should
drop the patch to avc_audit for now while still adding it to
audit_log_exit. However, eventually I'd like to revisit the issue.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency