On Tue, 2005-03-15 at 15:48 -0500, Stephen Smalley wrote:
Hmmm...how is this supposed to work? audit_log_exit() isn't called
unless context->auditable is set. Should audit_notify_watch() be
setting context->auditable when adding a file to the wtrail so that it
will be processed upon syscall exit? Otherwise, you need some other
filter to enable the auditable flag separate from your watch, right?
Note btw that since SELinux does immediate generation of audit messages
via audit_log* from its hooks, this automatically enables the auditable
flag (since audit_log_start calls audit_get_stamp, and audit_get_stamp
enables the auditable flag). That is why further audit records are
written at syscall exit whenever SELinux emits an audit message from a
hook. But in your case, as you are just adding data to a list from your
hook, you need to separately enable the auditable flag in some manner.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
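
The gating described in the message above, as an added user-space model (not part of the original mail and not kernel source). The function and field names follow the mail; the function bodies, the record counts and the `set_flag` parameter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the per-syscall audit context (assumed layout). */
struct audit_context {
    bool auditable;   /* gate checked at syscall exit */
    int  wtrail_len;  /* watch entries queued by the hook during the syscall */
};

/* Per the mail: taking a stamp enables the auditable flag. */
static void audit_get_stamp(struct audit_context *ctx) { ctx->auditable = true; }

/* Per the mail: audit_log_start calls audit_get_stamp. */
static void audit_log_start(struct audit_context *ctx) { audit_get_stamp(ctx); }

/* Watch hook as described: it only adds data to a list.
 * set_flag (hypothetical) models the change suggested in the mail. */
static void audit_notify_watch(struct audit_context *ctx, bool set_flag)
{
    ctx->wtrail_len++;
    if (set_flag)
        ctx->auditable = true;
}

/* Exit path: the audit_log_exit work runs only when auditable is set.
 * Returns the number of records emitted (assumed: 1 syscall record + watches). */
static int syscall_exit(struct audit_context *ctx)
{
    int emitted = ctx->auditable ? 1 + ctx->wtrail_len : 0;
    ctx->wtrail_len = 0;  /* queued entries are gone either way */
    return emitted;
}

/* Runs one modelled syscall and returns the number of records emitted. */
static int run_syscall(bool watch_hit, bool selinux_msg, bool watch_sets_flag)
{
    struct audit_context ctx = { false, 0 };
    if (selinux_msg) audit_log_start(&ctx);
    if (watch_hit)   audit_notify_watch(&ctx, watch_sets_flag);
    return syscall_exit(&ctx);
}

int main(void)
{
    printf("watch only, flag not set: %d records\n", run_syscall(true, false, false));
    printf("watch only, hook sets flag: %d records\n", run_syscall(true, false, true));
    printf("watch plus SELinux message: %d records\n", run_syscall(true, true, false));
    return 0;
}
```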