Re: watch structure
On Monday 04 April 2005 04:50 pm, Steve Grubb wrote:
<snip>
> Also, I wouldn't recommend wasting so much space by statically allocating
> 4096 (or whatever MAX_PATH happens to be) for each name... considering
> any file we're interested in auditing is unlikely to be MAX_PATH or even
> close to MAX_PATH. Space is more valuable in the kernel, both on the
> stack and in memory, then it is in user space.
Right, but this is just for transit. Once inside the kernel it can be put
into a memory area that is as long as strlen - which is what's done
currently.
Sure, this would require two seperate structures. I'll do this.
> And the memory should already be copied into the kernel by the time the
> process ends.
What guarantees that? netlink receive is asynchronous.
I suppose we should be waiting for a reply from the kernel. Anyway, if we
want to go the static structure approach, that's fine. I'll work on that
this week and we'll discuss the list feature a little more too.
-tim
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit