On Tue, 2004-12-14 at 16:33, Timothy R. Chavez wrote:
> Well my original message I think was hinting at doing it this way?
> But to do it effectively with only one hook, you'd need one exit
> point, right?

No. You just need to:
1) have your hook function decide whether auditing is required,
2) if so, have it emit a partial audit record with information not
available at syscall exit,
3) this will automatically enable auditing upon syscall exit
And your audit hook can be called very early, as soon as you have the
object available.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
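
The three steps in the reply above, modelled as an added userspace C example that is not part of the original message and is not kernel code. The struct, the function names, the `/etc/` watch rule and the return values are all assumptions made for illustration; the point shown is that one early hook plus the common syscall exit path covers every return path of the call.

```c
#include <stdio.h>
#include <string.h>

/* Constructed userspace model, not kernel code; every name is hypothetical. */
struct audit_ctx {
    int auditable;      /* set when a partial record has been emitted */
    char partial[128];  /* details available only inside the call */
    char final[256];    /* record completed at syscall exit */
};

/* Steps 1 and 2: decide whether to audit, then emit the partial record. */
static void audit_hook(struct audit_ctx *ctx, const char *path)
{
    if (strncmp(path, "/etc/", 5) != 0)  /* constructed watch rule */
        return;
    snprintf(ctx->partial, sizeof(ctx->partial), "path=%s", path);
    ctx->auditable = 1;  /* step 3: emitting enables auditing at exit */
}

/* Call body with several return paths; the hook runs once, early. */
static int do_open(struct audit_ctx *ctx, const char *path, int flags)
{
    audit_hook(ctx, path);
    if (flags < 0)
        return -22;  /* EINVAL */
    if (strstr(path, "missing"))
        return -2;   /* ENOENT */
    return 3;        /* success: file descriptor */
}

/* Common exit path: runs whichever return was taken. Returns 1 if logged. */
static int run_syscall(const char *path, int flags, char *out, size_t len)
{
    struct audit_ctx ctx = {0};
    int ret = do_open(&ctx, path, flags);
    if (ctx.auditable)
        snprintf(ctx.final, sizeof(ctx.final), "syscall=open exit=%d %s",
                 ret, ctx.partial);
    snprintf(out, len, "%s", ctx.final);
    return ctx.auditable;
}

int main(void)
{
    char buf[256];
    run_syscall("/etc/missing", 0, buf, sizeof(buf));
    puts(buf);
    return 0;
}
```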