Re: [RFC][PATCH] (#2) Prelim in-kernel file system auditing support
On Thu, 27 Jan 2005 12:44:51 -0600, Timothy R. Chavez <chavezt(a)gmail.com> wrote:
> Very minor nit: Define a static inline for audit_inode_alloc()
and use
> it in alloc_inode(), and eliminate the #ifdef's there (and in
> destroy_inode). You can just define them to the empty function in your
> header file if the config option isn't set. Also, static inlines are
> preferred to macros because they apply type checking even when the
> option is disabled. Documentation/SubmittingPatches, Section 2.
>
Stephen,
I personally think this is a better way of doing it. I'll make the
change barring any objections from Chris, David, or Serge. The
audit_inode_alloc() will only allocate space for an inode its
associated with a "watched" location.
> --
> Stephen Smalley <sds(a)epoch.ncsc.mil>
> National Security Agency
>
Then again, now that I think about this a little more... This won't
work. With only the inode, I'll have to automatically allocate space
for i_audit regardless of whether or not its being watched. There's
no way, at this level (and time), to infer whether or not the inode is
associated with a "watched" location. Is this acceptable? To
allocate every inode->i_audit if filesystem auditing is enabled?
Currently, we're at 28 bytes of data (1 pointer (4 bytes), 1 rw_lock
(8 bytes?), and 2 list_heads (16 bytes?). I suppose if I allocate
every inode though, I can reduce the size of audit_data by 1 list_head
because I can get rid of the list that uses it. By doing blanket
allocations it does reduce the complexity some of the code, currently.
>
--
- Timothy R. Chavez
--
- Timothy R. Chavez