[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Tue, 2004-12-14 at 15:50, Serge E. Hallyn wrote:
> Why can't you store the info in the current->audit record until syscall
> exit, and only send a message to userspace if the syscall exit says to
> do so?

A single syscall might trigger auditing on multiple objects, e.g.
multi-component pathname lookup where multiple components are flagged
for auditing.  The audit framework was designed to allow immediate
generation of partial audit records during syscall processing that would
then enable generation of a final audit record at syscall exit, with the
ability to tie them all together via the (timestamp, serial) tuples in
userspace.  That is how SELinux works with the audit subsystem; SELinux
immediately generates an audit message as appropriate from its hooks,
and this triggers generation of a final audit record for the syscall
upon exit, so you might have multiple SELinux audit messages followed by
the syscall exit one.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
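To make the correlation described above concrete, the following added example (not part of the original mail or of the kernel audit code) shows the userspace side of the design: partial records emitted mid-syscall and the final syscall-exit record are tied back together by their shared (timestamp, serial) tuple. The log lines are constructed for the example in the `type=... msg=audit(<timestamp>:<serial>):` layout used by the Linux audit log; the AVC message bodies and the `SYSCALL` record type as the "final" record are assumptions for illustration. Records whose final syscall record never arrives are reported separately, since from a detection standpoint a partial event is still evidence worth keeping.

```python
import re
from collections import OrderedDict

# Every record carries "msg=audit(<seconds>.<millis>:<serial>)". The
# (timestamp, serial) pair is the key userspace uses to tie the partial
# records generated during syscall processing to the final record at exit.
AUDIT_ID_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")


def parse_record(line):
    """Return (record_type, (timestamp, serial), body) for one line, or None."""
    m = AUDIT_ID_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    # Keep the timestamp as a string so the key compares exactly as logged.
    return rtype, (ts, int(serial)), body


def correlate(lines, final_type="SYSCALL"):
    """Group records by (timestamp, serial) into per-syscall events.

    Returns (complete, partial):
      complete - events that received their final syscall-exit record, in
                 arrival order: {"id", "syscall", "partials": [(type, body)]}
      partial  - dict of events whose final record never arrived (truncated
                 log, or the syscall never reached exit); kept, not dropped.
    """
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:  # unrelated line (e.g. daemon chatter); skip it
            continue
        rtype, key, body = rec
        ev = events.setdefault(key, {"id": key, "syscall": None, "partials": []})
        if rtype == final_type:
            ev["syscall"] = body
        else:
            ev["partials"].append((rtype, body))
    complete = [ev for ev in events.values() if ev["syscall"] is not None]
    partial = {k: ev for k, ev in events.items() if ev["syscall"] is None}
    return complete, partial


# Constructed sample: one open() that produced two AVC partial records before
# its SYSCALL exit record, and one AVC record with no exit record at all.
SAMPLE_LOG = """\
type=AVC msg=audit(1102981234.123:456): avc:  denied  { search } for  pid=2121 comm="cat" name="secret" tclass=dir
type=AVC msg=audit(1102981234.123:456): avc:  denied  { read } for  pid=2121 comm="cat" name="shadow" tclass=file
type=SYSCALL msg=audit(1102981234.123:456): arch=40000003 syscall=5 success=no exit=-13 pid=2121 comm="cat"
type=AVC msg=audit(1102981234.200:457): avc:  denied  { getattr } for  pid=2130 comm="ls" name="x" tclass=file
"""


def summarize(log_text=SAMPLE_LOG):
    """Compact view: complete events with their partial-record count, and
    the ids of events still waiting for a final record."""
    complete, partial = correlate(log_text.splitlines())
    return {
        "complete": [(ev["id"], len(ev["partials"])) for ev in complete],
        "partial": sorted(partial),
    }


if __name__ == "__main__":
    complete, partial = correlate(SAMPLE_LOG.splitlines())
    for ev in complete:
        print("event", ev["id"], "->", ev["syscall"])
        for rtype, body in ev["partials"]:
            print("   ", rtype, body)
    for key in partial:
        print("incomplete event", key, "(no syscall-exit record)")
```

The grouping key deliberately stays a plain tuple of what the kernel stamped on the record rather than a float, because two records that differ only in serial but share a timestamp must never collapse into one event.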
