[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs



On Tue, 2004-12-14 at 15:50, Serge E. Hallyn wrote:
> Why can't you store the info in the current->audit record until syscall
> exit, and only send a message to userspace if the syscall exit says to
> do so?

Another point to keep in mind is that you ultimately want to instrument
other subsystems in the same manner as the filesystem code to capture
relevant information copied by the kernel from userspace pointers (e.g.
socket addresses), and I doubt you want to keep adding all of this
object identification information into the current audit context (and
there can be mixing, e.g Unix domain socket interplay with the
filesystem, so you might need object identification information for
multiple kinds of objects on a single syscall).

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]