[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: best way to audit in vfs

On Tue, 2004-12-14 at 15:42 -0600, Serge E. Hallyn wrote:
> No, I think we all agree that anything much more complicated should be done
> in userspace.  The only real reason to care about doing some in kernel space,
> I think, is to minimize wasted kernel->auditd traffic.

Caveat: I don't recommend asking userspace to grab the full path name
from inode information supplied by the kernel, as has been suggested in
the past. Although this shifts the burden of processing in the right
direction (ie: to user-space), by the time the inode info gets there,
the file might have already gone.

UID/GID -> User/Group Name has similar issues I guess, but much harder
to cover (as the kernel generally doesn't have visibility of user

Leigh Purdie, Director - InterSect Alliance Pty Ltd

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]