best way to audit in vfs

Stephen Smalley sds at epoch.ncsc.mil
Wed Dec 15 16:01:49 UTC 2004


On Tue, 2004-12-14 at 16:22, Stephen Smalley wrote:
> Yes, but why can't you make the full determination in your hook
> function?  At the point of the hook function, you know:
> - the current process information,
> - the object information,
> - the call site.
> 
> It is possible that you have some complex audit configuration in mind
> that requires tying together information from multiple hooks in order to
> determine whether or not to audit the operation, but I'm not sure
> whether that is necessary.

On the other hand, it may be that by simply saving the object identity
information on a list in the current audit_context and deferring
determination to the syscall exit code, you can reduce the number of
audit hooks within the VFS, e.g. just hook permission(9) rather than the
individual vfs_* functions.
 
-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
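
The deferred approach described in the message above, sketched as a userspace model. This is an added example, not part of the original post and not kernel code; every struct, function and constant name is hypothetical, and the rule and syscall values are constructed. A single permission hook only records object identity in the per-task context, and the audit decision is made once at syscall exit.

```c
/* Userspace model (added example): all names are hypothetical, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_OBJS 8
enum { M_EXEC = 1, M_WRITE = 2, M_READ = 4 };        /* access mask bits */

struct obj_id { unsigned long dev, ino; int mask; }; /* identity seen by the hook */
struct watch_rule { unsigned long dev, ino; int mask; };
struct audit_ctx {                                   /* per task, reset at syscall entry */
    int syscall_nr, nobjs, overflow;
    struct obj_id objs[MAX_OBJS];
};

void ctx_enter(struct audit_ctx *c, int nr) {
    memset(c, 0, sizeof(*c));
    c->syscall_nr = nr;
}

/* The one hook, called from the permission check: record identity, decide nothing. */
void hook_permission(struct audit_ctx *c, unsigned long dev, unsigned long ino, int mask) {
    if (c->nobjs == MAX_OBJS) { c->overflow = 1; return; } /* never drop silently */
    c->objs[c->nobjs++] = (struct obj_id){ dev, ino, mask };
}

/* Syscall exit: deferred determination. Returns the number of records emitted. */
int ctx_exit(struct audit_ctx *c, const struct watch_rule *r, int nrules, long ret) {
    int emitted = 0;
    for (int i = 0; i < c->nobjs; i++)
        for (int j = 0; j < nrules; j++)
            if (c->objs[i].dev == r[j].dev && c->objs[i].ino == r[j].ino &&
                (c->objs[i].mask & r[j].mask)) {
                printf("audit: syscall=%d dev=%lu ino=%lu mask=%d ret=%ld\n",
                       c->syscall_nr, r[j].dev, r[j].ino, c->objs[i].mask, ret);
                emitted++;
                break;                               /* one record per object */
            }
    if (c->overflow) { printf("audit: syscall=%d object list overflowed\n", c->syscall_nr); emitted++; }
    c->nobjs = 0;
    return emitted;
}

int main(void) {
    struct watch_rule rules[] = { { 8, 1234, M_WRITE } };  /* constructed rule */
    struct audit_ctx c;
    ctx_enter(&c, 5);                                /* constructed syscall number */
    hook_permission(&c, 8, 2, M_EXEC);               /* directory traversal */
    hook_permission(&c, 8, 1234, M_WRITE);           /* the watched inode */
    return ctx_exit(&c, rules, 1, 0) == 1 ? 0 : 1;
}
```

The bounded list is the cost of deferring: when it fills, the model emits an overflow record at exit so that missing objects are visible in the trail.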



