Re: auditctl task ignores -S flag

On Mon, 2005-01-17 at 14:44 -0600, Debora Velarde wrote:
The 'task' rule list is used only at the time a task is created -- when
fork() or clone() is called by the parent task. Thus, the syscall mask
is not relevant -- only characteristics of the task which can be seen at
the time it is started, such as the uid, gid, etc., are relevant.

The three possible results of the task-creation rule list are as

	AUDIT_NEVER: Do not allocate an audit context for the new task.
		No syscall-specific audit records can be generated.

	AUDIT_POSSIBLE: Allocate an audit context for the new task, and
		always fill it in at syscall entry time. This makes a
		full syscall record available if some other part of the
		kernel decides it should be recorded.

	AUDIT_ALWAYS: Allocate an audit context, always fill it in at
		syscall entry time, and always write out a record at
		syscall exit time.

The -F flag will work for certain fields but not all. I agree that
auditctl should not accept the -S flag for a 'per-task' rule, and it
shouldn't accept the -F flag with a field numerically greater than
AUDIT_PERS either.


