[RFC][PATCH] (#2) Prelim in-kernel file system auditing support

Timothy R. Chavez chavezt at gmail.com
Thu Jan 27 19:04:35 UTC 2005


On Thu, 27 Jan 2005 12:44:51 -0600, Timothy R. Chavez <chavezt at gmail.com> wrote:
> > Very minor nit:  Define a static inline for audit_inode_alloc() and use
> > it in alloc_inode(), and eliminate the #ifdef's there (and in
> > destroy_inode).  You can just define them to the empty function in your
> > header file if the config option isn't set.  Also, static inlines are
> > preferred to macros because they apply type checking even when the
> > option is disabled.  Documentation/SubmittingPatches, Section 2.
> >
> 
> Stephen,
> 
> I personally think this is a better way of doing it.  I'll make the
> change barring any objections from Chris, David, or Serge.  The
> audit_inode_alloc() will only allocate space for an inode its
> associated with a "watched" location.
> 
> > --
> > Stephen Smalley <sds at epoch.ncsc.mil>
> > National Security Agency
> >

Then again, now that I think about this a little more...  This won't
work.  With only the inode, I'll have to automatically allocate space
for i_audit regardless of whether or not its being watched.  There's
no way, at this level (and time), to infer whether or not the inode is
associated with a "watched" location.  Is this acceptable?  To
allocate every inode->i_audit if filesystem auditing is enabled? 
Currently, we're at 28 bytes of data (1 pointer (4 bytes), 1 rw_lock
(8 bytes?), and 2 list_heads (16 bytes?).  I suppose if I allocate
every inode though, I can reduce the size of audit_data by 1 list_head
because I can get rid of the list that uses it.  By doing blanket
allocations it does reduce the complexity some of the code, currently.

> >
> 
> 
> --
> - Timothy R. Chavez
> 


-- 
- Timothy R. Chavez




More information about the Linux-audit mailing list