[RFC][PATCH] (#2) Prelim in-kernel file system auditing support
Timothy R. Chavez
chavezt at gmail.com
Thu Jan 27 19:04:35 UTC 2005
On Thu, 27 Jan 2005 12:44:51 -0600, Timothy R. Chavez <chavezt at gmail.com> wrote:
> > Very minor nit: Define a static inline for audit_inode_alloc() and use
> > it in alloc_inode(), and eliminate the #ifdef's there (and in
> > destroy_inode). You can just define them to the empty function in your
> > header file if the config option isn't set. Also, static inlines are
> > preferred to macros because they apply type checking even when the
> > option is disabled. Documentation/SubmittingPatches, Section 2.
> >
>
> Stephen,
>
> I personally think this is a better way of doing it. I'll make the
> change barring any objections from Chris, David, or Serge. The
> audit_inode_alloc() will only allocate space for an inode its
> associated with a "watched" location.
>
> > --
> > Stephen Smalley <sds at epoch.ncsc.mil>
> > National Security Agency
> >
Then again, now that I think about this a little more... This won't
work. With only the inode, I'll have to automatically allocate space
for i_audit regardless of whether or not its being watched. There's
no way, at this level (and time), to infer whether or not the inode is
associated with a "watched" location. Is this acceptable? To
allocate every inode->i_audit if filesystem auditing is enabled?
Currently, we're at 28 bytes of data (1 pointer (4 bytes), 1 rw_lock
(8 bytes?), and 2 list_heads (16 bytes?). I suppose if I allocate
every inode though, I can reduce the size of audit_data by 1 list_head
because I can get rid of the list that uses it. By doing blanket
allocations it does reduce the complexity some of the code, currently.
> >
>
>
> --
> - Timothy R. Chavez
>
--
- Timothy R. Chavez
More information about the Linux-audit
mailing list