[RFC][PATCH] (#6 U1) the latest incarnation

David Woodhouse dwmw2 at infradead.org
Fri Mar 25 14:54:45 UTC 2005


On Thu, 2005-03-24 at 11:28 -0500, Stephen Smalley wrote:
> Both approaches ensure that an audit record is emitted whenever an
> auditable inode is encountered, but the present approach yields two
> separate audit records (one immediate from your hook and one upon
> syscall exit) vs. a single unified record.  What do we want?  What do
> others think?

All things being equal, I think I'd rather see the information added to
the audit_context and then dumped with everything else on syscall exit. 
When doing the IPC patch I deliberately made the 'aux' list generic
enough that it could be used for this kind of thing.

But are there reasons why it's hard to do that here? Do we need to
report information in contexts where we can't allocate memory (or at
least can't deal with failure to do so)?

-- 
dwmw2



