[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] (#6 U1) the latest incarnation



On Thu, 2005-03-24 at 11:28 -0500, Stephen Smalley wrote:
> Both approaches ensure that an audit record is emitted whenever an
> auditable inode is encountered, but the present approach yields two
> separate audit records (one immediate from your hook and one upon
> syscall exit) vs. a single unified record.  What do we want?  What do
> others think?

All things being equal, I think I'd rather see the information added to
the audit_context and then dumped with everything else on syscall exit. 
When doing the IPC patch I deliberately made the 'aux' list generic
enough that it could be used for this kind of thing.

But are there reasons why it's hard to do that here? Do we need to
report information in contexts where we can't allocate memory (or at
least can't deal with failure to do so)?

-- 
dwmw2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]