[PATCH] (1/2) new audit filter allows excluding messages by type (kernel)

David Woodhouse dwmw2 at infradead.org
Wed Nov 2 15:47:45 UTC 2005


On Tue, 2005-11-01 at 16:53 -0600, Dustin Kirkland wrote:
> Kernel patch is pretty simple, straightforward...

Technically fine, but lacks justification for doing this in the kernel.
The kernel should do preliminary filtering _only_ to the extent that it
really needs to do so, to keep the volume of messages sent up to
userspace to an appropriate level.

It's clear that we need to do a first-pass at throwing away unneeded
syscall audit records, because otherwise the system would grind to a
halt as we shove a report for _every_ syscall up the pipe to auditd.

But it's not clear that this filtering is of the same nature -- can you
explain the anticipated use case and show why it's necessary to add this
particular filter to the _kernel_ instead of doing it in userspace?

-- 
dwmw2



