VFS hooks analysis (pass 1)
Amy Griffis
amy.griffis at hp.com
Mon Sep 12 21:18:31 UTC 2005
On Tue, Aug 30, 2005 at 04:36:25PM -0400, Amy Griffis wrote:
> > Here's my thinking. It'd be nice to have a complete set of Inotify hooks
> > that map to specific Inotify events (IN_*). Thus, even though the above
> > syscalls may be sufficiently covered by the hook placements in the
> > getname() and path_lookup() functions, I think we should split them out
> > into separate Inotify hooks.
>
> Thanks for the input, Tim. I'll look into this.

I've realized a problem with replacing getname and path_lookup with
Inotify hooks. With Inotify, you have to register for the desired
events on a specific file. The getname and path_lookup hooks apply
universally. So if we removed them, we would no longer gather any
filesystem info (other than pathname from syscall arg) unless there
was a filter/watch specified.

I'm not sure this would be the desired behavior. It works for
filtering, but not for providing a complete log record in the general
case.

Amy
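
Added example, not part of the original message or of the audit patches: a small program using the userspace inotify API to show the per-file registration described above, where an open of a watched file is reported and an open of an unwatched file is not. The temporary directory, the file names and the helper names (`touch`, `opens_reported`, `demo`) are constructed for this illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* for mkdtemp() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* Open (creating if needed) and close a file; each open raises IN_OPEN. */
static int touch(const char *path) {
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Register a watch on `watched` only, open both files once, and return
 * the number of IN_OPEN events delivered (-1 on error). */
int opens_reported(const char *watched, const char *unwatched) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int count = 0, fd = inotify_init1(IN_NONBLOCK);
    ssize_t len;
    if (fd < 0) return -1;
    if (inotify_add_watch(fd, watched, IN_OPEN) < 0 ||
        touch(unwatched) < 0 || touch(watched) < 0) { close(fd); return -1; }
    while ((len = read(fd, buf, sizeof buf)) > 0) {   /* drain until EAGAIN */
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_OPEN) count++;
            p += sizeof *ev + ev->len;                /* header + optional name */
        }
    }
    close(fd);
    return count;
}

/* Build two constructed sample files in a temp dir and run the comparison. */
int demo(void) {
    char dir[] = "/tmp/inotify-demo-XXXXXX", a[64], b[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/watched", dir);
    snprintf(b, sizeof b, "%s/unwatched", dir);
    int n = (touch(a) == 0 && touch(b) == 0) ? opens_reported(a, b) : -1;
    unlink(a); unlink(b); rmdir(dir);
    return n;
}

int main(void) { printf("IN_OPEN events delivered: %d\n", demo()); return 0; }
```

Both files are opened, but only the watched one produces an event, which is the coverage gap a watch-only design leaves for general logging.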