
Re: [patch] fix syscall speedup patch mips typo



Steve Grubb wrote:
> On Wednesday 15 March 2006 14:31, Linda Knippers wrote:
>> I don't understand why this record is a good idea.
>
> Because it gives you extra information to search on. Suppose you wanted to see any failed log messages for auid 501. Without the partial record, you won't have the information for ausearch to key on.

Considering all the information that's duplicated, it seems like a
pretty heavyweight way to get the auid, and going back to Jason's
original mail, this doesn't seem to be the reason it was added.

> Patch is below. The idea behind this patch is based on a suggestion from Steve Grubb to not call 'audit_syscall_entry' and 'audit_syscall_exit' if there are no audit rules loaded. This is problematic for the case where audit_log() is called in the middle of a system call (since we don't have the entry parameters). We address this issue by creating a partial system call record for this case, which contains the system call data that is available at exit time.

I can understand wanting to optimize the code when there are no audit
rules (although one could optimize it by disabling audit) but the fact
that it created a problem for which the partial record is a solution
makes me question the approach.

-- ljk

