Getting the program name in audit messages

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 1 14:34:54 UTC 2005


On Fri, 2005-04-01 at 14:36 +0100, David Woodhouse wrote:
> Setting the auditable flag is only going to cause audit_log_exit() to be
> called on syscall exit _if_ audit_syscall_exit() is actually called.
> 
> That's often in the slow path of the syscall return, and triggered only
> if something like TIF_SYSCALL_AUDIT is set in the thread_info flags.

Ok, if you think that this is a real concern, and given that syscall
auditing is presently disabled by default (requires explicit audit=1
kernel boot parameter or auditctl -e 1 to enable), possibly we should
drop the patch to avc_audit for now while still adding it to
audit_log_exit.  However, eventually I'd like to revisit the issue.

-- 
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency



