watch structure
Steve Grubb
sgrubb at redhat.com
Mon Apr 4 21:50:31 UTC 2005
On Monday 04 April 2005 17:36, Timothy R. Chavez wrote:
> However, I do not plan on passing them to and from the kernel as structures,
> but as a serialized strings.
Its in the kernel as pieces, why not just fill in the structure and send it to
user space? That has to be simpler to code (3 assignments & 2 strcpy's). Why
invent yet another way to pass data?
> Also, I wouldn't recommend wasting so much space by statically allocating
> 4096 (or whatever MAX_PATH happens to be) for each name... considering any
> file we're interested in auditing is unlikely to be MAX_PATH or even close
> to MAX_PATH. Space is more valuable in the kernel, both on the stack and
> in memory, then it is in user space.
Right, but this is just for transit. Once inside the kernel it can be put into
a memory area that is as long as strlen - which is what's done currently.
> And the memory should already be copied into the kernel by the time the
> process ends.
What guarantees that? netlink receive is asynchronous.
-Steve
More information about the Linux-audit
mailing list