[RFC][PATCH 2/2] file system auditing (#6U3)
David Woodhouse
dwmw2 at infradead.org
Tue Apr 5 22:30:03 UTC 2005
On Mon, 2005-04-04 at 10:38 -0500, Timothy R. Chavez wrote:
> diff -Nurp linux-2.6.11.5/include/linux/fs.h linux-2.6.11.5~auditfs/include/linux/fs.h
> --- linux-2.6.11.5/include/linux/fs.h 2005-03-19 00:34:53.000000000 -0600
> +++ linux-2.6.11.5~auditfs/include/linux/fs.h 2005-03-31 11:38:03.000000000 -0600
> @@ -477,6 +477,7 @@ struct inode {
> unsigned int i_flags;
>
> atomic_t i_writecount;
> + struct audit_data *i_audit;
> void *i_security;
> union {
> void *generic_ip;
This bit should probably have been included in the first patch. And I
wonder if we could in fact do without it altogether -- do we really need
to grow the inode structure for this? Relatively few inodes will have
i_audit populated -- could we keep the audit_data in a hash table, and
just use a _flag_ in the inode to indicate that there are audit_data in
the hash table for this inode?
I believe that there is already an implementation of such a hash table
floating around, because it was once suggested for the i_security field.
Serge, do you have one?
--
dwmw2
More information about the Linux-audit
mailing list