[RFC][PATCH 2/2] file system auditing (#6U3)
Timothy R. Chavez
tinytim at us.ibm.com
Tue Apr 5 22:51:51 UTC 2005
On Tuesday 05 April 2005 05:30 pm, David Woodhouse wrote:
> On Mon, 2005-04-04 at 10:38 -0500, Timothy R. Chavez wrote:
> > diff -Nurp linux-2.6.11.5/include/linux/fs.h
> > linux-2.6.11.5~auditfs/include/linux/fs.h ---
> > linux-2.6.11.5/include/linux/fs.h 2005-03-19 00:34:53.000000000 -0600
> > +++ linux-2.6.11.5~auditfs/include/linux/fs.h 2005-03-31
> > 11:38:03.000000000 -0600 @@ -477,6 +477,7 @@ struct inode {
> > unsigned int i_flags;
> >
> > atomic_t i_writecount;
> > + struct audit_data *i_audit;
> > void *i_security;
> > union {
> > void *generic_ip;
Aye, you're right.
>
> This bit should probably have been included in the first patch. And I
> wonder if we could in fact do without it altogether -- do we really need
> to grow the inode structure for this? Relatively few inodes will have
> i_audit populated -- could we keep the audit_data in a hash table, and
> just use a _flag_ in the inode to indicate that there are audit_data in
> the hash table for this inode?
Haha. Your timing is impeccable :)
-tim
>
> I believe that there is already an implementation of such a hash table
> floating around, because it was once suggested for the i_security field.
> Serge, do you have one?
More information about the Linux-audit
mailing list