Fwd: Re: Fw: Audit records for start/stop auditd
Stephen Smalley
sds at tycho.nsa.gov
Wed Apr 6 13:57:10 UTC 2005
On Wed, 2005-04-06 at 09:59 -0400, Steve Grubb wrote:
> Out of curiosity, what about the possibility of augmenting siginfo_t?
>
> siginfo_t {
> int si_signo; /* Signal number */
> int si_errno; /* An errno value */
> int si_code; /* Signal code */
> pid_t si_pid; /* Sending process ID */
> uid_t si_uid; /* Real user ID of sending process */
> int si_status; /* Exit value or signal */
> clock_t si_utime; /* User time consumed */
> clock_t si_stime; /* System time consumed */
> sigval_t si_value; /* Signal value */
> int si_int; /* POSIX.1b signal */
> void * si_ptr; /* POSIX.1b signal */
> void * si_addr; /* Memory location which caused fault */
> int si_band; /* Band event */
> int si_fd; /* File descriptor */
> uid_t si_luid; /* Login uid */
> }
>
> This is actually the cleanest way for the audit daemon. No races, no hanging
> around waiting for a message that may never come.
Won't that break the kernel ABI?
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
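As an added illustration (not code from either poster or from the audit project), this is how a receiving process reads the sender identity that siginfo_t already carries, which is the mechanism the quoted proposal would extend. The struct and function names and the use of SIGUSR1 are assumptions for the demo; the proposed si_luid member does not exist in siginfo_t and is not read.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical holder for what the receiver learns about the sender. */
struct sender_info {
    pid_t pid;   /* si_pid: sending process ID */
    uid_t uid;   /* si_uid: real user ID of sending process */
    int   code;  /* si_code: SI_USER when the signal came from kill(2) */
};

static volatile sig_atomic_t got_signal;
static struct sender_info last_sender;

/* SA_SIGINFO handler: the kernel fills *si at delivery time, so the
 * identity arrives with the signal rather than in a later message. */
static void on_signal(int signo, siginfo_t *si, void *ctx)
{
    (void)signo; (void)ctx;
    last_sender.pid  = si->si_pid;
    last_sender.uid  = si->si_uid;
    last_sender.code = si->si_code;
    got_signal = 1;
}

/* Install the handler, signal ourselves, copy out what was recorded,
 * then restore the previous disposition. Returns 0 on success. */
int capture_sender(int signo, struct sender_info *out)
{
    struct sigaction sa, old;
    sigset_t unblock;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(signo, &sa, &old) != 0) return -1;

    sigemptyset(&unblock);
    sigaddset(&unblock, signo);
    sigprocmask(SIG_UNBLOCK, &unblock, NULL);  /* in case it was inherited blocked */

    got_signal = 0;
    if (kill(getpid(), signo) != 0) { sigaction(signo, &old, NULL); return -1; }
    while (!got_signal) { /* wait for the handler to run */ }
    *out = last_sender;
    sigaction(signo, &old, NULL);
    return 0;
}
```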