[RFC][PATCH 3/3] (#7U1) file system auditing

Timothy R. Chavez tinytim at us.ibm.com
Sat Apr 23 01:04:52 UTC 2005


On Friday 22 April 2005 15:51, Steve Grubb wrote:
> On Friday 22 April 2005 20:35, Timothy R. Chavez wrote:
> > add a "delete all watches" feature in the user space tool (I
> > think this is better done in the kernel, but...) -- what does everyone
> > think?
>
> Assuming I can get the watch list like syscall auditing, it can be done
> from user space. I'd like to keep some symmetry between syscall auditing
> and filesystem auditing. If you add a kernel function to do this for
> filesystem, there ought to be a function for syscall.

I think for symmetry's sake, that makes sense.  But doing a "delete all" in 
the kernel has these advantages:

1.  All watches can be deleted.  This might not be true in user space.  If the 
path is invalid (i.e., a namespace has changed or the path has become otherwise 
inaccessible), you won't be able to delete the watch.
2.  One call into the kernel to traverse one linked list to delete all watches 
is faster than requesting a list (which sends one watch at a time AFTER it's 
been walked to determine whether it's valid or not with respect to name space 
and mount points), saving them in user space, then having to send back into 
the kernel a request to delete it, all across netlink.
3.  Hinted at in #2.  I'm thinking that because you can't delete watches 
during a list traversal (because the list is locked), you'll have to store 
information about each watch in the user space.  Seems extra complex and 
unreliable (especially in an SMP environment).

Just my .03 cents

-tim

> -Steve
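
The two "delete all" strategies compared in the message above, as an added toy model in C. It is not code from this thread or from the patch set. The `struct watch` layout, the `reachable` flag and all function names are hypothetical, and it assumes, per point 1, that a delete addressed by path fails once the path no longer resolves.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model, not the audit subsystem's code. reachable == 0: path no longer resolves. */
struct watch { char path[64]; int reachable; struct watch *next; };

static struct watch *push(struct watch *head, const char *path, int reachable) {
    struct watch *w = malloc(sizeof(*w));
    if (!w) return head;
    *w = (struct watch){ .reachable = reachable, .next = head };
    strncpy(w->path, path, sizeof(w->path) - 1);
    return w;
}

/* Constructed sample: three watches, one under a path that has gone away. */
static struct watch *sample_watches(void) {
    return push(push(push(NULL, "/etc/passwd", 1), "/mnt/gone/key", 0), "/etc/shadow", 1);
}

/* A delete addressed by path fails when the path cannot be resolved. */
static int del_by_path(struct watch **head, const char *path) {
    for (struct watch **pp = head; *pp; pp = &(*pp)->next)
        if ((*pp)->reachable && strcmp((*pp)->path, path) == 0) {
            struct watch *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 1;
        }
    return 0;
}

/* User-space flush: save the listing, then one delete request per entry. */
static int userspace_delete_all(struct watch **head) {
    char saved[16][64];
    int n = 0, left = 0;
    for (struct watch *w = *head; w && n < 16; w = w->next)
        strcpy(saved[n++], w->path);
    for (int i = 0; i < n; i++)
        left += !del_by_path(head, saved[i]);
    return left;                /* watches that could not be removed */
}

/* In-kernel flush: one traversal by pointer. Returns the number freed. */
static int kernel_delete_all(struct watch **head) {
    int freed = 0;
    for (struct watch *w; (w = *head) != NULL; freed++) {
        *head = w->next;
        free(w);
    }
    return freed;
}
```

On the sample list the user-space flush leaves the `/mnt/gone/key` watch in place, while the single traversal removes all three. A stale watch that cannot be cleared means audit rules persist that the administrator can no longer remove or reason about by path.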



