[RFC] upstreaming audit filesystem pieces

Chris Wright chrisw at osdl.org
Tue Aug 23 20:49:14 UTC 2005


* Amy Griffis (amy.griffis at hp.com) wrote:
> Suggested Approach
> ------------------
> The plan proposed several weeks ago was to write a general filesystem
> event notification component for the kernel, based on the current
> auditfs patch.  I think this is a mistake for several reasons.  

I agree, inotify is already there, and makes sense as a basis moving
forward.

<snip>
> In order for audit to use Inotify, Inotify would need to provide:
> 
> - An Inotify kernel API.
> 
> - A pointer to the relevant inode struct when a filesystem event
>   occurs.
> 
> - The ability to begin watching a file at the moment of creation.
>   Currently audit is pre-notified, via dcache hooks, when a file is
>   created, moved, or deleted.  This allows audit to enable or disable
>   a watch on the appropriate inode.  Audit would need a similar
>   pre-notification, or preferably the ability to add (and possibly
>   remove) watches from an Inotify event callback.

Inotify has a couple new dcache hooks (iirc it's for delete), did you
look at those yet?



