[RFC] upstreaming audit filesystem pieces
Chris Wright
chrisw at osdl.org
Tue Aug 23 20:49:14 UTC 2005
* Amy Griffis (amy.griffis at hp.com) wrote:
> Suggested Approach
> ------------------
> The plan proposed several weeks ago was to write a general filesystem
> event notification component for the kernel, based on the current
> auditfs patch. I think this is a mistake for several reasons.
I agree, inotify is already there, and makes sense as a basis moving
forward.
<snip>
> In order for audit to use Inotify, Inotify would need to provide:
>
> - An Inotify kernel API.
>
> - A pointer to the relevant inode struct when a filesystem event
> occurs.
>
> - The ability to begin watching a file at the moment of creation.
> Currently audit is pre-notified, via dcache hooks, when a file is
> created, moved, or deleted. This allows audit to enable or disable
> a watch on the appropriate inode. Audit would need a similar
> pre-notification, or preferably the ability to add (and possibly
> remove) watches from an Inotify event callback.
Inotify has a couple new dcache hooks, (iirc it's for delete), did you
look at those yet?