VFS hooks analysis (pass 1)
Amy Griffis
amy.griffis at hp.com
Tue Aug 30 20:36:25 UTC 2005
On Mon, Aug 29, 2005 at 05:12:01PM -0500, Timothy R. Chavez wrote:
> On Friday 26 August 2005 17:13, Amy Griffis wrote:
<snip>
> > The upstream audit code uses getname() and path_lookup() hooks to
> > collect object identity information during syscall processing. This
> > is sufficient for the following syscalls:
> >
> > sys_access
> > sys_chdir
> > sys_chmod
> > sys_chown
> > sys_execve
> > sys_lchown
> > sys_link
> > sys_lremovexattr
> > sys_lsetxattr
> > sys_removexattr
> > sys_setxattr
> > sys_swapon
> > sys_truncate
> > sys_utime(s)
> >
>
> Here's my thinking. It'd be nice to have a complete set of Inotify hooks
> that map to specific Inotify events (IN_*). Thus, even though the above
> syscalls may be sufficiently covered by the hook placements in the
> getname() and path_lookup() functions, I think we should split them out
> into separate Inotify hooks.
Thanks for the input, Tim. I'll look into this.