[PATCH] audit: file system auditing based on location and name
Arjan van de Ven
arjan at infradead.org
Thu Jul 7 06:40:13 UTC 2005
>
> Some notable implementation details are as follows:
>
> * struct inode is _not_ extended to associate audit data with the
> inode. A hash table is used in which the inode is hashed to
> retrieve its audit data. We know if an inode has audit data
> if I_AUDIT has been turned on in inode->i_state.
why is this? It would be a very logical thing to store this stuff inside
the inode. It sounds like a bad design to keep per inode data out of the
inode. (if you're concerned about taking a lot of space, put a pointer
to a kmalloc()'d piece of memory into the inode instead). A hash is
just, well, odd for this.
> * Inodes with audit data are implicitly pinned in memory when
> I_AUDIT is turned on in inode->i_state. This prevents an
> auditable incore inode from being pushed out of the icache,
> preserving auditability even under memory pressures.
sounds like inotify then...
More information about the Linux-audit
mailing list