splinter work on generic fs notification framework
Timothy R. Chavez
tinytim at us.ibm.com
Tue Jul 12 19:18:20 UTC 2005
Hi,
I've CCed some folks that I thought might be interested in this update and may
not be on linux-audit.
Based on recent discussion on LKML and some IRC conversations, a generic file
system notification framework is being written to merge common functionality
between the "auditfs" component of the audit framework and Inotify. This
framework will be mostly comprised of the watch logic implemented by the
"auditfs" component (I_AUDIT, hash table, update hook, helper functions, etc)
and the fsnotify hooks written by Robert Love. User's of this framework will
pass their own callback functions in when adding a watch via this framework
which will effectively be stored on the watch and called from the watch hook
that discovers it.
We introduce fs/watch.c and include/linux/watch.h
Some of the oustanding issues:
o The fsnotify hooks will need to be expanded to cover more of the file system
to fufill CAPP's needs.
o The way we did "movement" notifications is different how Inotify did them.
The trick is to do it such that its mutually beneficial.
o The interface for adding and removing watches should be the same for every
user. I think that the audit_receive_watch|audit_insert/remove_watch bit was
quite slopply done *pats self on back*, so I think this gives me a chance to
redeem myself and make something functional and slightly more sexy.
o Filtering. Should the MAY_* stuff be scrapped... How important is it? I
think it's a bit sloppy and contrived too. It's a fine concept. We'd
ideally like to mitigate throughput where possible, but I think the
'ausearch' tool should work fine for looking only and what's "interesting"
and the netlink speed-up coupled with the backlogs work should help buffer
any impact introduced by the extra records. Opinions?
o I'd like to place an extra field in the record that tells you exactly what
type of action it was... trying to deduce from system call is a bit...
cumbersome... might be nice to have in the log, "action=MODIFIED" or
something.
Feel free to add something..
I'm sure I'm forgetting some things, but I really should get back to work :)
Anyway... it's a start
-tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.6-tc-watch.patch
Type: text/x-diff
Size: 56195 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050712/7f5afe37/attachment.bin>
More information about the Linux-audit
mailing list