[RFC][PATCH] (#6 U1) the latest incarnation

Timothy R. Chavez tinytim at us.ibm.com
Thu Mar 24 16:03:28 UTC 2005


On Thursday 24 March 2005 09:26 am, Stephen Smalley wrote:
>
> Rationale?  At least for me, the development process for this patch is
> too opaque. I see changes from version to version (particularly with
> respect to hooks and hook placement) with no explanation of the
> reasoning, which makes it hard to assess the real impact.  I think we
> need a clear stated justification as to what each hook is achieving for
> your higher level goals.  Note btw that it is looking like we actually
> need another security hook in the fs code to deal with the file creation
> issue, so d_instantiate/d_splice_alias might not be sufficient for you
> either.
>
> As I mentioned earlier, I think you need a very clearly stated
> description of your high level goals and requirements to include in your
> submission on linux-fsdevel and lkml, because they will need to
> understand those goals in order to assess whether your implementation is
> sound and to tell you the right way to implement that desired
> functionality if they think your implementation isn't sound.  You want
> to be careful about not confusing design/implementation with
> goals/requirements.

This was sobering and reasonable.  Thank you.  I will definitely work on this.

> >  Also, I've done quite a bit with the locking. Now, [admittedly] I'm a
> > novice, so the reader-writer locking strategy I've used is probably
> > not the best for performance -- especially since I've hooked
> > __d_lookup() and will hit a write_lock() when I enter
> > audit_attach_watch() (formerly called audit_watch()).
>
> Did you test with a SMP kernel?  Locked up immediately for me on boot,
> right after displaying the Mount-cache hash table entries stats
> (mnt_init).

No testing on SMP as of right now, I'll get right on this right now.  I have a 
couple of minor fix-ups too (changed the description in init/Kconfig and 
repositioned the exec_permission_lite() hook because if 
exec_permission_lite() returns -EAGAIN, we'll get a record there and in 
permission()).

<snip>

Thanks again.

-tim




More information about the Linux-audit mailing list