[RFC][PATCH] (#6 U1) the latest incarnation
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 25 14:54:25 UTC 2005
On Fri, 2005-03-25 at 14:54 +0000, David Woodhouse wrote:
> All things being equal, I think I'd rather see the information added to
> the audit_context and then dumped with everything else on syscall exit.
> When doing the IPC patch I deliberately made the 'aux' list generic
> enough that it could be used for this kind of thing.
>
> But are there reasons why it's hard to do that here? Do we need to
> report information in contexts where we can't allocate memory (or at
> least can't deal with failure to do so)?
I don't think so; I think all callers of audit_notify_watch() can sleep
at the point of the call (unlike callers of audit_attach_watch, which
must not sleep, but that only attaches watches; it doesn't do any audit
generation). Now for SELinux avc_audit, that would be an issue, because
it cannot perform blocking allocation or otherwise deal with failures.
--
Stephen Smalley <sds at tycho.nsa.gov>
National Security Agency
More information about the Linux-audit
mailing list