key in syscall audit rules.

Timothy R. Chavez tinytim at us.ibm.com
Wed May 18 18:08:50 UTC 2005


On Wednesday 18 May 2005 11:01, David Woodhouse wrote:
> On Wed, 2005-05-18 at 10:28 -0500, Timothy R. Chavez wrote:
> > Well "9" (or rather a 32b/64b hash) could map to something in a userland
> > table of sorts which would produce "attempted-shadow-write" before it got
> > to the log.  There's most definitely a space savings here and we
> > shouldn't be so free to use kernel memory as we do user memory, but is it
> > really worth all the extra complexity to try to decipher the meaning of
> > "9" in userland? IMHO, no. *shrug*
>
> Agreed. Can you change the auditfs patch to use numeric keys in the next
> incarnation, please? This kind of thing really doesn't live in the
> kernel.

I think we should hold off for the time being and put it as a "TODO" as it 
will require work in both the kernel and the userland package to convert over 
and change the offsets and whatnot.  Something I can do later this
week/weekend perhaps.  Is that OK?  I just want to get out an update that 
fixes (once I figure it out) the problem with some watch records not 
appearing and the alterations needed to list watches without sleeping between 
the rcu_read locks first.  This is most needed by the testers here.

-tim



