[patch] fix syscall speedup patch mips typo
Linda Knippers
linda.knippers at hp.com
Wed Mar 15 20:04:33 UTC 2006
Steve Grubb wrote:
> On Wednesday 15 March 2006 14:31, Linda Knippers wrote:
>> I don't understand why this record is a good idea.
>
> Because it gives you extra information to search on. Suppose you wanted to see
> any failed log messages for auid 501. Without the partial record, you won't
> have the information for ausearch to key on.
Considering all the information that's duplicated, it seems like a
pretty heavyweight way to get the auid, and going back to Jason's
original mail, this doesn't seem to be the reason it was added.
> Patch is below. The idea behind this patch is based on a suggestion from
> Steve Grubb to not call 'audit_syscall_entry' and 'audit_syscall_exit' if
> there are no audit rules loaded. This is problematic for the case where
> audit_log() is called in the middle of a system call (since we don't have
> the entry parameters). We address this issue by creating a partial system
> call record for this case, which contains the system call data that is
> available at exit time.
I can understand wanting to optimize the code when there are no audit
rules (although one could optimize it by disabling audit) but the fact
that it created a problem for which the partial record is a solution
makes me question the approach.
-- ljk