moving audit_free() up into do_exit()

Alexander Viro aviro at redhat.com
Wed Mar 29 22:03:58 UTC 2006


        If we want to get full information on syscalls that kill the caller
(exit, exit_group, anything oopsing), we really ought to move audit_free()
into do_exit(), just before the exit_mm() call there.

        Impact: we'll generate records for such a syscall when it's called
(and gets to the point of no return), not when the resulting zombie gets
reaped.  If anyone has objections to that, yell _NOW_.

        What we get is, among other things, accurate tty=, exe= and subj=
in such records.  We also get much simpler locking, since now _all_
access to ->audit_context is done by the process itself in a process-synchronous
context.  We don't have to bother with atomic allocations on that path
either.

        NOTE: it does change the moment when the record is generated, and if
something in userland depends on having it postponed until the time when
the zombie gets reaped, we will have to change such userland code.  I doubt
we have any such place, but that definitely needs an ACK from the userland
side of things.



