Audit issue
Steve Grubb
sgrubb at redhat.com
Thu Nov 8 14:47:40 UTC 2007
On Thursday 08 November 2007 09:32:18 Alexander Viro wrote:
> > Thanks for posting this patch. Is it impossible to "repair " processes by
> > simply adding a context if the pointer is NULL?
>
> At which point would you do that?
Possibly on syscall exit? Shouldn't the kernel have released all locks by that
point? And what about syscall entry...isn't that before any locking starts to
occur?
> I'd rather not try to play with locking, etc., when we set audit_enabled to
> non-zero...
Sure.
> Especially when there's a trivially non-intrusive patch.
True, but I'm thinking this will cause performance to go down if the audit
system was ever enabled. It doesn't look as bad as the audit system actually
being on, but it may be doing unnecessary allocations I think.
-Steve
More information about the Linux-audit
mailing list