On Thu, 2006-12-14 at 16:07 -0800, Matt Helsley wrote: > plain text document attachment (task-watchers-v2) > Associate function calls with significant events in a task's lifetime much > like > we handle kernel and module init/exit functions. This creates a table for each > of the following events in the task_watchers_table ELF section: > > WATCH_TASK_INIT at the beginning of a fork/clone system call when the > new task struct first becomes available. > > WATCH_TASK_CLONE just before returning successfully from a fork/clone. > > WATCH_TASK_EXEC just before successfully returning from the exec > system call. > > WATCH_TASK_UID every time a task's real or effective user id changes. > > WATCH_TASK_GID every time a task's real or effective group id changes. > > WATCH_TASK_EXIT at the beginning of do_exit when a task is exiting > for any reason. > > WATCH_TASK_FREE is called before critical task structures like > the mm_struct become inaccessible and the task is subsequently freed. > > The next patch will add a debugfs interface for measuring fork and exit rates > which can be used to calculate the overhead of the task watcher > infrastructure. > > Subsequent patches will make use of task watchers to simplify fork, exit, > and many of the system calls that set [er][ug]ids. It's easier to get such watch capabilities by kprobe/systemtap. Why to add new codes to kernel?
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
