On Tue, 2010-08-24 at 12:16 +1000, Anton Blanchard wrote: > Hi Eric, > > > I don't think this works at all. I don't see how syscall audit'ing can > > work. What if I have nothing in the AUDIT_FILTER_TASK list but I want > > to audit all 'open(2)' syscalls? This patch is going to leave the task > > in the DISABLED state and we won't ever be able to match on the syscall > > rules. > > That's a good point. What if we went through and created an audit context > for each thread at the point where we add a rule to the audit subsystem? > > That would make the common case where no one touches audit go fast. It's > only once you add a rule that you get the syscall entry/exit overhead of > audit. > > Anton
It might be viable but I certainly couldn't say. I'm a bit scared of allocating and attaching a struct audit_context to a running task as we have no idea if that task is about to exit a syscall with an unfilled out audit_context struct nor do I personally off the top of my head know the task flag setting rules (especially when you want to set other people's flags) Maybe another approach would be to move audit_alloc() into the syscall entry path rather than only at fork(). I think the best solution is going to be some better way of setting/clearing TIF_SYSCALL_AUDIT. (notice the thing is never cleared, ever, today) -Eric -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
