Quoting Tony Jones (tonyj@private): > > Clearly, you can't intelligently audit from a module since you have no idea > > as to what use the caller intends to make of your information (or down the > > road if stacker was to do something different from RETURN_ERROR_IF_ANY_ERROR). > > I guess I should ammend that to say that you can't log using a simplistic > method. I should look at the kernel audit subsystem to see if higher levels > can generate an audit based on what they did with the capable data (i.e reject), > which an automated tool could combine with audit data from the module to > suggest policy changes. Exactly, if the lower levels can't distinguish between two types of requests, maybe the user-space audit daemon can look at multiple entries for a single process/event and consolidate/interpret them. This might be easier if you use audit_log rather than printk, as you should be able to get a single serial number for the messages from one syscall. -serge
This archive was generated by hypermail 2.1.3 : Thu Jun 30 2005 - 06:40:22 PDT