Re: stacker and vm_enough_memory

From: serue@private
Date: Thu Jun 30 2005 - 06:45:40 PDT


Quoting Tony Jones (tonyj@private):
> > Clearly, you can't intelligently audit from a module since you have no idea 
> > as to what use the caller intends to make of your information (or down the 
> > road if stacker was to do something different from RETURN_ERROR_IF_ANY_ERROR).
> 
> I guess I should ammend that to say that you can't log using a simplistic
> method.  I should look at the kernel audit subsystem to see if higher levels 
> can generate an audit based on what they did with the capable data (i.e reject),
> which an automated tool could combine with audit data from the module to 
> suggest policy changes.

Exactly, if the lower levels can't distinguish between two types of
requests, maybe the user-space audit daemon can look at multiple entries
for a single process/event and consolidate/interpret them.

This might be easier if you use audit_log rather than printk, as you
should be able to get a single serial number for the messages from one
syscall.

-serge



This archive was generated by hypermail 2.1.3 : Thu Jun 30 2005 - 06:40:22 PDT