On Thu, Nov 17, 2011 at 05:05:11PM -0500, Eric Paris wrote:

> For _at type syscalls (like openat) we do not collect any information about
> the dfd. This patch grabs a reference to the path of all fd's passed to
> the kernel. We free those on syscall exit. We will then output those paths
> as inode records and use the path information to generate better pathnames if
> possible.
I think this is bogus. If nothing else, if you want dfd, then by damn collect that information *when* *you* *are* *starting* *a* *lookup*. Not on every bleeding fget(), no matter why and by whom it had been called.

FWIW, hooking into getname() also had always looked wrong, for much the same reasons...

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
