On Tue, 06 May 2014 10:57:30 -0400 Eric Paris <[email protected]> wrote:
> On Mon, 2014-05-05 at 17:10 -0400, Steve Grubb wrote: > > On Mon, 5 May 2014 16:41:53 -0400 > > Richard Guy Briggs <[email protected]> wrote: > > > > > Only problem is, it doesn't work. What assumptions am I making > > > that aren't valid about the approach in this kernel code? > > > > > > I also considered adding the path string pointer to the struct > > > audit_field. > > > > > > Any suggestions? > > > > What I was thinking about is that it should work a lot like a watch > > for > > We agree up to this point. > > > execution except when the watch triggers, it actually fills in a pid > > field for a syscall rule and loads it instead of emitting an event. > > And now we disagree. That's fine. It was only a suggestion. As long as the effect is the same, I don't care how its implemented. :-) -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
