I'm looking at adding an audit record type for the case where there are multiple security modules providing subject data. There are several reasons to create a new record rather than adding the additional information to existing records, including possible size overflows and format compatibility.
While working with the code I have found that it is much easier if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated before the "base" record, which could be a SYSCALL record, than after it. Can I get away with this? I haven't seen any documentation that says the CWD record has to follow the event's SYSCALL record, but I wouldn't be at all surprised if it's implicitly assumed.

Thanks.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit