On Thu, Mar 26, 2020 at 7:49 PM Casey Schaufler <ca...@schaufler-ca.com> wrote:
>
> I'm looking at adding an audit record type for the case where
> there are multiple security modules providing subject data. There
> are several reasons to create a new record rather than adding the
> additional information to existing records, including possible
> size overflows and format compatibility.
>
> While working with the code I have found that it is much easier
> if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated
> before the "base" record, which could be a SYSCALL record, than
> after it. Can I get away with this? I haven't seen any documentation
> that says the CWD record has to follow the event's SYSCALL record,
> but I wouldn't be at all surprised if it's implicitly assumed.
From a kernel perspective, as long as the timestamp matches (so it's
considered part of the same "event") I've got no problem with that.
However, Steve's audit userspace has a lot of assumptions about how
things are done so it's probably best that he comments on this so his
tools don't blow up.

--
paul moore
www.paul-moore.com
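An added example (mine, not code from this thread or from the kernel or audit userspace projects) of the kernel-side grouping rule Paul describes: records belong to an event by their audit(timestamp:serial) id, whatever order they arrive in. The MAC_TASK_CONTEXTS record and the sample lines are constructed from Casey's proposal, not real kernel output, and the second function is the check a log consumer would run to find events that a "SYSCALL comes first" assumption would mishandle.

```python
import re
from collections import OrderedDict

# Every audit record carries the event id in its header: msg=audit(SECONDS.MILLIS:SERIAL)
_HDR = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


def group_events(lines):
    """Group raw audit records into events keyed by (timestamp, serial).

    Record order inside an event is deliberately ignored: a record that
    arrives before the SYSCALL record still joins the same event, which is
    the kernel-side view from the thread.  Returns an ordered dict
    {(ts, serial): [record types in arrival order]}.
    """
    events = OrderedDict()
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue  # not an audit record (blank line or unrelated text)
        key = (m.group("ts"), m.group("serial"))
        events.setdefault(key, []).append(m.group("type"))
    return events


def events_not_led_by_syscall(events):
    """Return the event keys whose first record is not SYSCALL.

    A consumer that assumes the SYSCALL record leads the event would
    mishandle exactly these, so this is the check worth running on real logs.
    """
    return [k for k, types in events.items() if types and types[0] != "SYSCALL"]


# Constructed sample: event 456 has the proposed record placed before SYSCALL,
# event 457 is a conventional one.  Field contents are illustrative only;
# MAC_TASK_CONTEXTS is the name proposed in the thread, not an existing type.
SAMPLE = """\
type=MAC_TASK_CONTEXTS msg=audit(1585270140.123:456): (per-LSM subject contexts; format illustrative)
type=SYSCALL msg=audit(1585270140.123:456): arch=c000003e syscall=2 success=yes
type=CWD msg=audit(1585270140.123:456): cwd="/root"
type=PATH msg=audit(1585270140.123:456): item=0 name="/etc/shadow"
type=SYSCALL msg=audit(1585270141.007:457): arch=c000003e syscall=59 success=yes
type=CWD msg=audit(1585270141.007:457): cwd="/tmp"
""".splitlines()

if __name__ == "__main__":
    ev = group_events(SAMPLE)
    for key, types in ev.items():
        print(key, types)
    print("events not led by SYSCALL:", events_not_led_by_syscall(ev))
```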