From mboxrd@z Thu Jan  1 00:00:00 1970
From: Klaus Weidner <klaus@atsec.com>
Subject: Re: Watch Performance
Date: Mon, 17 Apr 2006 15:06:56 -0500
Message-ID: <20060417200656.GA31654@w-m-p.com>
References: <200604081221.58080.sgrubb@redhat.com>
	<200604110626.26843.sgrubb@redhat.com>
	<20060411161141.GA16506@zk3.dec.com>
	<200604111701.23649.sgrubb@redhat.com>
	<20060412211541.GA30952@zk3.dec.com>
	<1145287654.3590.10.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.11.6) with ESMTP id
	k3HK7JDQ013472
	for <linux-audit@redhat.com>; Mon, 17 Apr 2006 16:07:19 -0400
Received: from mail.atsec.com (mail.atsec.com [195.30.252.105])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k3HK77IP001735
	for <linux-audit@redhat.com>; Mon, 17 Apr 2006 16:07:13 -0400
Content-Disposition: inline
In-Reply-To: <1145287654.3590.10.camel@localhost.localdomain>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Timothy R. Chavez" <tinytim@us.ibm.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, Apr 17, 2006 at 10:27:34AM -0500, Timothy R. Chavez wrote:
> Maybe this is a completely stupid thought, but what about the option of
> adding a per-syscall filter list table, indexed by system-call number.

That's how LAuS worked... You'd need to support multiple lists to handle
multiple personalities (ie 32bit code running on x86_64).

The amount of space used isn't too bad; it would also be possible to use
reference counting to share entries for identical rules.

-Klaus