From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Audit issue
Date: Thu, 8 Nov 2007 09:47:40 -0500
Message-ID: <200711080947.41645.sgrubb@redhat.com>
References: <200710301248.24261.sgrubb@redhat.com>
	<200711080927.14472.sgrubb@redhat.com>
	<20071108143218.GB28304@devserv.devel.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20071108143218.GB28304@devserv.devel.redhat.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Alexander Viro <aviro@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 08 November 2007 09:32:18 Alexander Viro wrote:
> > Thanks for posting this patch. Is it impossible to "repair " processes by
> > simply adding a context if the pointer is NULL?
>
> At which point would you do that?

Possibly on syscall exit? Shouldn't the kernel have released all locks by that 
point? And what about syscall entry...isn't that before any locking starts to 
occur?

> I'd rather not try to play with locking, etc., when we set audit_enabled to
> non-zero...

Sure.

> Especially when there's a trivially non-intrusive patch.

True, but I'm thinking this will cause performance to go down if the audit 
system was ever enabled. It doesn't look as bad as the audit system actually 
being on, but it may be doing unnecessary allocations I think.

-Steve