public inbox for linux-kernel@vger.kernel.org
From: Yi Yang <yang.y.yi@gmail.com>
To: Andrew Morton <akpm@osdl.org>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [2.6.16-rc6-m1 PATCH] Connector: Filesystem Events Connector try 2
Date: Fri, 17 Mar 2006 09:25:25 +0800
Message-ID: <441A1005.8090709@gmail.com>
In-Reply-To: <20060316155801.298e7e9e.akpm@osdl.org>

Andrew Morton wrote:
> Yi Yang <yang.y.yi@gmail.com> wrote:
>   
>> This new patch is an update to the last patch; it removes the spinlock
>> and makes include/linux/fsnotify.h cleaner when CONFIG_FS_EVENTS=n.
>> It also reformats some overly long lines so that they are less than 80
>> columns.
>>
>> This patch implements a new connector, the Filesystem Event Connector.
>> The user can monitor filesystem activities via it; currently, it
>> can monitor access, attribute change, open, create, modify, delete,
>> move and close of any file or directory.
>>
>> Every filesystem event will include the tgid, uid and gid of the process
>> which triggered this event, the process name, and the file or directory
>> name operated on by it.
>>     
>
> That would seem to have some privacy implications...
>
> I'd expect that all the info which is needed can be obtained via syscall
> auditing.
>   
Yes, but if syscall audit is enabled, all the syscalls will be audited, so
every syscall will add overhead; moreover, it will not only send logs to
klog or the system log, but it will also send a netlink message.

The Filesystem Events Connector is very simple functionally; it just focuses
on filesystem activities. The Process Events Connector (cn_proc) is a very
typical case.

> I don't recall having seen demand for this feature before.  For what reason
> is it needed?  What is the application?
>   
Anti-virus software can use this feature to monitor malign software's
activities, for example, modifying system configuration or critical shared
libraries. Some system administration applications can use it to obtain the
filesystem activities of every user in order to diagnose some system troubles.

Thread overview: 3+ messages
2006-03-16 15:43 [2.6.16-rc6-m1 PATCH] Connector: Filesystem Events Connector try 2 Yi Yang
2006-03-16 23:58 ` Andrew Morton
2006-03-17  1:25   ` Yi Yang [this message]
