Yi Yang <yang.y.yi@xxxxxxxxx> wrote:Yes, but if enabling syscall audit, all the syscalls will be audited, so every syscall will add overhead, moreover
This new patch is update for last patch, it removes spinlock and
makes include/linux/fsnotify.h more clean when CONFIG_FS_EVENTS=n,
it also reformats some too long lines so that they are less than 80
This patch implements a new connector, Filesystem Event Connector,
the user can monitor filesystem activities via it, currently, it
can monitor access, attribute change, open, create, modify, delete,
move and close of any file or directory.
Every filesystem event will include tgid, uid and gid of the process
which triggered this event, process name, file or directory name operated by it.
That would seem to have some privacy implications...
I'd expect that all the info which is needed can be obtained via syscall
I don't recall having seen demand for this feature before. For what reasonAnti-virus software can use this feature to monitor malign software's activities, foe example, modify system
is it needed? What is the application?