Re: [2.6.16-rc6-m1 PATCH] Connector: Filesystem Events Connectortry 2

From: Yi Yang
Date: Thu Mar 16 2006 - 20:21:57 EST


Andrew Morton wrote:
Yi Yang <yang.y.yi@xxxxxxxxx> wrote:
This new patch is update for last patch, it removes spinlock and
makes include/linux/fsnotify.h more clean when CONFIG_FS_EVENTS=n,
it also reformats some too long lines so that they are less than 80
columns.

This patch implements a new connector, Filesystem Event Connector,
the user can monitor filesystem activities via it, currently, it
can monitor access, attribute change, open, create, modify, delete,
move and close of any file or directory.

Every filesystem event will include tgid, uid and gid of the process
which triggered this event, process name, file or directory name operated by it.

That would seem to have some privacy implications...

I'd expect that all the info which is needed can be obtained via syscall
auditing.
Yes, but if enabling syscall audit, all the syscalls will be audited, so every syscall will add overhead, moreover
, it will not only send log to klog or system log, but also it will send netlink message.

Filesystem events connector is very simple functionally, it just focuses on filesystem activities. Process Events
Connector(cn_proc) is a very typical case.
I don't recall having seen demand for this feature before. For what reason
is it needed? What is the application?
Anti-virus software can use this feature to monitor malign software's activities, foe example, modify system
configuration or critical share libraries. Some system administration applications can use to obtain filesystem
activities of every user in order to diagnose some system troubles.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/