|
| From: | John Ogness |
| Subject: | Re: [Dazuko-help] detected file changes |
| Date: | Tue, 26 Apr 2005 17:59:00 +0200 |
| User-agent: | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913 |
Stela Suciu wrote:
I run some tests with dazuko on a vanilla kernel 2.4.25. I noticed that calls like mkdir, mknod, rename, link, symlink, chmod ... do not generate any dazuko events.
Correct. Dazuko focussed on file access events (where file access is interpretted to mean accessing file contents). The system calls you listed involve creating or changing the file content "container", but not the content itself.
From a first look on the code, I drew the conclusion that the dazuko module only intercepts the open, dup, dup2, close, write, execve, unlink, rmdir system calls. This would mean that the file changes performed by other system calls are lost.
Correct.
So, the question is: is there currently any way to use dazuko for monitoring ALL the file changes (no matter what system call generates them) ?
It has been previously requested that Dazuko supports many more events. I agree that Dazuko should support all events that have anything to do with files (content or container).
At the moment Dazuko is transitioning from being based on the system call table to being based on a stackable filesystem (DazukoFS). A stackable filesystem sits much deeper in the kernel and "sees" a different set of events.
I am worried that if we introduce too many new event types right now (while being system call based) that we won't be able to support them later (when we are filesystem based).
After we move over to filesystem-based, we can begin looking at adding more events.
John Ogness -- Dazuko Maintainer
| [Prev in Thread] | Current Thread | [Next in Thread] |