Audit Kernel Events, weekly report #7

Efstratios Karatzas gpf.kira at gmail.com
Sun Jul 18 18:00:19 UTC 2010


I spent this week going through my code, making notes & testing
things; I spotted a few minor bugs and I just merged the fixes with
perforce.
More importantly, I finished the pseudo-algorithm that solves the
issue of handling multiple simultaneous audit records per kernel
thread. It involves handling a tree-like data structure; this is a
short description:
Every time we come across a new sec event inside the kernel
(AUDIT_something_ENTER()), the tree grows (the new kaudit record is
the child of the current kaudit record), we switch the auditing flag
accordingly and the thread's td_ar now points to the new
kaudit_record.
When the event is finished (AUDIT_something_EXIT()), the auditing flag
switches back to the value of our parent sec event and td_ar now
points to the parent kaudit_record. If we exited the sec event that is
the root of our tree, we commit the whole tree to the auditing daemon
in preorder.

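The enter/exit bookkeeping described above, as an added userland C model that is not the author's Perforce code and does not touch real FreeBSD kernel structures: `struct thread_sim`, `audit_enter()`, `audit_exit()`, `event_is_audited()` and the committed-event buffer are hypothetical names chosen for illustration, the per-event audit policy is constructed, and "committing to the daemon" is simulated by appending event ids to an array in preorder.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of per-thread nested audit records (not kernel code). */
#define MAX_CHILDREN 8
#define MAX_COMMITTED 64

struct kaudit_record {
    int event;                      /* constructed event id */
    int auditing;                   /* auditing flag in effect for this record */
    struct kaudit_record *parent;
    struct kaudit_record *children[MAX_CHILDREN];
    int nchildren;
};

/* Stand-in for the fields the mail refers to on the kernel thread. */
struct thread_sim {
    struct kaudit_record *td_ar;    /* current record (td_ar in the mail) */
    int auditing;                   /* the thread's auditing flag */
};

/* Simulated audit daemon: event ids in the order they were committed. */
static int committed[MAX_COMMITTED];
static int ncommitted;

int audit_committed_count(void) { return ncommitted; }
int audit_committed_at(int i) { return (i >= 0 && i < ncommitted) ? committed[i] : -1; }
void audit_reset(void) { ncommitted = 0; }

/* Hypothetical policy: odd-numbered events are audited, even ones are not. */
static int event_is_audited(int event) { return event % 2 == 1; }

/* Preorder: the record itself first, then each child subtree in order. */
static void commit_preorder(struct kaudit_record *ar) {
    if (ncommitted < MAX_COMMITTED)
        committed[ncommitted++] = ar->event;
    for (int i = 0; i < ar->nchildren; i++)
        commit_preorder(ar->children[i]);
}

/* Postorder free so children are released before their parent. */
static void free_tree(struct kaudit_record *ar) {
    for (int i = 0; i < ar->nchildren; i++)
        free_tree(ar->children[i]);
    free(ar);
}

/* AUDIT_something_ENTER(): grow the tree under the current record. */
int audit_enter(struct thread_sim *td, int event) {
    struct kaudit_record *ar = calloc(1, sizeof *ar);
    if (ar == NULL)
        return -1;
    ar->event = event;
    ar->parent = td->td_ar;
    ar->auditing = event_is_audited(event);
    if (td->td_ar != NULL) {
        if (td->td_ar->nchildren >= MAX_CHILDREN) {   /* constructed limit */
            free(ar);
            return -1;
        }
        td->td_ar->children[td->td_ar->nchildren++] = ar;
    }
    td->td_ar = ar;                 /* thread now points at the new record */
    td->auditing = ar->auditing;    /* flag switched for the new event */
    return 0;
}

/* AUDIT_something_EXIT(): return to the parent; commit when the root exits.
 * Returns 1 if the whole tree was committed, 0 if we merely moved up,
 * -1 on an EXIT without a matching ENTER. */
int audit_exit(struct thread_sim *td) {
    struct kaudit_record *ar = td->td_ar;
    if (ar == NULL)
        return -1;
    td->td_ar = ar->parent;
    if (ar->parent != NULL) {
        td->auditing = ar->parent->auditing;   /* restore parent's flag */
        return 0;
    }
    td->auditing = 0;
    commit_preorder(ar);            /* root exited: commit entire tree */
    free_tree(ar);
    return 1;
}

int main(void) {
    struct thread_sim td = { NULL, 0 };
    /* Constructed sequence: event 1 nests 2 (which nests 3) and then 4. */
    audit_enter(&td, 1); audit_enter(&td, 2); audit_enter(&td, 3);
    audit_exit(&td); audit_exit(&td);
    audit_enter(&td, 4); audit_exit(&td);
    audit_exit(&td);
    for (int i = 0; i < audit_committed_count(); i++)
        printf("committed event %d\n", audit_committed_at(i));
    return 0;
}
```

The point of the root-only commit is that partially built subtrees never reach the daemon, and the flag restored on each exit is the parent's, not a global default, so an unaudited inner event does not switch auditing off for the outer one. An exit with no current record is reported rather than dereferencing a null `td_ar`.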
The only thing left to do is turn this into code. I've already begun
working on this and I'm confident that it won't be long before there's
a working version in perforce.

Thank you

-- 

Efstratios "GPF" Karatzas