Re: [Announce] Non Invasive Kernel Monitor for threads/processes

[Rusty Lynch]

> Andrew Morton wrote:
> >Atul Sabharwal <atul_sabharwal@xxxxxxxxxxxxxxxxxx> wrote:
> >>We have been working with a solution for non-intrusively trapping on 
> >>lifetime
> >>of processes/threads.
> >>   
> >>
> >
> >I expect this functionality can be provided without kernel changes via
> >auditing of the relevant system calls.  See
> >http://people.redhat.com/faith/audit/.

If a process segfaults is there currently a message sent from the auditing
code?

> >Maybe there are shortcomings in the current auditing/filtering framework. 
> >If so, perhaps they could be addressed.

I have worries about both the complexity required from the client for just
monitoring the life time of a process/thread, and the overhead of doing
this with the auditing/netlink implementation, but do not have any proof.

We can take a crack at implementing a couple of hello world monitors for
process/thread creation and exec'ing, and come back with any limitations
in the existing auditing code that would make this particular type of 
monitoring painful.

    --rustyl
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/