Name

__audit_inode_child — collect inode info for created/removed objects

Synopsis

void __audit_inode_child (const char * dname,
 const struct inode * inode,
 const struct inode * parent);
 

Arguments

dname

inode's dentry name

inode

inode being audited

parent

inode of dentry parent

Description

For syscalls that create or remove filesystem objects, audit_inode can only collect information for the filesystem object's parent. This call updates the audit context with the child's information. Syscalls that create a new filesystem object must be hooked after the object is created. Syscalls that remove a filesystem object must be hooked prior, in order to capture the target inode during unsuccessful attempts.