You're right...I am not talking about blocking at all -- which may be a further indication that I am missing the specific point of this thread. But be that as it may... I don't want to have to use more than one interface to get all the events I am interested in. I want to register as a client and listen, and get everything I need from the same place. Also, it seems to me that for my purposes, close is discrete enough. It tells me that there is now something out there that should be looked at. Jon -----Original Message----- From: Arjan van de Ven [mailto:arjan@infradead.org] Sent: Tuesday, August 05, 2008 2:28 PM To: Press, Jonathan Cc: Eric Paris; Greg KH; linux-kernel@vger.kernel.org; malware-list@lists.printk.net; linux-security-module@vger.kernel.org Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning On Tue, 5 Aug 2008 14:04:26 -0400 "Press, Jonathan" <Jonathan.Press@ca.com> wrote:but close is... very limited in value. Open is a discrete event traditionally associated withh permission checks. Close... not so. (And if you mmap memory, you can then close the file and still write to it via the mmap) Lets ask it differently: what will you do if you find something nasty? You can't fail the close... so why block for it? And if you don't block for it... all you would need is an asynchronous notification... something like... inotify --
| Ingo Molnar | Re: x86: 4kstacks default |
| Gabriel C | modpost errors ( Re: 2.6.23-rc6-mm1) |
| Bart Van Assche | Integration of SCST in the mainstream Linux kernel |
| Press, Jonathan | RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface foron access scann... |
git: | |
| David Miller | Re: iptables very slow after commit784544739a25c30637397ace5489eeb6e15d7d49 |
| Natalie Protasevich | [BUG] New Kernel Bugs |
| Jarek Poplawski | [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock(). |
| Gerrit Renker | [PATCH 13/37] dccp: Deprecate Ack Ratio sysctl |
