__audit_inode_child — collect inode info for created/removed objects
void __audit_inode_child
(const char * dname, const struct inode * inode, const struct inode * parent);
inode's dentry name
inode being audited
inode of dentry parent
For syscalls that create or remove filesystem objects, audit_inode can only collect information for the filesystem object's parent. This call updates the audit context with the child's information. Syscalls that create a new filesystem object must be hooked after the object is created. Syscalls that remove a filesystem object must be hooked prior, in order to capture the target inode during unsuccessful attempts.