Creating an Audit Library
An audit library is built like any other shared object. However, the audit library's unique namespace within a process requires some additional care.
- The library must provide all dependency requirements.
- The library should not use system interfaces that do not provide for multiple instances of the interface within a process.
If an audit library references external interfaces, then the audit library must define the dependency that provides the interface definition. For example, if the audit library calls printf(3C), then the audit library must define a dependency on libc. See Generating a Shared Object Output File. Because the audit library has a unique namespace, symbol references cannot be satisfied by the libc that is present in the application being audited. If an audit library has a dependency on libc, then two versions of libc.so.1 are loaded into the process. One version satisfies the binding requirements of the application link-map list. The other version satisfies the binding requirements of the audit link-map list.
To ensure that audit libraries are built with all dependencies recorded, use the link-editor's -z defs option.
Some system interfaces assume that the interfaces are the only instance of their implementation within a process. Examples of such implementations are signals and malloc(3C). Audit libraries should avoid using such interfaces, as doing so can inadvertently alter the behavior of the application.
Note: An audit library can allocate memory using mapmalloc(3MALLOC), as this allocation method can exist with any allocation scheme normally employed by the application.