handling disk full
Chris Wright
chrisw at osdl.org
Wed Dec 15 22:04:28 UTC 2004
* Klaus Weidner (klaus at atsec.com) wrote:
> On Wed, Dec 15, 2004 at 10:53:33AM -0800, Chris Wright wrote:
> > The best you could do is wait until syscall exit and queue up processes
> > then. The action will have taken place, but the caller wouldn't get
> > scheduled until it's awoken by audit system. (This doesn't help for the
> > case of creating something that another process could then use, as it
> > will exist, and the other process's access to object may not be an
> > auditable event).
>
> That won't do, the CAPP requirement is specifically that the action is
> prevented. The approach you describe could be abused to do arbitrarily
> many audit-required events by forking separate processes for them if you
> don't care about them getting stuck afterwards.
Your alternative is to create a blocking version and then make sure
it's not called with locks held. Or create some reservation scheme on
syscall entry, which could be tough with multiple auditable events in
one syscall.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the Linux-audit
mailing list