audit_log_drain
Steve Grubb
sgrubb at redhat.com
Wed Apr 6 16:00:29 UTC 2005
Hello,
There's design flaw (in my opinion) regarding how this function works. It's
purpose is to try to send packets to userspace. It calls netlink_unicast. If
the return value is < 0, it claims the netlink socket is too busy and marks a
packet as lost.
The fact is that as long as we have space in the backlog, we don't have to
lose a packet do we? Can we not defer claiming we've lost one and try again
later? What is the purpose of the backlog if we can't defer delivery? Also,
shouldn't we put retval in the "too busy" message to help troubleshooting?
-Steve
More information about the Linux-audit
mailing list