[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: handling disk full

On Wed, 2004-12-15 at 13:01, Klaus Weidner wrote:
> Keep in mind that the CAPP audit requirements are fairly independent from
> the SELinux uses of the audit subsystem. 
> CAPP requires that specific actions don't complete if they can't be
> audited, and those events will in general occur from a syscall context
> where a sleep should not be a problem.

1) What does "can't be audited" mean - that we couldn't send the audit
record to userspace or that it couldn't reach the disk?
2) Even from process context, you'd have to make sure that the caller is
never holding a lock when it calls audit_log*.

> The events generated by SELinux are not required by CAPP, and it's not a
> problem for CAPP compliance if those messages get discarded if there is
> no room for them and the kernel can't sleep.

Possibly, but audit_log* can't automatically detect whether it is safe
to sleep.  Caller will have to provide that information via a flag or
alternate interface.  

In any event, use of sigsuspend seems questionable.

Stephen Smalley <sds epoch ncsc mil>
National Security Agency

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]