[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: handling disk full



* Klaus Weidner (klaus atsec com) wrote:
> On Wed, Dec 15, 2004 at 10:53:33AM -0800, Chris Wright wrote:
> > The best you could do is wait until syscall exit and queue up processes
> > then.  The action will have taken place, but the caller wouldn't get
> > scheduled until it's awoken by audit system.  (This doesn't help for the
> > case of creating something that another process could then use, as it
> > will exist, and the other process's access to object may not be an
> > auditable event).
> 
> That won't do, the CAPP requirement is specifically that the action is
> prevented. The approach you describe could be abused to do arbitrarily
> many audit-required events by forking separate processes for them if you
> don't care about them getting stuck afterwards.

Your alternative is to create a blocking version and then make sure
it's not called with locks held.  Or create some reservation scheme on
syscall entry, which could be tough with multiple auditable events in
one syscall.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]