[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: altering audit_log_start



On Wednesday 16 March 2005 12:22 pm, Steve Grubb wrote:
> On Wednesday 16 March 2005 12:58, Timothy R. Chavez wrote:
> > Any opinions on the matter?
>
> It fails for 2 reasons, out of memory and backlog limit. If you're out of
> memory, there's not much you can do. If you hit the backlog limit, there's
> still not much you can do.

You can propigate the -ENOMEM message  To me, that's the correct thing to do.  
I think this comes down to "What do you consider good error handling?" When 
you can fail out of a function for more then one reason, I think that the 
caller is owed an explanation in the form of an errno regardless of whether 
or not we're able to recover from the failure.

>
> Before the flow of control is back in the caller, it will consult
> audit_failure and either panic, print a message, or ignore it. In a CAPP
> setting, I think they will be running in panic mode. Any lost message is a
> problem.

Yes, I suppose this is what's happening.  So I guess it doesn't matter.

>
> So, if you get a failure returned, they are either in print or ignore mode.
> In either case, they have chosen to live with lost messages.
>
> Out of curiosity...what would you do to handle the backlog limit?

Not sure.  I haven't really given it any consideration.  I suppose I'd pass an 
-EAGAIN, sleep, and try again.

>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> http://www.redhat.com/mailman/listinfo/linux-audit

-- 
-tim


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]