Quoting Eric Paris ([EMAIL PROTECTED]): > So here's the problem.... I can't fail this syscall, it's too late. I
Oh, right... > can do a couple of things. > > 1) waste lots of space in the execve record so we know memory has > already been allocated > 2) just ignore the memory failure and don't worry about it. We are > still going to get the fcaps info from the patch record and should be > able to piece together the starting and finishing caps by looking at > past audit records if you really need it. > 3) I can call audit_log_lost(). I don't think we know are this time > that we really needed this record, but this is the 'safest' approach. > If people have their machines set to panic on lost records we would > panic. Honestly though, if we don't have enough memory to satisfy this > request (we're talking about 72 bytes or something?) we are going to > fail the next audit message, so doing it now would be just fine. > > I vote #2 since I don't think we are really going to have any lose of > info. But if people want it I'll go #3 since I don't think it will hurt > anything. 2 sounds reasonable to me. Reckon sgrubb will speak up if it violates some audit requirement. thanks, -serge -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
