Quoting Eric Paris (eparis(a)redhat.com):
> So here's the problem.... I can't fail this syscall,
> it's too late. I

Oh, right...

> can do a couple of things.
> 1) waste lots of space in the execve record so we know memory has
> already been allocated
> 2) just ignore the memory failure and don't worry about it. We are
> still going to get the fcaps info from the patch record and should be
> able to piece together the starting and finishing caps by looking at
> past audit records if you really need it.
> 3) I can call audit_log_lost(). I don't think we know at this time
> that we really needed this record, but this is the 'safest' approach.
> If people have their machines set to panic on lost records we would
> panic. Honestly though, if we don't have enough memory to satisfy this
> request (we're talking about 72 bytes or something?) we are going to
> fail the next audit message, so doing it now would be just fine.
> I vote #2 since I don't think we are really going to have any loss of
> info. But if people want it I'll go #3 since I don't think it will hurt
> anything.

2 sounds reasonable to me. Reckon sgrubb will speak up if it violates
some audit requirement.
thanks,
-serge