Re: handling disk full
* Mounir Bsaibes (bsaibes(a)us.ibm.com) wrote:
We are talking about 2 different things: 1) handling disk full 2)
suspending the process whenever there are no kernel resources.
1) For handling disk full I am doing the following:
Whenever the disk full (or log reached its limit) is detected the auditd
sends an AUDIT_SUSPEND message to the kernel. On receipt of this message
the kernel will set a flag "disk_full_flag". If this disk_full_flag is
set audit_log_start will call audit_suspend to queue the process in a wait
queue. Whenever the disk_full_flag is reset all the processes in the wait
queue will be rescheduled.
Look at audit_log_start callers. They include avc_perm, which can happen
in interrupt context. Notice audit_log_start() is already coded to be
called from nearly any context, it uses _irq versions of spinlock and
does GFP_ATOMIC allocations.
2) For suspending the process whenever there are no kernel
resources:
I was thinking of using sigsuspend whenever audit_log_lost is called
depending on the "failure flag". The failure flag currently can be set
,only, to: do nothing, print a message or panic. I was thinking to add a
fourth option to this flag to suspend the processes.
sigsuspend puts the process in the TASK_INTERRUPTIBLE state, the process
will only wake up when a nonignored, nonblocked signal is sent to it. From
the dicussion so far this may not be a good way to go about solving this
requirement, specially if the process is holding locks or whatever. I need
to either add to this solution or come up with a different one.
The best you could do is wait until syscall exit and queue up processes
then. The action will have taken place, but the caller wouldn't get
scheduled until it's awoken by audit system. (This doesn't help for the
case of creating something that another process could then use, as it
will exist, and the other process's access to object may not be an
auditable event).
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net