On Sun, 22 Feb 2015 19:15:07 -0800
"Hassan Sultan" <hsultan(a)thefroid.net> wrote:
> Some events, such as execve or socket-related syscalls, generate more
> than one message, which I'll separate as the "main" message, and then
> the 'sub' messages.
> Does the audit system guarantee in any way that user-mode will
> receive either no message, or all messages for a given event?

If a syscall cannot be audited, the syscall has to fail.

> I'm curious to know if for example I could get an execve syscall
> message, but no cwd message, for example in case of low-memory
> condition.

I suppose it depends on where in the processing an error occurs. Some
failure modes if selected cause a system panic. You'll probably want to
look through the kernel source code to be sure.

-Steve
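
Added example, not part of the original thread and not code from the audit project: a user-space check that groups raw audit records by their shared event ID and reports execve events that arrived without one of their companion records, such as the missing cwd message asked about above. The sample log lines are constructed, and the set of expected record types and the x86_64 syscall number are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample in auditd raw log format (not taken from the thread).
# Event 101 is complete; event 102 has SYSCALL and EXECVE records but no CWD.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1424661307.101:101): arch=c000003e syscall=59 success=yes exit=0 pid=2001 comm="ls" exe="/bin/ls"
type=EXECVE msg=audit(1424661307.101:101): argc=1 a0="ls"
type=CWD msg=audit(1424661307.101:101): cwd="/home/demo"
type=PATH msg=audit(1424661307.101:101): item=0 name="/bin/ls"
type=SYSCALL msg=audit(1424661309.500:102): arch=c000003e syscall=59 success=yes exit=0 pid=2002 comm="id" exe="/usr/bin/id"
type=EXECVE msg=audit(1424661309.500:102): argc=1 a0="id"
type=SYSCALL msg=audit(1424661310.250:103): arch=c000003e syscall=2 success=yes exit=3 pid=2002 comm="id" exe="/usr/bin/id"
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# Assumption: record types a consumer wants to see together for one execve event.
EXPECTED_FOR_EXECVE = {"SYSCALL", "EXECVE", "CWD"}

def group_events(log_text):
    """Group records by (timestamp, serial), the ID shared by one event's records."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, int(serial))][rtype] = body
    return events

def is_execve(records):
    """True if the event has an EXECVE record or an x86_64 execve SYSCALL record."""
    fields = records.get("SYSCALL", "").split()
    # Assumption: x86_64 only, where arch=c000003e and execve is syscall 59.
    return "EXECVE" in records or ("arch=c000003e" in fields and "syscall=59" in fields)

def incomplete_execve_events(log_text):
    """Return [(timestamp, serial, missing_types)] for execve events with gaps."""
    gaps = []
    for (ts, serial), records in sorted(group_events(log_text).items()):
        missing = EXPECTED_FOR_EXECVE - set(records)
        if is_execve(records) and missing:
            gaps.append((ts, serial, sorted(missing)))
    return gaps

if __name__ == "__main__":
    for ts, serial, missing in incomplete_execve_events(SAMPLE_LOG):
        print(f"event {ts}:{serial} is missing {', '.join(missing)}")
```

A gap reported here only shows that the record was absent from the log being read; it does not say whether the kernel dropped it or a later stage did.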