* Klaus Weidner (klaus(a)atsec.com) wrote:
> On Wed, Dec 15, 2004 at 10:53:33AM -0800, Chris Wright wrote:
> > The best you could do is wait until syscall exit and queue up processes
> > then. The action will have taken place, but the caller wouldn't get
> > scheduled until it's awoken by audit system. (This doesn't help for the
> > case of creating something that another process could then use, as it
> > will exist, and the other process's access to object may not be an
> > auditable event).
> That won't do; the CAPP requirement is specifically that the action is
> prevented. The approach you describe could be abused to do arbitrarily
> many audit-required events by forking separate processes for them if you
> don't care about them getting stuck afterwards.
Your alternative is to create a blocking version and then make sure
it's not called with locks held. Or create some reservation scheme on
syscall entry, which could be tough with multiple auditable events in
one syscall.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net
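The two policies argued over in the exchange above, modelled in a small toy simulation added here (not code from the thread or from the LSM project). It assumes nothing about real kernel audit internals: `AuditSystem` is a constructed stand-in for an audit sink with a fixed buffer `capacity`, "exit" stands for the queue-at-syscall-exit idea, and "entry" stands for Klaus's reservation-at-syscall-entry alternative. The point it makes concrete is Klaus's objection: with exit-time queuing, a fork storm completes every auditable action regardless of how many callers end up stuck, whereas entry-time reservation caps completed actions at the audit capacity.

```python
"""Toy model: does the audit backpressure policy actually prevent the action?

Constructed illustration only; the numbers and classes are hypothetical and
do not describe the real Linux audit subsystem.
"""
from dataclasses import dataclass, field


@dataclass
class AuditSystem:
    capacity: int                       # audit records the sink can buffer before it is full
    pending: int = 0                    # records currently buffered
    blocked: list = field(default_factory=list)   # pids parked waiting for the audit system
    completed_actions: int = 0          # auditable actions that actually took effect

    def log_after_action(self, pid: int) -> bool:
        """'Queue at syscall exit': the action has already happened; only the
        caller's return to userspace is delayed if the sink is full."""
        self.completed_actions += 1     # side effect is already visible to others
        if self.pending >= self.capacity:
            self.blocked.append(pid)    # caller parks, but the damage is done
            return False
        self.pending += 1
        return True

    def reserve_before_action(self, pid: int) -> bool:
        """'Reservation at syscall entry': the action only proceeds if an
        audit slot can be reserved first, so a full sink prevents it."""
        if self.pending >= self.capacity:
            self.blocked.append(pid)    # caller parks and the action never occurs
            return False
        self.pending += 1
        self.completed_actions += 1
        return True


def fork_storm(policy: str, n_children: int, capacity: int) -> tuple[int, int]:
    """Simulate n_children forked processes each attempting one auditable
    action against a sink of the given capacity; the parent does not care
    whether the children get stuck afterwards.

    Returns (actions that took effect, processes left blocked)."""
    audit = AuditSystem(capacity)
    for pid in range(n_children):
        if policy == "exit":
            audit.log_after_action(pid)
        elif policy == "entry":
            audit.reserve_before_action(pid)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return audit.completed_actions, len(audit.blocked)


if __name__ == "__main__":
    for policy in ("exit", "entry"):
        done, stuck = fork_storm(policy, n_children=100, capacity=8)
        print(f"{policy:5s}: {done:3d} actions took effect, {stuck:3d} processes stuck")
```

Running it shows the asymmetry: under the "exit" policy all 100 actions take effect even though 92 children are left parked, while under the "entry" policy only 8 actions occur and the rest are genuinely prevented, which is what the CAPP requirement as Klaus describes it demands.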