On Wed, Dec 15, 2004 at 10:53:33AM -0800, Chris Wright wrote:
> The best you could do is wait until syscall exit and queue up processes
> then. The action will have taken place, but the caller wouldn't get
> scheduled until it's awoken by the audit system. (This doesn't help for the
> case of creating something that another process could then use, as it
> will exist, and the other process's access to the object may not be an
> auditable event).
That won't do; the CAPP requirement is specifically that the action is
prevented. The approach you describe could be abused to do arbitrarily
many audit-required events by forking separate processes for them if you
don't care about them getting stuck afterwards.
-Klaus