Ugly but that bit probably ties in with all the other folks trying to put
together a unified security hook set for 2.5
> audit events are turned on (eg: open()), the user-space audit daemon cannot
> keep up with the kernel, and therefore my ring buffer fills. As such, we
> lose events.
>
> if(!write_io((io_class *)event))
> {
> // Couldnt write it out.
> // No space available in the ring buffer.
> signal=0;
> lost_events++;
> }
So why don't you block ? Obviously you must never block logging events
caused by the logging daemon itself but in the other cases since you are
logging before (and maybe after) a syscall rather than logging during the
syscall where locks may be held I dont see the problem
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/