multipart messages & delivery guarantees

multipart messages & delivery guarantees

[Hassan Sultan]

Hi,

Some events, such as execve or socket-related syscalls generate more than  
one message, which I'll separate as the "main" message, and then the 'sub'  
messages.

Does the audit system guarantee in any way that user-mode will receive  
either no message, or all messages for a given event ?

I'm curious to know if for example I could get an execve syscall message,  
but no cwd message, for example in case of low-memory condition.

Thanks,

Hassan

Re: multipart messages & delivery guarantees

[Steve Grubb]

On Sun, 22 Feb 2015 19:15:07 -0800
"Hassan Sultan" <hsultan@thefroid.net> wrote:
> Some events, such as execve or socket-related syscalls generate more
> than one message, which I'll separate as the "main" message, and then
> the 'sub' messages.
> 
> Does the audit system guarantee in any way that user-mode will
> receive either no message, or all messages for a given event ?

If a syscall cannot be audited, the syscall has to fail.

 
> I'm curious to know if for example I could get an execve syscall
> message, but no cwd message, for example in case of low-memory
> condition.

I suppose it depends on where in the processing an error occurs. Some
failure modes if selected cause a system panic. You'll probably want to
look through the kernel source code to be sure.

-Steve