Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Paris <eparis@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	Steve Grubb <sgrubb@redhat.com>,
	Konstantin Khlebnikov <khlebnikov@openvz.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dan Duval <dan.duval@oracle.com>,
	Chuck Anderson <chuck.anderson@oracle.com>,
	Guy Streeter <streeter@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>
Subject: Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option
Date: Wed, 18 Sep 2013 16:33:25 -0400	[thread overview]
Message-ID: <1379536405.3032.61.camel@localhost> (raw)
In-Reply-To: <863f1daf3a84b52ae5054f5d232b205ae5caab83.1379530867.git.rgb@redhat.com>

On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote:
> reaahead-collector abuses the audit logging facility to discover which files
> are accessed at boot time to make a pre-load list
> 
> Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
> or gets blocked, the callers won't be blocked.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  include/uapi/linux/audit.h |    2 ++
>  kernel/audit.c             |   22 +++++++++++++++++++++-
>  2 files changed, 23 insertions(+), 1 deletions(-)
> 
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 75cef3f..493a66e 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -316,6 +316,7 @@ enum {
>  #define AUDIT_STATUS_PID		0x0004
>  #define AUDIT_STATUS_RATE_LIMIT		0x0008
>  #define AUDIT_STATUS_BACKLOG_LIMIT	0x0010
> +#define AUDIT_STATUS_BACKLOG_WAIT_TIME	0x0020
>  				/* Failure-to-log actions */
>  #define AUDIT_FAIL_SILENT	0
>  #define AUDIT_FAIL_PRINTK	1
> @@ -367,6 +368,7 @@ struct audit_status {
>  	__u32		backlog_limit;	/* waiting messages limit */
>  	__u32		lost;		/* messages lost */
>  	__u32		backlog;	/* messages waiting in queue */
> +	__u32		backlog_wait_time;/* message queue wait timeout */
>  };
>  
>  struct audit_tty_status {
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 3d17670..fc535b6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -321,6 +321,12 @@ static int audit_set_backlog_limit(int limit)
>  	return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
>  }
>  
> +static int audit_set_backlog_wait_time(int timeout)
> +{
> +	return audit_do_config_change("audit_backlog_wait_time",
> +				      &audit_backlog_wait_time, timeout);
> +}
> +
>  static int audit_set_enabled(int state)
>  {
>  	int rc;
> @@ -669,6 +675,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  		s.backlog_limit = audit_backlog_limit;
>  		s.lost		 = atomic_read(&audit_lost);
>  		s.backlog	 = skb_queue_len(&audit_skb_queue);
> +		s.backlog_wait_time = audit_backlog_wait_time;
>  		audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
>  				 &s, sizeof(s));
>  		break;
> @@ -701,8 +708,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  			if (err < 0)
>  				return err;
>  		}
> -		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT)
> +		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
>  			err = audit_set_backlog_limit(s.backlog_limit);
> +			if (err < 0)
> +				return err;
> +		}
> +		if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
> +			if (sizeof(s) > (size_t)nlh->nlmsg_len)
> +				break;

What gets returned here?  I think err has a value of 0, but it doesn't
seem to have been clearly intentional.  If they know about the
AUDIT_STATUS_BACKLOG_WAIT_TIME flag, but they didn't send a long enough
skb?  That seems like an error condition....

> +			if (s.backlog_wait_time < 0 ||
> +			    s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
> +				return -EINVAL;
> +			err = audit_set_backlog_wait_time(s.backlog_wait_time);
> +			if (err < 0)
> +				return err;
> +		}
>  		break;
>  	}
>  	case AUDIT_USER:

next prev parent reply	other threads:[~2013-09-18 20:33 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-28 22:21 [RFC] audit: avoid soft lockup in audit_log_start() Luiz Capitulino
2013-08-28 22:33 ` Andrew Morton
2013-08-28 22:54   ` Luiz Capitulino
2013-08-28 23:08     ` Andrew Morton
2013-08-29  0:49       ` Luiz Capitulino
2013-08-30 18:23       ` Luiz Capitulino
2013-09-09 14:32 ` Konstantin Khlebnikov
2013-09-09 14:54   ` Luiz Capitulino
2013-09-09 15:19     ` Konstantin Khlebnikov
2013-09-09 15:29       ` Luiz Capitulino
2013-09-09 15:42         ` Konstantin Khlebnikov
2013-09-10 16:03   ` Eric Paris
2013-09-10 17:45     ` Luiz Capitulino
2013-09-17 22:28     ` Andrew Morton
2013-09-17 22:54       ` Luiz Capitulino
2013-09-18  1:57       ` Richard Guy Briggs
2013-09-18  9:48       ` [PATCH] audit: fix endless wait " Konstantin Khlebnikov
2013-09-18 13:31         ` Richard Guy Briggs
2013-09-18 19:06       ` [PATCH 0/8] Audit backlog queue fixes related to soft lockup Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 1/8] audit: avoid soft lockup due to audit_log_start() incorrect loop termination Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 2/8] audit: reset audit backlog wait time after error recovery Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 3/8] audit: make use of remaining sleep time from wait_for_auditd Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 4/8] audit: efficiency fix 1: only wake up if queue shorter than backlog limit Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 5/8] audit: efficiency fix 2: request exclusive wait since all need same resource Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 6/8] audit: add boot option to override default backlog limit Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API Richard Guy Briggs
2013-09-19 21:18           ` Steve Grubb
2013-09-20 14:47             ` Eric Paris
2013-09-23 16:38               ` Richard Guy Briggs
2013-09-18 19:06         ` [PATCH 8/8] audit: add audit_backlog_wait_time configuration option Richard Guy Briggs
2013-09-18 20:33           ` Eric Paris [this message]
2013-09-18 20:49             ` Richard Guy Briggs
2013-09-18 20:54               ` Eric Paris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1379536405.3032.61.camel@localhost \
    --to=eparis@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=chuck.anderson@oracle.com \
    --cc=dan.duval@oracle.com \
    --cc=khlebnikov@openvz.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=rgb@redhat.com \
    --cc=sgrubb@redhat.com \
    --cc=streeter@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.