From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5548C89D.2020601@tycho.nsa.gov>
Date: Tue, 05 May 2015 09:41:49 -0400
From: Stephen Smalley
MIME-Version: 1.0
To: Zhi Xin, Gaurav Gangwar
Subject: Re: Give out all the avc logs in ome time
Content-Type: text/plain; charset=windows-1252
Cc: "seandroid-list@tycho.nsa.gov", "selinux@tycho.nsa.gov"
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On 05/05/2015 04:55 AM, Zhi Xin wrote:
> (1) avc size
>
> I'm reading the code under
>
> /kernel/security/selinux/avc.c
>
> I noticed that there are some macros like
>
> #define AVC_DEF_CACHE_THRESHOLD 512
> #define AVC_CACHE_SLOTS 512
>
> Are they some kind of threshold? If the size of the avc log reported is
> bigger than that, will new avc records be abandoned?

No, that has nothing to do with auditing. Just the size of the cache.

> (2) The audit subsystem may drop some records when some condition is
> satisfied, like
>
> /kernel/kernel/audit.c
>
> 115 /* Records can be lost in several ways:
> 116 0) [suppressed in audit_alloc]
> 117 1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
> 118 2) out of memory in audit_log_move [alloc_skb]
> 119 3) suppressed due to audit_rate_limit
> 120 4) suppressed due to audit_backlog_limit
> 121 */
>
> Any comments on these two?

Yes, one of the above cases is the most likely reason you are losing audit
messages. You can set the audit_rate_limit to zero to disable ratelimiting
of audit messages by removing the code from system/core/logd/libaudit.c that
sets it. You could set the audit_backlog_limit to zero either by patching
your kernel or by modifying logd to set it. You can patch your kernel to
disable printk_ratelimit from being applied when sending audit messages to
the kernel ring buffer.
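The following is an added example, not code from this thread and not Android's logd/libaudit.c. It shows the AUDIT_SET netlink request through which user space changes the two kernel tunables named in the reply, audit_rate_limit and audit_backlog_limit (passing 0 for each is the "set it to zero" advice above), plus a helper that compares two status snapshots to detect records the kernel has already dropped. The AUDIT_SET and AUDIT_STATUS_* values are those of <linux/audit.h>; the struct audit_status_msg layout is an assumed, truncated copy of the leading fields of the kernel's struct audit_status, and send_audit_set() is hypothetical code that needs CAP_AUDIT_CONTROL on a Linux host.

```c
/* Added example (not from the thread or from logd/libaudit.c): build and
 * send the AUDIT_SET request that changes audit_rate_limit and
 * audit_backlog_limit, and measure records lost between two status reads. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from <linux/audit.h>, defined here so the payload builder
 * compiles without kernel headers. */
#define AUDIT_SET                  1001   /* netlink message type: set status */
#define AUDIT_STATUS_RATE_LIMIT    0x0008 /* mask bit: rate_limit is valid    */
#define AUDIT_STATUS_BACKLOG_LIMIT 0x0010 /* mask bit: backlog_limit is valid */

/* Assumed, truncated layout of the kernel's struct audit_status (leading
 * fields only; the kernel copies at most the bytes it is handed). */
struct audit_status_msg {
    uint32_t mask;          /* which of the fields below to apply */
    uint32_t enabled;
    uint32_t failure;
    uint32_t pid;
    uint32_t rate_limit;    /* messages per second; 0 = no rate limiting */
    uint32_t backlog_limit; /* records allowed in the queue; 0 = no cap */
    uint32_t lost;          /* kernel-maintained count of dropped records */
    uint32_t backlog;       /* records currently queued */
};

/* Fill an AUDIT_SET payload and return the mask so the caller can see which
 * tunables the request touches. rate_limit 0 and backlog_limit 0 correspond
 * to cases 3 and 4 of the audit.c comment quoted in the thread. */
uint32_t build_audit_set(uint32_t rate_limit, uint32_t backlog_limit,
                         struct audit_status_msg *st)
{
    memset(st, 0, sizeof *st);
    st->mask = AUDIT_STATUS_RATE_LIMIT | AUDIT_STATUS_BACKLOG_LIMIT;
    st->rate_limit = rate_limit;
    st->backlog_limit = backlog_limit;
    return st->mask;
}

/* Given two status snapshots (e.g. AUDIT_GET replies taken before and after
 * a test run), return how many records the kernel dropped in between. A
 * non-zero result means AVC denials were suppressed, not merely unlogged. */
uint32_t audit_lost_between(const struct audit_status_msg *before,
                            const struct audit_status_msg *after)
{
    return after->lost - before->lost;
}

#ifdef __linux__
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>

/* Hypothetical sender: deliver the request over NETLINK_AUDIT to the kernel
 * (nl_pid 0). Needs CAP_AUDIT_CONTROL. Returns 0 on success, -1 otherwise. */
int send_audit_set(uint32_t rate_limit, uint32_t backlog_limit)
{
    struct {
        struct nlmsghdr nlh;           /* 16 bytes, already NLMSG_ALIGNed */
        struct audit_status_msg st;
    } req;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -1;
    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len   = NLMSG_LENGTH(sizeof req.st);
    req.nlh.nlmsg_type  = AUDIT_SET;
    req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req.nlh.nlmsg_seq   = 1;
    build_audit_set(rate_limit, backlog_limit, &req.st);
    ssize_t n = sendto(fd, &req, req.nlh.nlmsg_len, 0,
                       (struct sockaddr *)&kernel, sizeof kernel);
    close(fd);
    return n == (ssize_t)req.nlh.nlmsg_len ? 0 : -1;
}

int main(void)
{
    /* Disable both limits, as the reply suggests, so no AVC record is
     * suppressed by the rate limit or the backlog limit. */
    if (send_audit_set(0, 0) != 0)
        perror("AUDIT_SET (requires CAP_AUDIT_CONTROL)");
    else
        puts("requested audit_rate_limit=0 audit_backlog_limit=0");
    return 0;
}
#endif
```

On a stock Linux box the same request is what `auditctl -r 0` and `auditctl -b N` issue, and `auditctl -s` prints the `lost` counter that audit_lost_between() compares; on Android there is no auditctl, which is why the reply points at logd's libaudit.c as the place to change the values.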