From: Paul Moore
Subject: Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves
Date: Thu, 05 Nov 2015 17:38:40 -0500
Message-ID: <1945739.qBIBrYXbVh@sifl>
To: Richard Guy Briggs
Cc: linux-audit@redhat.com

On Thursday, October 22, 2015 03:51:59 PM Richard Guy Briggs wrote:
> On 15/10/22, Steve Grubb wrote:
> > On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote:
> > > Treat systemd the same way as auditd, allowing it to overrun the queue
> > > to avoid blocking.
> >
> > Do you mind explaining this a little more? I'm having a hard time
> > understanding how systemd is involved.
>
> systemd should only have CAP_AUDIT_READ for the multicast socket and
> otherwise behaves as a user client, sending AUDIT_USER_* messages. It
> starts and stops auditd and we don't want it blocking trying to allocate
> a buffer on the standard queue in audit_log_start() while it is tasked
> with telling auditd to start or stop.

Is this something we are hearing reports about?
Starting and stopping auditd should be rare in normal use, and by rare I mean start it at boot and don't touch it again ... although I suspect you might update/patch it at some point if your system is long running. If this is a common problem we can look at doing something like this, but if it isn't - and I don't think it is - I'd like to avoid special casing init (it's even more specialized since we are basically talking about just systemd, although others could have similar problems). > > -Steve > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > > > > kernel/audit.c | 2 +- > > > 1 files changed, 1 insertions(+), 1 deletions(-) > > > > > > diff --git a/kernel/audit.c b/kernel/audit.c > > > index 3917aad..384a1a1 100644 > > > --- a/kernel/audit.c > > > +++ b/kernel/audit.c > > > @@ -1375,7 +1375,7 @@ struct audit_buffer *audit_log_start(struct > > > audit_context *ctx, gfp_t gfp_mask, return NULL; > > > > > > if (gfp_mask & __GFP_WAIT) { > > > > > > - if (audit_pid && audit_pid == current->tgid) > > > + if (current->tgid == 1 || (audit_pid && audit_pid == current- >tgid)) > > > > > > gfp_mask &= ~__GFP_WAIT; > > > > > > else > > > > > > reserve = 0; > > - RGB > > -- > Richard Guy Briggs > Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, > Red Hat Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore www.paul-moore.com
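Review bot: the new test `current->tgid == 1` in the `if (gfp_mask & __GFP_WAIT)` branch of audit_log_start() identifies the exempted task by a bare PID number and carries no comment, while the commit message speaks of systemd specifically. As written, whatever runs as PID 1 takes the non-blocking path and keeps the queue reserve (it never reaches the `reserve = 0` in the else branch) for every record it logs, not only while it is starting or stopping auditd. If the exemption stays, consider `is_global_init(current)` in place of the literal 1, and add a comment above the condition stating why init is allowed to draw on the reserve.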