Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Richard Guy Briggs <rgb@redhat.com>
To: linux-audit@redhat.com, linux-kernel@vger.kernel.org
Cc: Eric Paris <eparis@redhat.com>, Steve Grubb <sgrubb@redhat.com>,
	Konstantin Khlebnikov <khlebnikov@openvz.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dan Duval <dan.duval@oracle.com>,
	Chuck Anderson <chuck.anderson@oracle.com>,
	Guy Streeter <streeter@redhat.com>,
	Oleg Nesterov <oleg@redhat.com>
Subject: Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option
Date: Wed, 18 Sep 2013 16:49:49 -0400	[thread overview]
Message-ID: <20130918204949.GI13968@madcap2.tricolour.ca> (raw)
In-Reply-To: <1379536405.3032.61.camel@localhost>

On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote:
> On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote:
> > reaahead-collector abuses the audit logging facility to discover which files
> > are accessed at boot time to make a pre-load list
> > 
> > Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
> > or gets blocked, the callers won't be blocked.

> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3d17670..fc535b6 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -701,8 +708,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> >  			if (err < 0)
> >  				return err;
> >  		}
> > -		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT)
> > +		if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
> >  			err = audit_set_backlog_limit(s.backlog_limit);
> > +			if (err < 0)
> > +				return err;
> > +		}
> > +		if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
> > +			if (sizeof(s) > (size_t)nlh->nlmsg_len)
> > +				break;
> 
> What gets returned here?  I think err has a value of 0, but it doesn't
> seem to have been clearly intentional.  If they know about the
> AUDIT_STATUS_BACKLOG_WAIT_TIME flag, but they didn't send a long enough
> skb?  That seems like an error condition....

The intent was that it is a NOP, since err would have a value of zero,
but I see your point, that if that flag is present, the struct member
should be too.  My original intent was that if the structure member
wasn't present, it would default to zero, unintentionally setting the
wait time to zero.  It was part of my paranoia in the absence of an API
version indicator.  No harm done, but I agree it should return an error.

Thanks for the catch.

> > +			if (s.backlog_wait_time < 0 ||
> > +			    s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
> > +				return -EINVAL;

I assume values less than zero or larger than 10 times the current
default of one minute are errors or unreasonable.

Any argument for more than 10 minutes?


- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer
Kernel Security
AMER ENG Base Operating Systems
Remote, Ottawa, Canada
Voice: +1.647.777.2635
Internal: (81) 32635
Alt: +1.613.693.0684x3545

next prev parent reply	other threads:[~2013-09-18 20:49 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20130917152842.51158606ed46ec67b97b4448@linux-foundation.org>
2013-09-18 19:06 ` [PATCH 0/8] Audit backlog queue fixes related to soft lockup Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 1/8] audit: avoid soft lockup due to audit_log_start() incorrect loop termination Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 2/8] audit: reset audit backlog wait time after error recovery Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 3/8] audit: make use of remaining sleep time from wait_for_auditd Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 4/8] audit: efficiency fix 1: only wake up if queue shorter than backlog limit Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 5/8] audit: efficiency fix 2: request exclusive wait since all need same resource Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 6/8] audit: add boot option to override default backlog limit Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API Richard Guy Briggs
2013-09-19 21:18     ` Steve Grubb
2013-09-20 14:47       ` Eric Paris
2013-09-23 16:38         ` Richard Guy Briggs
2013-09-18 19:06   ` [PATCH 8/8] audit: add audit_backlog_wait_time configuration option Richard Guy Briggs
2013-09-18 20:33     ` Eric Paris
2013-09-18 20:49       ` Richard Guy Briggs [this message]
2013-09-18 20:54         ` Eric Paris

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130918204949.GI13968@madcap2.tricolour.ca \
    --to=rgb@redhat.com \
    --cc=akpm@linux-foundation.org \
    --cc=chuck.anderson@oracle.com \
    --cc=dan.duval@oracle.com \
    --cc=eparis@redhat.com \
    --cc=khlebnikov@openvz.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=sgrubb@redhat.com \
    --cc=streeter@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox