From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com, eparis@parisplace.org
Subject: Re: [PATCH 2/2] audit: don't reset working wait time accidentally with auditd
Date: Fri, 30 Jan 2015 16:10:44 -0500 [thread overview]
Message-ID: <20150130211044.GY18752@madcap2.tricolour.ca> (raw)
In-Reply-To: <4410568.1yJqvi4AlT@sifl>
On 15/01/29, Paul Moore wrote:
> On Tuesday, January 27, 2015 07:34:02 PM Richard Guy Briggs wrote:
> > During a queue overflow condition while we are waiting for auditd to drain
> > the queue to make room for regular messages, we don't want a successful
> > auditd that has bypassed the queue check to reset the backlog wait time.
> >
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> > kernel/audit.c | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
>
> I'm still wondering why we ever change audit_backlog_wait_time, it is only so
> we don't end up calling wait_for_auditd() multiple times while we are waiting
> for the queue to drain?
Not exactly. Up to the timeout, all subsequent callers will wait for
auditd as well. It is so that if wait_for_auditd() does time out, we
don't make new callers after that timeout wait, but return an error
immediately. If/when auditd does manage to succeed and recover after
that wait time, it will reset the wait time and resume normal operation.
> As a general comment, not directed at anyone in particular, the audit
> backlog/queue handling looks a little odd ...
Indeed...
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index b333f03..73293ea 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1395,7 +1395,8 @@ struct audit_buffer *audit_log_start(struct
> > audit_context *ctx, gfp_t gfp_mask, return NULL;
> > }
> >
> > - audit_backlog_wait_time = audit_backlog_wait_time_master;
> > + if (!reserve)
> > + audit_backlog_wait_time = audit_backlog_wait_time_master;
> >
> > ab = audit_buffer_alloc(ctx, gfp_mask, type);
> > if (!ab) {
>
> --
> paul moore
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
next prev parent reply other threads:[~2015-01-30 21:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-28 0:34 [PATCH 1/2] audit: don't lose set wait time on first successful call to audit_log_start() Richard Guy Briggs
2015-01-28 0:34 ` [PATCH 2/2] audit: don't reset working wait time accidentally with auditd Richard Guy Briggs
2015-01-29 23:16 ` Paul Moore
2015-01-30 21:10 ` Richard Guy Briggs [this message]
2015-02-02 21:16 ` Paul Moore
2015-01-29 23:11 ` [PATCH 1/2] audit: don't lose set wait time on first successful call to audit_log_start() Paul Moore
2015-01-30 21:03 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150130211044.GY18752@madcap2.tricolour.ca \
--to=rgb@redhat.com \
--cc=eparis@parisplace.org \
--cc=linux-audit@redhat.com \
--cc=pmoore@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox