Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [RFC PATCH 6/9] audit: rework audit_log_start()
Date: Thu, 24 Nov 2016 01:41:25 -0500	[thread overview]
Message-ID: <20161124064125.GC6897@madcap2.tricolour.ca> (raw)
In-Reply-To: <147995172323.18851.11955381649104136907.stgit@sifl>

On 2016-11-23 20:42, Paul Moore wrote:
> From: Paul Moore <paul@paul-moore.com>
> 
> The backlog queue handling in audit_log_start() is a little odd with
> some questionable design decisions, this patch attempts to rectify
> this with the following changes:
> 
> * Never make auditd wait, ignore any backlog limits as we need auditd
> awake so it can drain the backlog queue.
> 
> * When we hit a backlog limit and start dropping records, don't wake
> all the tasks sleeping on the backlog, that's silly.  Instead, let
> kauditd_thread() take care of waking everyone once it has had a chance
> to drain the backlog queue.
> 
> * Don't keep a global backlog timeout countdown, make it per-task.  A
> per-task timer means we won't have all the sleeping tasks waking at
> the same time and hammering on an already stressed backlog queue.
> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>  kernel/audit.c |   92 ++++++++++++++++++++++----------------------------------
>  1 file changed, 36 insertions(+), 56 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index f4056bc..e23ce6c 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -107,7 +107,6 @@ static u32	audit_rate_limit;
>   * When set to zero, this means unlimited. */
>  static u32	audit_backlog_limit = 64;
>  #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
> -static u32	audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
>  static u32	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
>  
>  /* The identity of the user shutting down the audit system. */
> @@ -345,7 +344,7 @@ static int audit_set_backlog_limit(u32 limit)
>  static int audit_set_backlog_wait_time(u32 timeout)
>  {
>  	return audit_do_config_change("audit_backlog_wait_time",
> -				      &audit_backlog_wait_time_master, timeout);
> +				      &audit_backlog_wait_time, timeout);
>  }
>  
>  static int audit_set_enabled(u32 state)
> @@ -973,7 +972,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>  		s.lost			= atomic_read(&audit_lost);
>  		s.backlog		= skb_queue_len(&audit_queue);
>  		s.feature_bitmap	= AUDIT_FEATURE_BITMAP_ALL;
> -		s.backlog_wait_time	= audit_backlog_wait_time_master;
> +		s.backlog_wait_time	= audit_backlog_wait_time;
>  		audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
>  		break;
>  	}
> @@ -1454,24 +1453,6 @@ static inline void audit_get_stamp(struct audit_context *ctx,
>  	}
>  }
>  
> -/*
> - * Wait for auditd to drain the queue a little
> - */
> -static long wait_for_auditd(long sleep_time)
> -{
> -	DECLARE_WAITQUEUE(wait, current);
> -
> -	if (audit_backlog_limit &&
> -	    skb_queue_len(&audit_queue) > audit_backlog_limit) {
> -		add_wait_queue_exclusive(&audit_backlog_wait, &wait);
> -		set_current_state(TASK_UNINTERRUPTIBLE);
> -		sleep_time = schedule_timeout(sleep_time);
> -		remove_wait_queue(&audit_backlog_wait, &wait);
> -	}
> -
> -	return sleep_time;
> -}
> -
>  /**
>   * audit_log_start - obtain an audit buffer
>   * @ctx: audit_context (may be NULL)
> @@ -1490,12 +1471,9 @@ static long wait_for_auditd(long sleep_time)
>  struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  				     int type)
>  {
> -	struct audit_buffer	*ab	= NULL;
> -	struct timespec		t;
> -	unsigned int		uninitialized_var(serial);
> -	int reserve = 5; /* Allow atomic callers to go up to five
> -			    entries over the normal backlog limit */
> -	unsigned long timeout_start = jiffies;
> +	struct audit_buffer *ab;
> +	struct timespec t;
> +	unsigned int uninitialized_var(serial);
>  
>  	if (audit_initialized != AUDIT_INITIALIZED)
>  		return NULL;
> @@ -1503,38 +1481,40 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  	if (unlikely(!audit_filter(type, AUDIT_FILTER_TYPE)))
>  		return NULL;
>  
> -	if (gfp_mask & __GFP_DIRECT_RECLAIM) {
> -		if (audit_pid && audit_pid == current->tgid)
> -			gfp_mask &= ~__GFP_DIRECT_RECLAIM;
> -		else
> -			reserve = 0;
> -	}
> -
> -	while (audit_backlog_limit
> -	       && skb_queue_len(&audit_queue) > audit_backlog_limit + reserve) {
> -		if (gfp_mask & __GFP_DIRECT_RECLAIM && audit_backlog_wait_time) {
> -			long sleep_time;
> -
> -			sleep_time = timeout_start + audit_backlog_wait_time - jiffies;
> -			if (sleep_time > 0) {
> -				sleep_time = wait_for_auditd(sleep_time);
> -				if (sleep_time > 0)
> -					continue;
> +	/* don't ever fail/sleep on auditd since we need auditd to drain the
> +	 * queue; also, when we are checking for auditd, compare PIDs using
> +	 * task_tgid_vnr() since auditd_pid is set in audit_receive_msg() using
> +	 * a PID anchored in the caller's namespace */
> +	if (!(audit_pid && audit_pid == task_tgid_vnr(current))) {

Could the change from task_tgid() [should be same as current->tgid] to
task_tgid_vnr() be pulled out into a seperate patch to make the
namespace behaviour change implicaiton much more clear?

> +		long sleep_time = audit_backlog_wait_time;
> +
> +		while (audit_backlog_limit &&
> +		       (skb_queue_len(&audit_queue) > audit_backlog_limit)) {
> +			/* wake kauditd to try and flush the queue */
> +			wake_up_interruptible(&kauditd_wait);
> +
> +			/* sleep if we are allowed and we haven't exhausted our
> +			 * backlog wait limit */
> +			if ((gfp_mask & __GFP_DIRECT_RECLAIM) &&
> +			    (sleep_time > 0)) {
> +				DECLARE_WAITQUEUE(wait, current);
> +
> +				add_wait_queue_exclusive(&audit_backlog_wait,
> +							 &wait);
> +				set_current_state(TASK_UNINTERRUPTIBLE);
> +				sleep_time = schedule_timeout(sleep_time);
> +				remove_wait_queue(&audit_backlog_wait, &wait);
> +			} else {
> +				if (audit_rate_check() && printk_ratelimit())
> +					pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
> +						skb_queue_len(&audit_queue),
> +						audit_backlog_limit);
> +				audit_log_lost("backlog limit exceeded");
> +				return NULL;
>  			}
>  		}
> -		if (audit_rate_check() && printk_ratelimit())
> -			pr_warn("audit_backlog=%d > audit_backlog_limit=%d\n",
> -				skb_queue_len(&audit_queue),
> -				audit_backlog_limit);
> -		audit_log_lost("backlog limit exceeded");
> -		audit_backlog_wait_time = 0;
> -		wake_up(&audit_backlog_wait);
> -		return NULL;
>  	}
>  
> -	if (!reserve && !audit_backlog_wait_time)
> -		audit_backlog_wait_time = audit_backlog_wait_time_master;
> -
>  	ab = audit_buffer_alloc(ctx, gfp_mask, type);
>  	if (!ab) {
>  		audit_log_lost("out of memory in audit_log_start");
> @@ -1542,9 +1522,9 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
>  	}
>  
>  	audit_get_stamp(ab->ctx, &t, &serial);
> -
>  	audit_log_format(ab, "audit(%lu.%03lu:%u): ",
>  			 t.tv_sec, t.tv_nsec/1000000, serial);
> +
>  	return ab;
>  }
>  
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

  reply	other threads:[~2016-11-24  6:41 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-24  1:41 [RFC PATCH 0/9] Move the audit netlink multicast send to the kauditd_thread Paul Moore
2016-11-24  1:41 ` [RFC PATCH 1/9] audit: move kaudit thread start from auditd registration to kaudit init (#2) Paul Moore
2016-11-24  1:41 ` [RFC PATCH 2/9] audit: fixup audit_init() Paul Moore
2016-11-24  1:41 ` [RFC PATCH 3/9] audit: queue netlink multicast sends just like we do for unicast sends Paul Moore
2016-11-24  1:41 ` [RFC PATCH 4/9] audit: rename the queues and kauditd related functions Paul Moore
2016-11-24  1:41 ` [RFC PATCH 5/9] audit: rework the audit queue handling Paul Moore
2016-11-24  6:35   ` Richard Guy Briggs
2016-11-25 16:33     ` Paul Moore
2016-11-24  1:42 ` [RFC PATCH 6/9] audit: rework audit_log_start() Paul Moore
2016-11-24  6:41   ` Richard Guy Briggs [this message]
2016-11-25 16:38     ` Paul Moore
2016-11-25 16:41       ` Richard Guy Briggs
2016-11-25 16:50         ` Paul Moore
2016-11-24  1:42 ` [RFC PATCH 7/9] audit: wake up kauditd_thread after auditd registers Paul Moore
2016-11-24  1:42 ` [RFC PATCH 8/9] audit: handle a clean auditd shutdown with grace Paul Moore
2016-11-24  1:42 ` [RFC PATCH 9/9] audit: don't ever sleep on a command record/message Paul Moore
2016-11-29 22:08 ` [RFC PATCH 0/9] Move the audit netlink multicast send to the kauditd_thread Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161124064125.GC6897@madcap2.tricolour.ca \
    --to=rgb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=pmoore@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox