From: Paul Moore
Subject: Re: [PATCH 1/2] audit: don't lose set wait time on first successful call to audit_log_start()
Date: Thu, 29 Jan 2015 18:11:26 -0500
Message-ID: <2098336.04HiSDC4cU@sifl>
References: <2192ffc51189b5caa7d7172d59fea6fcc8bf07a5.1422392773.git.rgb@redhat.com>
In-Reply-To: <2192ffc51189b5caa7d7172d59fea6fcc8bf07a5.1422392773.git.rgb@redhat.com>
To: Richard Guy Briggs
Cc: linux-audit@redhat.com, eparis@parisplace.org
List-Id: linux-audit@redhat.com

On Tuesday, January 27, 2015 07:34:01 PM Richard Guy Briggs wrote:
> Copy the set wait time to a working value to avoid losing the set value if
> the queue overflows.
>
> Signed-off-by: Richard Guy Briggs
> ---
> kernel/audit.c | 7 ++++---
> 1 files changed, 4 insertions(+), 3 deletions(-)

Just so I'm understanding this patch correctly, you create the new audit_backlog_wait_time_master because the existing audit_backlog_wait_time can be overwritten by the code in audit_log_start() when the audit record backlog overflows (it is set to audit_backlog_wait_overflow), yes? Further, if the queue overflows the audit_backlog_wait_time will remain set to audit_backlog_wait_overflow until the queue is drained, yes? Is that what we want?

> diff --git a/kernel/audit.c b/kernel/audit.c > index 53bb39b..b333f03 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -107,6 +107,7 @@ static u32 audit_rate_limit; > * When set to zero, this means unlimited. */ > static u32 audit_backlog_limit = 64; > #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) > +static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME; > static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; > static u32 audit_backlog_wait_overflow = 0; 
> > @@ -338,7 +339,7 @@ static int audit_set_backlog_limit(u32 limit) > static int audit_set_backlog_wait_time(u32 timeout) > { > return audit_do_config_change("audit_backlog_wait_time", > - &audit_backlog_wait_time, timeout); > + &audit_backlog_wait_time_master, timeout); > } > > static int audit_set_enabled(u32 state) > @@ -843,7 +844,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct > nlmsghdr *nlh) s.lost = atomic_read(&audit_lost); > s.backlog = skb_queue_len(&audit_skb_queue); > s.version = AUDIT_VERSION_LATEST; > - s.backlog_wait_time = audit_backlog_wait_time; > + s.backlog_wait_time = audit_backlog_wait_time_master; > audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s)); > break; > } > @@ -1394,7 +1395,7 @@ struct audit_buffer *audit_log_start(struct > audit_context *ctx, gfp_t gfp_mask, return NULL; > } > > - audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; > + audit_backlog_wait_time = audit_backlog_wait_time_master; > > ab = audit_buffer_alloc(ctx, gfp_mask, type); > if (!ab) { -- paul moore security @ redhat
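
Review bot: in the @@ -107,6 +107,7 @@ hunk, the added audit_backlog_wait_time_master has no comment saying how it differs from audit_backlog_wait_time directly below it, while audit_backlog_limit just above carries one ("When set to zero, this means unlimited."). A short comment stating that the _master variable holds the value configured through audit_set_backlog_wait_time() and that audit_backlog_wait_time is the working copy that can be overwritten on overflow would make the pairing clear to later readers.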
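
Review bot: in the @@ -338,7 +339,7 @@ hunk, audit_set_backlog_wait_time() now writes only audit_backlog_wait_time_master, so the working audit_backlog_wait_time keeps its previous value until the assignment in audit_log_start() (the @@ -1394,7 +1395,7 @@ hunk) runs. If a newly configured timeout is meant to take effect immediately, also update the working value here; otherwise say so in a comment. The name string passed to audit_do_config_change() is still "audit_backlog_wait_time", which is worth confirming as intended now that the target variable has a different name.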
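
Review bot: in the @@ -1394,7 +1395,7 @@ hunk, the restore "audit_backlog_wait_time = audit_backlog_wait_time_master;" sits after the early "return NULL;", so the working value is put back only by a later call that reaches this line; this is the point raised in the reply above about the value staying at audit_backlog_wait_overflow in the meantime. A comment on this line saying that it undoes the overflow setting, plus a sentence in the commit message on when that happens, would answer the question in the code itself. The read of audit_backlog_wait_time_master here and the write in audit_set_backlog_wait_time() show no locking in the visible lines; please confirm that is acceptable for this setting.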
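
The behaviour that the subject line and the reply describe, as an added example that is not part of the original message or the kernel source: a user-space C model of the three variables in the quoted hunks, comparing the working wait time before and after the patch. The struct, the model_* and wait_after_recovery names, and HZ = 100 are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HZ 100 /* assumed tick rate; constructed value for this model */
#define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)

/* User-space model of the variables in the quoted hunks (not kernel code). */
struct audit_model {
    bool patched;           /* false = behaviour before the patch */
    uint32_t wait_master;   /* audit_backlog_wait_time_master */
    uint32_t wait_time;     /* audit_backlog_wait_time (working value) */
    uint32_t wait_overflow; /* audit_backlog_wait_overflow */
};

/* Models audit_set_backlog_wait_time(): the patch changes the target. */
static void model_set_wait_time(struct audit_model *m, uint32_t timeout)
{
    uint32_t *target = m->patched ? &m->wait_master : &m->wait_time;
    *target = timeout;
}

/* Models one audit_log_start() call; overflow selects the backlog-full path. */
static bool model_log_start(struct audit_model *m, bool overflow)
{
    if (overflow) {
        m->wait_time = m->wait_overflow; /* as described in the reply */
        return false;
    }
    /* Success path: the assignment changed by the last hunk. */
    m->wait_time = m->patched ? m->wait_master : AUDIT_BACKLOG_WAIT_TIME;
    return true;
}

/* Working wait time after: configure, overflow once, then one success. */
static uint32_t wait_after_recovery(bool patched, uint32_t configured)
{
    struct audit_model m = { patched, AUDIT_BACKLOG_WAIT_TIME,
                             AUDIT_BACKLOG_WAIT_TIME, 0 };
    model_set_wait_time(&m, configured);
    model_log_start(&m, true);
    model_log_start(&m, false);
    return m.wait_time;
}

int main(void)
{
    printf("unpatched: %u\n", (unsigned)wait_after_recovery(false, 5 * HZ));
    printf("patched:   %u\n", (unsigned)wait_after_recovery(true, 5 * HZ));
    return 0;
}
```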