From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <pmoore@redhat.com>
Subject: Re: [PATCH 2/2] audit: don't reset working wait time accidentally
	with auditd
Date: Thu, 29 Jan 2015 18:16:08 -0500
Message-ID: <4410568.1yJqvi4AlT@sifl>
References: <2192ffc51189b5caa7d7172d59fea6fcc8bf07a5.1422392773.git.rgb@redhat.com>
	<075a355dd6d63a0330ffc5ef5a3480132540827b.1422392773.git.rgb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <075a355dd6d63a0330ffc5ef5a3480132540827b.1422392773.git.rgb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, eparis@parisplace.org
List-Id: linux-audit@redhat.com

On Tuesday, January 27, 2015 07:34:02 PM Richard Guy Briggs wrote:
> During a queue overflow condition while we are waiting for auditd to drain
> the queue to make room for regular messages, we don't want a successful
> auditd that has bypassed the queue check to reset the backlog wait time.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)

I'm still wondering why we ever change audit_backlog_wait_time, it is only so 
we don't end up calling wait_for_auditd() multiple times while we are waiting 
for the queue to drain?

As a general comment, not directed at anyone in particular, the audit 
backlog/queue handling looks a little odd ...

> diff --git a/kernel/audit.c b/kernel/audit.c
> index b333f03..73293ea 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1395,7 +1395,8 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, return NULL;
>  	}
> 
> -	audit_backlog_wait_time = audit_backlog_wait_time_master;
> +	if (!reserve)
> +		audit_backlog_wait_time = audit_backlog_wait_time_master;
> 
>  	ab = audit_buffer_alloc(ctx, gfp_mask, type);
>  	if (!ab) {

-- 
paul moore
security @ redhat