From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation
Date: Thu, 22 Oct 2015 15:23:27 -0400 [thread overview]
Message-ID: <5833313.p0DdKMxStc@x2> (raw)
In-Reply-To: <a7b545c7cb12dda1c637f0dbde0ffb290a53d2e1.1445536765.git.rgb@redhat.com>
What is the permissions on this? Who can view it?
-Steve
On Thursday, October 22, 2015 02:58:49 PM Richard Guy Briggs wrote:
> Add a /proc/audit entry for debugging to instrument many audit subsystem
> internal parameters not normally visible.
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> include/linux/skbuff.h | 16 ++++++++++++++++
> kernel/audit.c | 48
> ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64
> insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index f54d665..bcde922 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -180,6 +180,7 @@ struct sk_buff_head {
>
> __u32 qlen;
> spinlock_t lock;
> + __u32 qlen_max;
> };
>
> struct sk_buff;
> @@ -1301,6 +1302,11 @@ static inline __u32 skb_queue_len(const struct
> sk_buff_head *list_) return list_->qlen;
> }
>
> +static inline __u32 skb_queue_len_max(const struct sk_buff_head *list_)
> +{
> + return list_->qlen_max;
> +}
> +
> /**
> * __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
> * @list: queue to initialize
> @@ -1354,6 +1360,8 @@ static inline void __skb_insert(struct sk_buff *newsk,
> newsk->prev = prev;
> next->prev = prev->next = newsk;
> list->qlen++;
> + if(list->qlen > list->qlen_max)
> + list->qlen_max = list->qlen;
> }
>
> static inline void __skb_queue_splice(const struct sk_buff_head *list,
> @@ -1381,6 +1389,8 @@ static inline void skb_queue_splice(const struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
> __skb_queue_splice(list, (struct sk_buff *) head, head->next);
> head->qlen += list->qlen;
> + if(head->qlen > head->qlen_max)
> + head->qlen_max = head->qlen;
> }
> }
>
> @@ -1397,6 +1407,8 @@ static inline void skb_queue_splice_init(struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
> __skb_queue_splice(list, (struct sk_buff *) head, head->next);
> head->qlen += list->qlen;
> + if(head->qlen > head->qlen_max)
> + head->qlen_max = head->qlen;
> __skb_queue_head_init(list);
> }
> }
> @@ -1412,6 +1424,8 @@ static inline void skb_queue_splice_tail(const struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
> __skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> head->qlen += list->qlen;
> + if(head->qlen > head->qlen_max)
> + head->qlen_max = head->qlen;
> }
> }
>
> @@ -1429,6 +1443,8 @@ static inline void skb_queue_splice_tail_init(struct
> sk_buff_head *list, if (!skb_queue_empty(list)) {
> __skb_queue_splice(list, head->prev, (struct sk_buff *) head);
> head->qlen += list->qlen;
> + if(head->qlen > head->qlen_max)
> + head->qlen_max = head->qlen;
> __skb_queue_head_init(list);
> }
> }
> diff --git a/kernel/audit.c b/kernel/audit.c
> index d4e19fc..82df9fd 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -124,6 +124,7 @@ u32 audit_sig_sid = 0;
> 4) suppressed due to audit_backlog_limit
> */
> static atomic_t audit_lost = ATOMIC_INIT(0);
> +static atomic_t audit_hold_lost = ATOMIC_INIT(0);
>
> /* The netlink socket. */
> static struct sock *audit_sock;
> @@ -381,7 +382,10 @@ static void audit_hold_skb(struct sk_buff *skb)
> skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
> skb_queue_tail(&audit_skb_hold_queue, skb);
> else
> + {
> kfree_skb(skb);
> + atomic_inc(&audit_hold_lost);
> + }
> }
>
> /*
> @@ -510,7 +514,10 @@ static void flush_hold_queue(void)
> * dequeued an skb we need to drop ref
> */
> if (skb)
> + {
> consume_skb(skb);
> + atomic_inc(&audit_hold_lost);
> + }
> }
>
> static int kauditd_thread(void *dummy)
> @@ -1174,6 +1181,45 @@ static struct pernet_operations audit_net_ops
> __net_initdata = { .size = sizeof(struct audit_net),
> };
>
> +/* Display information about audit subsystem */
> +static int proc_auditstats_show(struct seq_file *m, void *v)
> +{
> + //seq_printf(m, "audit_initialized\t%d\n", audit_initialized);
> + //seq_printf(m, "audit_enabled\t%u\n", audit_enabled);
> + //seq_printf(m, "audit_ever_enabled\t%u\n", audit_ever_enabled);
> + //seq_printf(m, "audit_default\t%u\n", audit_default);
> + //seq_printf(m, "audit_failure\t%u\n", audit_failure);
> + seq_printf(m, "audit_pid\t\t\t%d\n", audit_pid);
> + //seq_printf(m, "audit_nlk_portid\t%u\n", audit_nlk_portid);
> + //seq_printf(m, "audit_rate_limit\t%u\n", audit_rate_limit);
> + //seq_printf(m, "audit_backlog_limit\t%u\n", audit_backlog_limit);
> + //seq_printf(m, "audit_backlog_wait_time\t%u\n", audit_backlog_wait_time);
> + //seq_printf(m, "audit_sig_uid\t%u\n", from_kuid(&init_user_ns,
> audit_sig_uid)); + //seq_printf(m, "audit_sig_pid\t%d\n", audit_sig_pid);
> + //seq_printf(m, "audit_sig_sid\t%u\n", audit_sig_sid);
> + seq_printf(m, "audit_lost\t\t\t%d\n", atomic_read(&audit_lost));
> + seq_printf(m, "audit_hold_lost\t\t\t%d\n", atomic_read(&audit_hold_lost));
> + seq_printf(m, "audit_freelist_count\t\t%u\n", audit_freelist_count);
> + seq_printf(m, "audit_skb_queue len\t\t%d\n",
> skb_queue_len(&audit_skb_queue)); + seq_printf(m, "audit_skb_queue
> len_max\t\t%d\n", skb_queue_len_max(&audit_skb_queue)); + seq_printf(m,
> "audit_skb_hold_queue len\t%d\n", skb_queue_len(&audit_skb_hold_queue));
> + seq_printf(m, "audit_skb_hold_queue len_max\t%d\n",
> skb_queue_len_max(&audit_skb_hold_queue)); +
> + return 0;
> +}
> +
> +static int auditstats_open(struct inode *inode, struct file *file)
> +{
> + return single_open(file, proc_auditstats_show, NULL);
> +}
> +
> +static const struct file_operations proc_auditstats_operations = {
> + .open = auditstats_open,
> + .read = seq_read,
> + .llseek = seq_lseek,
> + .release = single_release,
> +};
> +
> /* Initialize audit support at boot time. */
> static int __init audit_init(void)
> {
> @@ -1197,6 +1243,8 @@ static int __init audit_init(void)
> for (i = 0; i < AUDIT_INODE_BUCKETS; i++)
> INIT_LIST_HEAD(&audit_inode_hash[i]);
>
> + proc_create("audit", 0, NULL, &proc_auditstats_operations);
> +
> return 0;
> }
> __initcall(audit_init);
next prev parent reply other threads:[~2015-10-22 19:23 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-22 18:58 [ARCHIVE DEBUG 00/13] audit_debug: diagnostics for audit internal workings Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 01/13] audit_debug: set reserve to same size as backlog Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 02/13] audit_debug: squawk when digging into reserve Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation Richard Guy Briggs
2015-10-22 19:23 ` Steve Grubb [this message]
2015-10-22 19:47 ` Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 04/13] audit_debug: add /proc counters for overflows, waiters, recovers, reserves Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 05/13] audit_debug: proc debug output easier to paste Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config Richard Guy Briggs
2015-10-22 19:18 ` Steve Grubb
2015-10-22 19:28 ` Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 07/13] audit_debug: instrument audit_cmd_mutex contention Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 08/13] audit_debug: seperate out audit_titles in proc display Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 09/13] netlink_debug: instrument timing of calls by init/systemd or audit_pid Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 10/13] audit_debug: bark on impossible reserve process conditions in while loop Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 11/13] audit_debug: instrument audit_receive timing Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 12/13] audit_debug: list processes and frequencies waiting for auditd Richard Guy Briggs
2015-10-22 18:58 ` [ARCHIVE DEBUG 13/13] audit_debug: print inode nr for each path when listing exe rules Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5833313.p0DdKMxStc@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).