From: Eric Paris <eparis@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
Steve Grubb <sgrubb@redhat.com>,
Konstantin Khlebnikov <khlebnikov@openvz.org>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Duval <dan.duval@oracle.com>,
Chuck Anderson <chuck.anderson@oracle.com>,
Guy Streeter <streeter@redhat.com>,
Oleg Nesterov <oleg@redhat.com>
Subject: Re: [PATCH 8/8] audit: add audit_backlog_wait_time configuration option
Date: Wed, 18 Sep 2013 16:54:02 -0400 [thread overview]
Message-ID: <1379537642.3032.62.camel@localhost> (raw)
In-Reply-To: <20130918204949.GI13968@madcap2.tricolour.ca>
On Wed, 2013-09-18 at 16:49 -0400, Richard Guy Briggs wrote:
> On Wed, Sep 18, 2013 at 04:33:25PM -0400, Eric Paris wrote:
> > On Wed, 2013-09-18 at 15:06 -0400, Richard Guy Briggs wrote:
> > > reaahead-collector abuses the audit logging facility to discover which files
> > > are accessed at boot time to make a pre-load list
> > >
> > > Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
> > > or gets blocked, the callers won't be blocked.
>
> > > diff --git a/kernel/audit.c b/kernel/audit.c
> > > index 3d17670..fc535b6 100644
> > > --- a/kernel/audit.c
> > > +++ b/kernel/audit.c
> > > @@ -701,8 +708,21 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > > if (err < 0)
> > > return err;
> > > }
> > > - if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT)
> > > + if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
> > > err = audit_set_backlog_limit(s.backlog_limit);
> > > + if (err < 0)
> > > + return err;
> > > + }
> > > + if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
> > > + if (sizeof(s) > (size_t)nlh->nlmsg_len)
> > > + break;
> >
> > What gets returned here? I think err has a value of 0, but it doesn't
> > seem to have been clearly intentional. If they know about the
> > AUDIT_STATUS_BACKLOG_WAIT_TIME flag, but they didn't send a long enough
> > skb? That seems like an error condition....
>
> The intent was that it is a NOP, since err would have a value of zero,
> but I see your point, that if that flag is present, the struct member
> should be too. My original intent was that if the structure member
> wasn't present, it would default to zero, unintentionally setting the
> wait time to zero. It was part of my paranoia in the absence of an API
> version indicator. No harm done, but I agree it should return an error.
>
> Thanks for the catch.
>
> > > + if (s.backlog_wait_time < 0 ||
> > > + s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
> > > + return -EINVAL;
>
> I assume values less than zero or larger than 10 times the current
> default of one minute are errors or unreasonable.
>
> Any argument for more than 10 minutes?
10 Minutes already seems nuts. If someone has a reason to go higher, we
can change this sanity check then.
-Eric
prev parent reply other threads:[~2013-09-18 20:54 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-28 22:21 [RFC] audit: avoid soft lockup in audit_log_start() Luiz Capitulino
2013-08-28 22:33 ` Andrew Morton
2013-08-28 22:54 ` Luiz Capitulino
2013-08-28 23:08 ` Andrew Morton
2013-08-29 0:49 ` Luiz Capitulino
2013-08-30 18:23 ` Luiz Capitulino
2013-09-09 14:32 ` Konstantin Khlebnikov
2013-09-09 14:54 ` Luiz Capitulino
2013-09-09 15:19 ` Konstantin Khlebnikov
2013-09-09 15:29 ` Luiz Capitulino
2013-09-09 15:42 ` Konstantin Khlebnikov
2013-09-10 16:03 ` Eric Paris
2013-09-10 17:45 ` Luiz Capitulino
2013-09-17 22:28 ` Andrew Morton
2013-09-17 22:54 ` Luiz Capitulino
2013-09-18 1:57 ` Richard Guy Briggs
2013-09-18 9:48 ` [PATCH] audit: fix endless wait " Konstantin Khlebnikov
2013-09-18 13:31 ` Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 0/8] Audit backlog queue fixes related to soft lockup Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 1/8] audit: avoid soft lockup due to audit_log_start() incorrect loop termination Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 2/8] audit: reset audit backlog wait time after error recovery Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 3/8] audit: make use of remaining sleep time from wait_for_auditd Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 4/8] audit: efficiency fix 1: only wake up if queue shorter than backlog limit Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 5/8] audit: efficiency fix 2: request exclusive wait since all need same resource Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 6/8] audit: add boot option to override default backlog limit Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 7/8] audit: clean up AUDIT_GET/SET local variables and future-proof API Richard Guy Briggs
2013-09-19 21:18 ` Steve Grubb
2013-09-20 14:47 ` Eric Paris
2013-09-23 16:38 ` Richard Guy Briggs
2013-09-18 19:06 ` [PATCH 8/8] audit: add audit_backlog_wait_time configuration option Richard Guy Briggs
2013-09-18 20:33 ` Eric Paris
2013-09-18 20:49 ` Richard Guy Briggs
2013-09-18 20:54 ` Eric Paris [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1379537642.3032.62.camel@localhost \
--to=eparis@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=chuck.anderson@oracle.com \
--cc=dan.duval@oracle.com \
--cc=khlebnikov@openvz.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
--cc=streeter@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox