audit_log_drain
Steve Grubb
sgrubb at redhat.com
Wed Apr 6 16:12:23 UTC 2005
On Wednesday 06 April 2005 12:00, Steve Grubb wrote:
> The fact is that as long as we have space in the backlog, we don't have to
> lose a packet do we?
Specifically, I'm talking about this:
522 if (retval == -EAGAIN && ab->count < 5) {
523 ++ab->count;
524 skb_queue_tail(&ab->sklist, skb);
525 audit_log_end_irq(ab);
526 return 1;
527 }
ab->count < 5 sounds arbitrary. I'd rather see it:
if (retval == -EAGAIN && audit_backlog < (audit_backlog_limit-1))
Does this make more sense? The idea is to try to leave room for 1 more packet
that could trigger the audit_log_drain.
-Steve
More information about the Linux-audit
mailing list