audit_log_drain

Wed Apr 6 20:10:44 UTC 2005

On Wednesday 06 April 2005 12:41, Chris Wright wrote:
> So, I agree, there's room for improvement.

I have applied the following patch and ran Kris's test program. Didn't lose 
any netlink packets and didn't need to raise the backlog limit from 64. I 
bumped her test up to 100,000 loops. The audit daemon rotated logfiles and 
did not drop a single packet.

I decided to leave 3 openings in the backlog in hopes of allowing something to 
be enqueued that may trigger audit_log_drain.

Signed-Off-By: Steve Grubb<sgrubb at redhat.com>


diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c

--- linux-2.6.9.orig/kernel/audit.c     2005-04-06 12:27:28.000000000 -0400
+++ linux-2.6.9/kernel/audit.c  2005-04-06 12:30:21.000000000 -0400
@@ -143,7 +143,6 @@
        int                  total;
        int                  type;
        int                  pid;
-       int                  count; /* Times requeued */
 };

 void audit_set_type(struct audit_buffer *ab, int type)
@@ -534,8 +533,8 @@
                        retval = netlink_unicast(audit_sock, skb, audit_pid,
                                                 MSG_DONTWAIT);
                }
-               if (retval == -EAGAIN && ab->count < 5) {
-                       ++ab->count;
+               if (retval == -EAGAIN &&
+                       (atomic_read(&audit_backlog)+3) < audit_backlog_limit) 
{                        skb_queue_tail(&ab->sklist, skb);
                        audit_log_end_irq(ab);
                        return 1;
@@ -675,7 +674,6 @@
        ab->total = 0;
        ab->type  = AUDIT_KERNEL;
        ab->pid   = 0;
-       ab->count = 0;

 #ifdef CONFIG_AUDITSYSCALL
        if (ab->ctx)


