audit_log_drain

Chris Wright chrisw at osdl.org
Thu Apr 7 00:33:06 UTC 2005


* Steve Grubb (sgrubb at redhat.com) wrote:
> On Wednesday 06 April 2005 12:41, Chris Wright wrote:
> > So, I agree, there's room for improvement.
> 
> I have applied the following patch and ran Kris's test program. Didn't lose 
> any netlink packets and didn't need to raise the backlog limit from 64. I 
> bumped her test up to 100,000 loops. The audit daemon rotated logfiles and 
> did not drop a single packet.

What is Kris's test program?  I was simply using something like:

while :
do
    < /dev/null
done

With an audit rule to match that open.  This causes congestion
immediately.

> I decided to leave 3 openings in the backlog in hopes of allowing something
> to be enqueued that may trigger audit_log_drain.

It shouldn't matter.  The act of dropping should re-schedule a drain.
I'd rather not see magic numbers (esp. if they are somewhat arbitrary).

For my test, it at least always waits until the backlog to give a
too full/busy message.  My experience has been that once congested
there's little to no recovery that will happen, so in that sense the
change borders a bit on academic.  I never tested with an audit buffer
with a long skb list.  But, given all that, I don't see the value of the
old code.  This differs from yours only in that I drop the 3, and change
to requeueing at the head.  Does it still work for you?

thanks,
-chris
--

===== kernel/audit.c 1.11 vs edited =====
--- 1.11/kernel/audit.c	2005-03-11 12:32:31 -08:00
+++ edited/kernel/audit.c	2005-04-06 15:28:52 -07:00
@@ -142,7 +142,6 @@ struct audit_buffer {
 	int		     total;
 	int		     type;
 	int		     pid;
-	int		     count; /* Times requeued */
 };
 
 void audit_set_type(struct audit_buffer *ab, int type)
@@ -522,9 +531,9 @@ static inline int audit_log_drain(struct
 			retval = netlink_unicast(audit_sock, skb, audit_pid,
 						 MSG_DONTWAIT);
 		}
-		if (retval == -EAGAIN && ab->count < 5) {
-			++ab->count;
-			skb_queue_tail(&ab->sklist, skb);
+		if (retval == -EAGAIN &&
+		    (atomic_read(&audit_backlog)) < audit_backlog_limit) {
+			skb_queue_head(&ab->sklist, skb);
 			audit_log_end_irq(ab);
 			return 1;
 		}
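Review bot: In the new -EAGAIN test the only bound on requeueing is the global audit_backlog counter, so a single buffer no longer has a retry cap of its own: as long as the backlog stays under audit_backlog_limit and netlink_unicast keeps returning -EAGAIN, this path requeues and returns 1 every time. A short comment above the condition should say that the backlog limit is the intended bound, and that skb_queue_head is used so the unsent skb goes back in front of the rest of ab->sklist (assuming it was taken from the front, which these lines do not show). The parentheses around atomic_read(&audit_backlog) are redundant and can be dropped.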
@@ -662,7 +676,6 @@ struct audit_buffer *audit_log_start(str
 	ab->total = 0;
 	ab->type  = AUDIT_KERNEL;
 	ab->pid   = 0;
-	ab->count = 0;
 
 #ifdef CONFIG_AUDITSYSCALL
 	if (ab->ctx)
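Review bot: The header of this hunk, "-662,7 +676,6", puts the new side 14 lines below the old one, and the previous hunk's "-522,9 +531,9" shows an offset of 9, yet the three hunks posted remove two lines on balance and add none. The edited file therefore carries additions that are not in this posting; please regenerate the diff against a clean 1.11 or include the missing hunks so the change can be reviewed and applied as a whole.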



