[RFC PATCH 3/7] audit: allow systemd to use queue reserves

[Richard Guy Briggs]

On 15/10/22, Steve Grubb wrote:
> On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote:
> > Treat systemd the same way as auditd, allowing it to overrun the queue to
> > avoid blocking.
> 
> Do you mind explaining this a little more? I'm having a hard time 
> understanding how systemd is involved.

systemd should only have CAP_AUDIT_READ for the multicast socket and
otherwise behaves as a user client, sending AUDIT_USER_* messages.  It
starts and stops auditd and we don't want it blocking trying to allocate
a buffer on the standard queue in audit_log_start() while it is tasked
with telling auditd to start or stop.

> -Steve
> 
> > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > ---
> >  kernel/audit.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3917aad..384a1a1 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1375,7 +1375,7 @@ struct audit_buffer *audit_log_start(struct
> > audit_context *ctx, gfp_t gfp_mask, return NULL;
> > 
> >  	if (gfp_mask & __GFP_WAIT) {
> > -		if (audit_pid && audit_pid == current->tgid)
> > +		if (current->tgid == 1 || (audit_pid && audit_pid == current->tgid))
> >  			gfp_mask &= ~__GFP_WAIT;
> >  		else
> >  			reserve = 0;

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545