[PATCH] audit: improve robustness of the audit queue handling
Richard Guy Briggs
rgb at redhat.com
Wed Dec 15 17:53:29 UTC 2021
On 2021-12-13 13:31, Paul Moore wrote:
> If the audit daemon were ever to get stuck in a stopped state the
> kernel's kauditd_thread() could get blocked attempting to send audit
> records to the userspace audit daemon. With the kernel thread
> blocked it is possible that the audit queue could grow unbounded as
> certain audit record generating events must be exempt from the queue
> limits else the system enter a deadlock state.
>
> This patch resolves this problem by lowering the kernel thread's
> socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
> the kauditd_send_queue() function to better manage the various audit
> queues when connection problems occur between the kernel and the
> audit daemon. With this patch, the backlog may temporarily grow
> beyond the defined limits when the audit daemon is stopped and the
> system is under heavy audit pressure, but kauditd_thread() will
> continue to make progress and drain the queues as it would for other
> connection problems. For example, with the audit daemon put into a
> stopped state and the system configured to audit every syscall it
> was still possible to shutdown the system without a kernel panic,
> deadlock, etc.; granted, the system was slow to shutdown but that is
> to be expected given the extreme pressure of recording every syscall.
I assume that in the configuration state of f=2, it would still panic if
it was not able to deliver messages.
This seems like a reasonable approach, FWIW: Reviewed-by
> The timeout value of HZ/10 was chosen primarily through
> experimentation and this developer's "gut feeling". There is likely
> no one perfect value, but as this scenario is limited in scope (root
> privileges would be needed to send SIGSTOP to the audit daemon), it
> is likely not worth exposing this as a tunable at present. This can
> always be done at a later date if it proves necessary.
>
> Cc: stable at vger.kernel.org
> Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
> Reported-by: Gaosheng Cui <cuigaosheng1 at huawei.com>
> Signed-off-by: Paul Moore <paul at paul-moore.com>
> ---
> kernel/audit.c | 21 ++++++++++-----------
> 1 file changed, 10 insertions(+), 11 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 121d37e700a6..4cebadb5f30d 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -718,7 +718,7 @@ static int kauditd_send_queue(struct sock *sk, u32 portid,
> {
> int rc = 0;
> struct sk_buff *skb;
> - static unsigned int failed = 0;
> + unsigned int failed = 0;
>
> /* NOTE: kauditd_thread takes care of all our locking, we just use
> * the netlink info passed to us (e.g. sk and portid) */
> @@ -735,32 +735,30 @@ static int kauditd_send_queue(struct sock *sk, u32 portid,
> continue;
> }
>
> +retry:
> /* grab an extra skb reference in case of error */
> skb_get(skb);
> rc = netlink_unicast(sk, skb, portid, 0);
> if (rc < 0) {
> - /* fatal failure for our queue flush attempt? */
> + /* send failed - try a few times unless fatal error */
> if (++failed >= retry_limit ||
> rc == -ECONNREFUSED || rc == -EPERM) {
> - /* yes - error processing for the queue */
> sk = NULL;
> if (err_hook)
> (*err_hook)(skb);
> - if (!skb_hook)
> - goto out;
> - /* keep processing with the skb_hook */
> + if (rc == -EAGAIN)
> + rc = 0;
> + /* continue to drain the queue */
> continue;
> } else
> - /* no - requeue to preserve ordering */
> - skb_queue_head(queue, skb);
> + goto retry;
> } else {
> - /* it worked - drop the extra reference and continue */
> + /* skb sent - drop the extra reference and continue */
> consume_skb(skb);
> failed = 0;
> }
> }
>
> -out:
> return (rc >= 0 ? 0 : rc);
> }
>
> @@ -1609,7 +1607,8 @@ static int __net_init audit_net_init(struct net *net)
> audit_panic("cannot initialize netlink socket in namespace");
> return -ENOMEM;
> }
> - aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
> + /* limit the timeout in case auditd is blocked/stopped */
> + aunet->sk->sk_sndtimeo = HZ / 10;
>
> return 0;
> }
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
>
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list