check_ack()

Lucas C. Villa Real lucasvr at gobolinux.org
Fri Nov 21 06:30:53 UTC 2008


Hi, guys!

I have a question regarding the use of check_ack() in audit_send().

Every message sent from auditd to the kernel through audit_send() is
flagged with NLM_F_ACK. That flag tells the kernel to reply with an
ACK, which will then be expected to be read by check_ack(), right
after audit_send's call to sendto().

check_ack() just attempts to read nonblocking and, if it succeeds
doing so, it's guaranteed that the kernel received our message.

However, since netlink is a connectionless socket, one cannot infer
that the lack of an ACK means that the kernel didn't receive that
message. Similarly, in a very stressed system, one can just get
-ENOBUFS when attempting to get a reply, even though sendto()
succeeded sending the original message.

So, at least in a scenario where Audit is a key component and
performance matters, wouldn't it make sense to just remove NLM_F_ACK
from outgoing messages and just let audit_send() use the return value
from sendto() to tell if the message has been sent instead?

I'm planning to test this change in a pretty I/O intensive server over
the next week, but I'd really like to hear your comments on this
before I proceed.

Thank you very much!
Lucas
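An added example, not code from this post, libaudit or the kernel, showing the layout of the NLMSG_ERROR reply the kernel returns for NLM_F_ACK and how a non-blocking check_ack-style read should be interpreted: only an NLMSG_ERROR carrying our sequence number proves anything, while EAGAIN and ENOBUFS leave delivery status unknown. The function names and the constructed reply buffer are assumptions.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <linux/netlink.h>
/* What one non-blocking read of the NLM_F_ACK reply tells us.  Only ACK_OK
 * and ACK_NACK say anything about our message; the rest leave it unknown. */
enum ack_state { ACK_OK, ACK_NACK, ACK_PENDING, ACK_OVERFLOW, ACK_BAD };
/* Lay out the NLMSG_ERROR datagram the kernel answers NLM_F_ACK with
 * (constructed here so the parser below can be exercised offline). */
size_t build_ack(void *buf, unsigned int seq, int error)
{
    struct nlmsghdr *nlh = buf;
    struct nlmsgerr *e = NLMSG_DATA(nlh);
    memset(nlh, 0, NLMSG_SPACE(sizeof(*e)));
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*e));
    nlh->nlmsg_type = NLMSG_ERROR;
    nlh->nlmsg_seq = seq;
    e->error = error;          /* 0 = ACK, -errno = kernel rejected it */
    e->msg.nlmsg_seq = seq;    /* copy of the request header being acked */
    return nlh->nlmsg_len;
}
/* Classify the result of recv(fd, buf, n, MSG_DONTWAIT): rc/err are its
 * return value and errno, seq is what we sent, *kerr gets the NACK errno. */
enum ack_state classify_ack(void *buf, ssize_t rc, int err,
                            unsigned int seq, int *kerr)
{
    struct nlmsghdr *nlh = buf;
    const struct nlmsgerr *e;
    int len;
    *kerr = 0;
    if (rc < 0) {
        if (err == EAGAIN || err == EWOULDBLOCK)
            return ACK_PENDING;  /* nothing queued yet; not proof of loss */
        if (err == ENOBUFS)
            return ACK_OVERFLOW; /* rx queue overflowed, ack may be gone */
        return ACK_BAD;
    }
    for (len = (int)rc; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type != NLMSG_ERROR ||
            nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*e)))
            continue;
        e = NLMSG_DATA(nlh);
        if (e->msg.nlmsg_seq != seq)
            continue;            /* ack for a different request */
        *kerr = -e->error;
        return e->error == 0 ? ACK_OK : ACK_NACK;
    }
    return ACK_PENDING;          /* no ack for this seq in the datagram */
}
```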

