[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]


Hi, guys!

I have a question regarding the use of check_ack() in audit_send().

Every message sent from auditd to the kernel through audit_send() is
flagged with NLM_F_ACK. That flag tells the kernel to reply with an
ACK, which will then be expected to be read by check_ack(), right
after audit_send's call to sendto().

check_ack() just attempts to read nonblocking and, if it succeeds
doing so, it's guaranteed that the kernel received our message.

However, since netlink is a connectionless socket, once cannot infer
that the lack of an ACK means that the kernel didn't receive that
message. Similarly, in a very stressed system, one can just get
-ENOBUFS when attempting to get a reply, even though sendto()
succeeded sending the original message.

So, at least in a scenario where Audit is a key component and
performance matters, wouldn't it make sense to just remove NLM_F_ACK
from outgoing messages and just let audit_send() use the return value
from sendto() to tell if the message has been sent instead?

I'm planning to test this change in a pretty I/O intensive server over
the next week, but I'd really like to hear your comments on this
before I proceed.

Thank you very much!

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]