[PATCH 1/2] audit: don't lose set wait time on first successful call to audit_log_start()

Paul Moore pmoore at redhat.com
Thu Jan 29 23:11:26 UTC 2015


On Tuesday, January 27, 2015 07:34:01 PM Richard Guy Briggs wrote:
> Copy the set wait time to a working value to avoid losing the set value if
> the queue overflows.
> 
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
>  kernel/audit.c |    7 ++++---
>  1 files changed, 4 insertions(+), 3 deletions(-)

Just so I'm understanding this patch correctly, you create the new 
audit_backlog_wait_time_master because the existing audit_backlog_wait_time 
can be overwritten by the code in audit_log_start() when the audit record 
backlog overflows (it is set to audit_backlog_wait_overflow), yes?

Further, if the queue overflows the audit_backlog_wait_time will remain set to 
audit_backlog_wait_overflow until the queue is drained, yes?  Is that what we 
want?

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 53bb39b..b333f03 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -107,6 +107,7 @@ static u32	audit_rate_limit;
>   * When set to zero, this means unlimited. */
>  static u32	audit_backlog_limit = 64;
>  #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
> +static u32	audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
>  static u32	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
>  static u32	audit_backlog_wait_overflow = 0;
> 
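Review bot: the new audit_backlog_wait_time_master declaration sits directly above audit_backlog_wait_time with no comment telling the two apart. A short comment stating that the _master variable holds the configured value, and that audit_backlog_wait_time is the working copy audit_log_start() may overwrite, would make it clear which one later code should read or write.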
> @@ -338,7 +339,7 @@ static int audit_set_backlog_limit(u32 limit)
>  static int audit_set_backlog_wait_time(u32 timeout)
>  {
>  	return audit_do_config_change("audit_backlog_wait_time",
> -				      &audit_backlog_wait_time, timeout);
> +				      &audit_backlog_wait_time_master, timeout);
>  }
> 
>  static int audit_set_enabled(u32 state)
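Review bot: in audit_set_backlog_wait_time() the new timeout now lands only in audit_backlog_wait_time_master, and nothing in this hunk updates the working audit_backlog_wait_time. Going by the last hunk, the new value is picked up only when audit_log_start() reaches its `audit_backlog_wait_time = audit_backlog_wait_time_master;` assignment. If that delay is intended, say so in a comment on this function; if not, the working value needs updating here as well.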
> @@ -843,7 +844,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct
> nlmsghdr *nlh) s.lost			= atomic_read(&audit_lost);
>  		s.backlog		= skb_queue_len(&audit_skb_queue);
>  		s.version		= AUDIT_VERSION_LATEST;
> -		s.backlog_wait_time	= audit_backlog_wait_time;
> +		s.backlog_wait_time	= audit_backlog_wait_time_master;
>  		audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
>  		break;
>  	}
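Review bot: at `s.backlog_wait_time = audit_backlog_wait_time_master;` the AUDIT_GET reply now carries the configured value rather than the working one, so userspace cannot tell from this field whether the working value is currently audit_backlog_wait_overflow. Reporting the configured value looks consistent with the setter change, but a one-line comment saying the field is the configured setting would keep someone from switching it back to the working variable later.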
> @@ -1394,7 +1395,7 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, return NULL;
>  	}
> 
> -	audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
> +	audit_backlog_wait_time = audit_backlog_wait_time_master;
> 
>  	ab = audit_buffer_alloc(ctx, gfp_mask, type);
>  	if (!ab) {
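Review bot: the restore at `audit_backlog_wait_time = audit_backlog_wait_time_master;` is reached only by a call that gets past the `return NULL` path above it, so after an overflow the working value stays at audit_backlog_wait_overflow until such a call succeeds. A comment on this line stating that it is the intended recovery point, and why recovery is tied to a successful call, would document the behaviour. The assignment is also a plain store with no locking visible in this hunk, so it is worth stating in the commit message whether concurrent callers of audit_log_start() are expected to race on it.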

-- 
paul moore
security @ redhat



