[PATCH 1/2] audit: don't lose set wait time on first successful call to audit_log_start()
Paul Moore
pmoore at redhat.com
Thu Jan 29 23:11:26 UTC 2015
On Tuesday, January 27, 2015 07:34:01 PM Richard Guy Briggs wrote:
> Copy the set wait time to a working value to avoid losing the set value if
> the queue overflows.
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> kernel/audit.c | 7 ++++---
> 1 files changed, 4 insertions(+), 3 deletions(-)
Just so I'm understanding this patch correctly, you create the new
audit_backlog_wait_time_master because the existing audit_backlog_wait_time
can be overwritten by the code in audit_log_start() when the audit record
backlog overflows (it is set to audit_backlog_wait_overflow), yes?
Further, if the queue overflows the audit_backlog_wait_time will remain set to
audit_backlog_wait_overflow until the queue is drained, yes? Is that what we
want?
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 53bb39b..b333f03 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -107,6 +107,7 @@ static u32 audit_rate_limit;
> * When set to zero, this means unlimited. */
> static u32 audit_backlog_limit = 64;
> #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
> +static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
> static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
> static u32 audit_backlog_wait_overflow = 0;
>
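Review bot: the added audit_backlog_wait_time_master declaration carries no comment, and it sits directly above audit_backlog_wait_time with the same initializer, so the source does not say which variable holds the configured setting and which is the working value that can be replaced by audit_backlog_wait_overflow. A one-line comment on each declaration stating its role would make the split clear to the next reader.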
> @@ -338,7 +339,7 @@ static int audit_set_backlog_limit(u32 limit)
> static int audit_set_backlog_wait_time(u32 timeout)
> {
> return audit_do_config_change("audit_backlog_wait_time",
> - &audit_backlog_wait_time, timeout);
> + &audit_backlog_wait_time_master, timeout);
> }
>
> static int audit_set_enabled(u32 state)
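Review bot: in audit_set_backlog_wait_time(), the timeout is now written only to audit_backlog_wait_time_master, so as far as these hunks show a newly configured value does not reach the working audit_backlog_wait_time until the assignment in audit_log_start() in the last hunk runs. If that delay is intended, the commit message should say so; if not, consider also updating the working value here.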
> @@ -843,7 +844,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct
> nlmsghdr *nlh) s.lost = atomic_read(&audit_lost);
> s.backlog = skb_queue_len(&audit_skb_queue);
> s.version = AUDIT_VERSION_LATEST;
> - s.backlog_wait_time = audit_backlog_wait_time;
> + s.backlog_wait_time = audit_backlog_wait_time_master;
> audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
> break;
> }
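Review bot: with s.backlog_wait_time = audit_backlog_wait_time_master, the AUDIT_GET reply reports the configured timeout and no longer shows whether the working value is currently something else. That is consistent with what the set path now writes, but it is a change in what the status field means and deserves a sentence in the commit message.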
> @@ -1394,7 +1395,7 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, return NULL;
> }
>
> - audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
> + audit_backlog_wait_time = audit_backlog_wait_time_master;
>
> ab = audit_buffer_alloc(ctx, gfp_mask, type);
> if (!ab) {
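Review bot: the new assignment audit_backlog_wait_time = audit_backlog_wait_time_master in audit_log_start() is a plain store to a file-scope static, placed after the early return NULL path, with no comment explaining why the working value is reset at this point. A short comment saying that this restores the configured timeout once a record can be started again, and what protects the variable if audit_log_start() runs concurrently, would make the intent checkable.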
--
paul moore
security @ redhat