[PATCH 2/2] audit: don't reset working wait time accidentally with auditd
Paul Moore
pmoore at redhat.com
Thu Jan 29 23:16:08 UTC 2015
On Tuesday, January 27, 2015 07:34:02 PM Richard Guy Briggs wrote:
> During a queue overflow condition while we are waiting for auditd to drain
> the queue to make room for regular messages, we don't want a successful
> auditd that has bypassed the queue check to reset the backlog wait time.
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> kernel/audit.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
I'm still wondering why we ever change audit_backlog_wait_time, it is only so
we don't end up calling wait_for_auditd() multiple times while we are waiting
for the queue to drain?
As a general comment, not directed at anyone in particular, the audit
backlog/queue handling looks a little odd ...
> diff --git a/kernel/audit.c b/kernel/audit.c
> index b333f03..73293ea 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1395,7 +1395,8 @@ struct audit_buffer *audit_log_start(struct
> audit_context *ctx, gfp_t gfp_mask, return NULL;
> }
>
> - audit_backlog_wait_time = audit_backlog_wait_time_master;
> + if (!reserve)
> + audit_backlog_wait_time = audit_backlog_wait_time_master;
>
> ab = audit_buffer_alloc(ctx, gfp_mask, type);
> if (!ab) {
--
paul moore
security @ redhat
More information about the Linux-audit
mailing list