[PATCH][RFC] audit: set wait time to zero when audit failed
Paul Moore
paul at paul-moore.com
Thu Sep 12 13:01:51 UTC 2019
On Wed, Sep 11, 2019 at 11:19 PM Li RongQing <lirongqing at baidu.com> wrote:
>
> if audit_log_start failed because queue is full, kauditd is waiting
> the receiving queue empty, but no receiver, a task will be forced to
> wait 60 seconds for each audited syscall, and it will be hang for a
> very long time
>
> so at this condition, set the wait time to zero to reduce wait, and
> restore wait time when audit works again
>
> it partially restore the commit 3197542482df ("audit: rework
> audit_log_start()")
>
> Signed-off-by: Li RongQing <lirongqing at baidu.com>
> Signed-off-by: Liang ZhiCheng <liangzhicheng at baidu.com>
> ---
> reboot is taking a very long time on my machine(centos 6u4 +kernel 5.3)
> since TIF_SYSCALL_AUDIT is set by default, and when reboot, userspace process
> which receiver audit message , will be killed, and lead to that no user
> drain the audit queue
>
> git bitsect show it is caused by 3197542482df ("audit: rework audit_log_start()")
>
> kernel/audit.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
This is typically solved by increasing the backlog using the
"audit_backlog_limit" kernel parameter (link to the docs below). You
might also want to investigate what is generating some many audit
records prior to starting the audit daemon.
* https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
> diff --git a/kernel/audit.c b/kernel/audit.c
> index da8dc0db5bd3..6de23599fd43 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -119,6 +119,7 @@ static u32 audit_rate_limit;
> * When set to zero, this means unlimited. */
> static u32 audit_backlog_limit = 64;
> #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
> +static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
> static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
>
> /* The identity of the user shutting down the audit system. */
> @@ -435,7 +436,7 @@ static int audit_set_backlog_limit(u32 limit)
> static int audit_set_backlog_wait_time(u32 timeout)
> {
> return audit_do_config_change("audit_backlog_wait_time",
> - &audit_backlog_wait_time, timeout);
> + &audit_backlog_wait_time_master, timeout);
> }
>
> static int audit_set_enabled(u32 state)
> @@ -1202,7 +1203,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> s.lost = atomic_read(&audit_lost);
> s.backlog = skb_queue_len(&audit_queue);
> s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
> - s.backlog_wait_time = audit_backlog_wait_time;
> + s.backlog_wait_time = audit_backlog_wait_time_master;
> audit_send_reply(skb, seq, AUDIT_GET, 0, 0, &s, sizeof(s));
> break;
> }
> @@ -1785,11 +1786,15 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
> skb_queue_len(&audit_queue),
> audit_backlog_limit);
> audit_log_lost("backlog limit exceeded");
> + audit_backlog_wait_time = 0;
> return NULL;
> }
> }
> }
>
> + if (audit_backlog_wait_time != audit_backlog_wait_time_master)
> + audit_backlog_wait_time = audit_backlog_wait_time_master;
> +
> ab = audit_buffer_alloc(ctx, gfp_mask, type);
> if (!ab) {
> audit_log_lost("out of memory in audit_log_start");
> --
> 2.16.2
>
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list