[PATCH -next 0/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0

luhuaxin posted 1 patch 4 years, 6 months ago
kernel/audit.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
[PATCH -next 0/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0
Posted by luhuaxin 4 years, 6 months ago
The audit backlog overflow is an actual problem in our system. We set
the backlog_wait_time to 0 for improving OS performance. Therefore,
under the impact of a large number of audit logs produced by sudo, the
backlog in buffer will greatly exceed backlog_limit.

When the backlog exceed the backlog_limit and backlog_wait_time is set
to 0, the process will only sleep for a very short time (jiffies). The
backlog may still exceed backlog_limit in extreme cases.

The more reasonable way to fix this problem is:

1. If backlog_wait_time is set to zero, ignore the log;
2. If backlog_wait_time is set to non-zero, let process sleep for
backlog_wait_time.

The above log limit logic is also the same as that in the existing
audit_log_start function.

This may not be a perfect solution, a further discussion maybe
necessary.

luhuaxin (1):
  audit: ignore userspace log when backlog limit exceeded and
    backlog_wait_time is 0

 kernel/audit.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

-- 
2.23.0