Re: [RFC][PATCH] audit: Simplify by assuming the callers socket buffer is large enough
From: Eric Paris
Date: Fri Mar 07 2014 - 22:57:07 EST
On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote:
> From: Eric Paris <eparis@xxxxxxxxxx>
> Date: Fri, 07 Mar 2014 17:52:02 -0500
>
> > Audit is non-tolerant to failure and loss.
>
> Netlink is not a loss-less transport.
I'm happy to accept that (and know it to be true). How can I better
architect things? It seems Eric is complaining that when we get a
request for info, we queue that info up, and then use a kthread to make
it available when the task next calls recv. By using blocking sockets
in the kthread we have no problem with the size of the socket read buf.
If we switch to non-blocking sockets how can we possibly queue up more
than rmem size of data? (honestly, if userspace used INT_MAX it is
almost certainly overkill for even the largest rulesets, but
theoretically, it's not...)
Is our design somehow wrong? Flawed? Mind you it's pretty dumb that we
do basically the same thing in 3 different audit code path, but the
architecture doesn't seem crazy to me. Then again, I'm not brilliant by
any stretch!
+------------------------------------------------------------------+
| |
| auditctl (audit tool run by root) |
| netlink send netlink receive |
+------------------------------------------------------------------+
+ ^
| |
v +
+----------------------------+ +------------------------+
| kernel audit generate skbs | | send skbs to userspace |
+----------------------------+ +------------------------+
+ ^
| +------------------------+ |
+------->| send skbs to a kthread |+-----+
+------------------------+
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/