[PATCH -next 0/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0

From: luhuaxin
Date: Tue Dec 28 2021 - 01:50:29 EST

Next message: luhuaxin: "[PATCH -next 1/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0"
Previous message: guoren: "[PATCH V3 8/8] sched: mips: Remove unused TASK_SIZE_OF"
Next in thread: luhuaxin: "[PATCH -next 1/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The audit backlog overflow is an actual problem in our system. We set
the backlog_wait_time to 0 for improving OS performance. Therefore,
under the impact of a large number of audit logs produced by sudo, the
backlog in buffer will greatly exceed backlog_limit.

When the backlog exceed the backlog_limit and backlog_wait_time is set
to 0, the process will only sleep for a very short time (jiffies). The
backlog may still exceed backlog_limit in extreme cases.

The more reasonable way to fix this problem is:

1. If backlog_wait_time is set to zero, ignore the log;
2. If backlog_wait_time is set to non-zero, let process sleep for
backlog_wait_time.

The above log limit logic is also the same as that in the existing
audit_log_start function.

This may not be a perfect solution, a further discussion maybe
necessary.

luhuaxin (1):
audit: ignore userspace log when backlog limit exceeded and
backlog_wait_time is 0

kernel/audit.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

--
2.23.0

Next message: luhuaxin: "[PATCH -next 1/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0"
Previous message: guoren: "[PATCH V3 8/8] sched: mips: Remove unused TASK_SIZE_OF"
Next in thread: luhuaxin: "[PATCH -next 1/1] audit: ignore userspace log when backlog limit exceeded and backlog_wait_time is 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]