On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote:
From: Eric Paris <eparis(a)redhat.com>
Date: Fri, 07 Mar 2014 17:52:02 -0500
> Audit is non-tolerant to failure and loss.
Netlink is not a loss-less transport.
I'm happy to accept that (and know it to
be true). How can I better
architect things? It seems Eric is complaining that when we get a
request for info, we queue that info up, and then use a kthread to make
it available when the task next calls recv. By using blocking sockets
in the kthread we have no problem with the size of the socket read buf.
If we switch to non-blocking sockets how can we possibly queue up more
than rmem size of data? (honestly, if userspace used INT_MAX it is
almost certainly overkill for even the largest rulesets, but
theoretically, it's not...)
Is our design somehow wrong? Flawed? Mind you it's pretty dumb that we
do basically the same thing in 3 different audit code path, but the
architecture doesn't seem crazy to me. Then again, I'm not brilliant by
any stretch!
+------------------------------------------------------------------+
| |
| auditctl (audit tool run by root) |
| netlink send netlink receive |
+------------------------------------------------------------------+
+ ^
| |
v +
+----------------------------+ +------------------------+
| kernel audit generate skbs | | send skbs to userspace |
+----------------------------+ +------------------------+
+ ^
| +------------------------+ |
+------->| send skbs to a kthread |+-----+
+------------------------+