On Thursday, October 22, 2015 03:51:59 PM Richard Guy Briggs wrote:
On 15/10/22, Steve Grubb wrote:
> On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote:
> > Treat systemd the same way as auditd, allowing it to overrun the queue
> > to avoid blocking.
>
> Do you mind explaining this a little more? I'm having a hard time
> understanding how systemd is involved.
systemd should only have CAP_AUDIT_READ for the multicast socket and
otherwise behaves as a user client, sending AUDIT_USER_* messages. It
starts and stops auditd and we don't want it blocking trying to allocate
a buffer on the standard queue in audit_log_start() while it is tasked
with telling auditd to start or stop.
Is this something we are hearing reports about? Starting and stopping auditd
should be rare in normal use, and by rare I mean start it at boot and don't
touch it again ... although I suspect you might update/patch it at some point
if your system is long running.
If this is a common problem we can look at doing something like this, but if
it isn't - and I don't think it is - I'd like to avoid special casing init
(it's even more specialized since we are basically talking about just systemd,
although others could have similar problems).
> -Steve
>
> > Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> > ---
> >
> > kernel/audit.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 3917aad..384a1a1 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1375,7 +1375,7 @@ struct audit_buffer *audit_log_start(struct
> > audit_context *ctx, gfp_t gfp_mask, return NULL;
> >
> > if (gfp_mask & __GFP_WAIT) {
> >
> > - if (audit_pid && audit_pid == current->tgid)
> > + if (current->tgid == 1 || (audit_pid && audit_pid == current-
tgid))
> >
> > gfp_mask &= ~__GFP_WAIT;
> >
> > else
> >
> > reserve = 0;
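Review bot: The new `current->tgid == 1` test on the `+` line matches whatever task runs as PID 1, not systemd specifically, and it applies to every record that task logs through audit_log_start() with __GFP_WAIT set, not only the ones sent while starting or stopping auditd. Because the `else` branch is the only place `reserve = 0` is set, PID 1 also keeps the reserve that was previously left to auditd alone, so a busy init can now overrun the queue on any message. The literal 1 carries no comment. Please add one above the condition saying why init is exempted, consider `is_global_init(current)` in place of the bare comparison, and say in the commit message whether the exemption is meant to cover all of init's audit traffic or should be narrowed to the start/stop case.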
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
Red Hat Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
paul moore
www.paul-moore.com