Re: Can AUDIT_LIST_RULES causes kthreadd-spam?
On 2023/05/05 3:40, Paul Moore wrote:
On Wed, May 3, 2023 at 10:50 PM Tetsuo Handa
<penguin-kernel(a)i-love.sakura.ne.jp> wrote:
> On 2023/05/04 7:12, Rinat Gadelshin wrote:
>> On 04.05.2023 00:27, Paul Moore wrote:
>>> Can you be more specific about the kernel threads you are seeing, are
>>> you seeing multiple "kauditd" threads?
>>>
>>> % ps -fC kauditd
>>> UID PID PPID C STIME TTY TIME CMD
>>> root 89 2 0 Apr28 ? 00:00:00 [kauditd]
>
> I don't think so.
>
> kernel audit subsystem uses kthread_run() in order to run short-lived kernel
threads.
Thanks Tetsuo, I agree that's far more likely. Ever since I took over
shepherding the audit code, all of the thread issues have been around
the main audit queue thread so it's a bit reflexive to assume that is
the case :)
Since kthread_run(audit_send_list_thread) is called by
audit_receive_msg(AUDIT_LIST_RULES)
via audit_list_rules_send(), trying to audit fork request via AUDIT_LIST_RULES will cause
spams. Maybe something is going wrong with "And such events occurred 1208 times when
AUDIT_LIST_RULES is sending." part; let's wait for what printk() says.
By the way, why do we need to use kthread_run() for short-lived tasks? Can't we use
a dedicated workqueue which would significantly reduce frequency of fork request for
AUDIT_LIST_RULES request?