On Wednesday 29 June 2005 19:11, David Woodhouse wrote:
> As discussed, the system isn't hung; it's just going slowly because
> every auditable action is waiting 1 minute for space on the backlog
> queue. In fact from Steve's reports it looks like auditd itself is
> getting audited again -- I'm not sure how. I wasn't able to reproduce it
> using Steve's method; I'll try yours first thing in the morning.
Just a guess. It's using ctx->pid. Maybe tsk->pid is better? I would suggest 2
changes, though. The first is to plug the hole so that auditd doesn't get
audited. The other step is to inspect the pid when adding to the backlog wait
queue to make sure auditd doesn't get added to it. This way if there is
another sneak path, auditd won't get added to the wait queue.
> But for the purposes of our own testing, we generally shouldn't be getting
> into a situation where audit_panic() is called in the first place.
Well, they should check that panic really does work. I know that I don't run
my system like that. :)
Also, the backlog limit of 256 is low. This is the default set for people who
are not doing auditing. You should bump it up higher to maybe 1024 or 4096.
The default config is for people collecting the occasional avc denial
message.
-Steve
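The failure mode and the second change Steve proposes, as an added model in plain C (not kernel code, and not from anyone in this thread): a backlog with the 256 default, producers that wait when it is full, and a pid check that keeps auditd off its own wait queue. The pids, the `audit_log`/`audit_drain`/`simulate` functions and the struct are all constructed for the example.

```c
#include <stdbool.h>
/* Constructed model of the audit backlog discussed above (example code, not
 * the kernel's audit.c). The limit mirrors the 256 default Steve calls low. */
#define AUDIT_BACKLOG_LIMIT 256

struct audit_state {
    int  audit_pid;       /* pid registered by auditd */
    int  backlog;         /* records queued, not yet read by auditd */
    bool auditd_waiting;  /* auditd itself landed on the backlog wait queue */
};

enum audit_result { AUDIT_QUEUED, AUDIT_WAITING, AUDIT_SKIPPED };
/* Task `pid` produces an auditable record. `check_pid` is Steve's second
 * change: inspect the pid before adding the task to the wait queue so the
 * daemon that drains the queue can never be parked on it. */
enum audit_result audit_log(struct audit_state *s, int pid, bool check_pid)
{
    if (s->backlog < AUDIT_BACKLOG_LIMIT) {
        s->backlog++;
        return AUDIT_QUEUED;
    }
    if (check_pid && pid == s->audit_pid)
        return AUDIT_SKIPPED;         /* drop rather than block the consumer */
    if (pid == s->audit_pid)
        s->auditd_waiting = true;     /* sneak path: the only consumer sleeps */
    return AUDIT_WAITING;             /* everyone else waits for space */
}

/* auditd reads up to `n` records; it cannot run while it is itself waiting. */
int audit_drain(struct audit_state *s, int n)
{
    if (s->auditd_waiting)
        return 0;
    int drained = n < s->backlog ? n : s->backlog;
    s->backlog -= drained;
    return drained;
}

/* Fill the backlog from ordinary tasks, let auditd's own action get audited
 * once (the hole David describes), then see whether auditd can still drain.
 * Returns the number of records drained: 0 means the system has stalled. */
int simulate(bool check_pid)
{
    struct audit_state s = { .audit_pid = 1000, .backlog = 0, .auditd_waiting = false };
    for (int pid = 2000; pid < 2000 + AUDIT_BACKLOG_LIMIT; pid++)
        audit_log(&s, pid, check_pid);
    audit_log(&s, s.audit_pid, check_pid);
    return audit_drain(&s, AUDIT_BACKLOG_LIMIT);  /* 0 without check, 256 with */
}
```

Without the pid check the one task that can drain the queue is the one left sleeping on it, which is the slow-but-not-hung behaviour David describes; with it, auditd's own record is dropped and the backlog drains.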