Re: [RFC][PATCH] audit: Simplify by assuming the callers socket buffer is large enough

On Tuesday, March 04, 2014 07:21:52 PM David Miller wrote: I am not sure what exactly is the problem with the code that was being patched. The audit code has been stable and working pretty well for everyone for the last 5-6 years. But lately there has been a lot of kernel code churn and I am concerned that the changes are being made without a complete understanding of the design goals. The audit system has to be very reliable. It can't lose any event or record. The people that really depend on it would rather have access denied to the system than lose any event. This is the reason it goes to such lengths. If I understand the patch, it looks like its affecting code that adds, deletes, or lists audit rules. This code is quite old and working well. It didn't at first. We found a lot of problems by writing scripts like: #!/bin/bash while [ 1 ] ; do echo "Inserting syscalls..." sys=1 while [ $sys -lt 100 ] do sys=`expr $sys + 1` echo "$sys" auditctl -a entry,always -S $sys done echo "Listing..." auditctl -l echo "Deleting..." auditctl -D done with another shell running: #!/bin/bash while [ 1 ] ; do echo "Listing..." auditctl -l done and another shell running: #!/bin/bash while [ 1 ] ; do echo "Disabling..." auditctl -e 0 echo "Enabling..." auditctl -e 1 done You can probably imagine more stress tests. But the proposed code should be well tested similar to this. Thanks, -Steve