Hello,
On Wednesday, August 14, 2024 2:28:17 PM EDT nupurdeora(a)gmail.com wrote:
I used your plugin code sample
(https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c)
to handle audit messages when I write some audit rules. It works perfectly
fine with some minor tweaks.
Now I want to extend the same plugin to filter AVC and USER_AVC messages
and send them to our system log. But while developing SELinux policy there are
too many of these, and hence the plugin is unable to handle it and the system
hangs. Is there a way to increase the capacity of the plugin to handle so many
AVC denials? Eventually, when the SELinux policy is matured, I expect to
see a lot fewer of these denials.
For anything dealing with a high volume of events, I would make it
multi-threaded. The main thread waits at select/epoll for inbound events and
places them in a fifo between the two threads. The other thread does the call
to auparse_feed().
When events trigger the callback, the callback runs synchronously under the
auparse_feed function call. Since this is what takes longer, it needs to be
its own thread. This way the main thread keeps auditd moving which in turn
keeps the kernel moving.
-Steve
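The two-thread layout described in the reply above, as an added example that is not code from the list post or from the audit-userspace project: the main thread blocks in select() on the plugin's input descriptor and copies each chunk it reads into a bounded FIFO; a second thread pops chunks and does the slow work. Because the auparse library is not linked here, the consumer counts AVC and USER_AVC records in each chunk (the hypothetical `count_avc_records`) where a real plugin would call `auparse_feed(au, data, len)`; the FIFO, the thread handoff and the EOF shutdown are the point. `SAMPLE_EVENTS` is a constructed fragment in audit-record syntax, and `feed_text_through_pipeline` pushes it through a pipe so the pipeline can be exercised without auditd.

```c
/* Added example: main thread reads from a descriptor, consumer thread
 * processes chunks from a bounded FIFO. Not audit-userspace code. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/select.h>

#define QUEUE_SLOTS 1024     /* bound the backlog so the reader applies back-pressure */
#define CHUNK_MAX   4096

struct chunk { char *data; size_t len; };

struct fifo {
    struct chunk slots[QUEUE_SLOTS];
    size_t head, tail, count;
    int closed;                       /* set by the reader at EOF */
    pthread_mutex_t mu;
    pthread_cond_t not_empty, not_full;
};

void fifo_init(struct fifo *q) {
    memset(q, 0, sizeof *q);
    pthread_mutex_init(&q->mu, NULL);
    pthread_cond_init(&q->not_empty, NULL);
    pthread_cond_init(&q->not_full, NULL);
}

/* Copy a chunk into the queue; blocks while the queue is full. */
int fifo_push(struct fifo *q, const char *data, size_t len) {
    char *copy = malloc(len);
    if (!copy) return -1;
    memcpy(copy, data, len);
    pthread_mutex_lock(&q->mu);
    while (q->count == QUEUE_SLOTS && !q->closed)
        pthread_cond_wait(&q->not_full, &q->mu);
    if (q->closed) { pthread_mutex_unlock(&q->mu); free(copy); return -1; }
    q->slots[q->tail] = (struct chunk){ copy, len };
    q->tail = (q->tail + 1) % QUEUE_SLOTS;
    q->count++;
    pthread_cond_signal(&q->not_empty);
    pthread_mutex_unlock(&q->mu);
    return 0;
}

/* Returns 1 with a chunk, or 0 once the queue is closed and drained. */
int fifo_pop(struct fifo *q, struct chunk *out) {
    pthread_mutex_lock(&q->mu);
    while (q->count == 0 && !q->closed)
        pthread_cond_wait(&q->not_empty, &q->mu);
    if (q->count == 0) { pthread_mutex_unlock(&q->mu); return 0; }
    *out = q->slots[q->head];
    q->head = (q->head + 1) % QUEUE_SLOTS;
    q->count--;
    pthread_cond_signal(&q->not_full);
    pthread_mutex_unlock(&q->mu);
    return 1;
}

void fifo_close(struct fifo *q) {
    pthread_mutex_lock(&q->mu);
    q->closed = 1;
    pthread_cond_broadcast(&q->not_empty);
    pthread_cond_broadcast(&q->not_full);
    pthread_mutex_unlock(&q->mu);
}

static long count_occurrences(const char *hay, size_t len, const char *needle) {
    size_t n = strlen(needle);
    long c = 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(hay + i, needle, n) == 0) c++;
    return c;
}

/* Hypothetical stand-in for auparse_feed(): counts AVC/USER_AVC record headers
 * in one chunk. Unlike auparse, it does not reassemble records split across
 * chunk boundaries, so it is only a placeholder for the slow path. */
long count_avc_records(const char *data, size_t len) {
    return count_occurrences(data, len, "type=AVC msg=")
         + count_occurrences(data, len, "type=USER_AVC msg=");
}

struct consumer_args { struct fifo *q; long avc_count; };

/* Consumer thread: this is where auparse_feed() and the callback would run. */
static void *consumer_main(void *arg) {
    struct consumer_args *c = arg;
    struct chunk ch;
    while (fifo_pop(c->q, &ch)) {
        c->avc_count += count_avc_records(ch.data, ch.len);
        free(ch.data);
    }
    return NULL;
}

/* Reader (main) thread: select() on fd, push raw chunks, never parse here. */
long run_pipeline_on_fd(int fd) {
    struct fifo q;
    fifo_init(&q);
    struct consumer_args c = { &q, 0 };
    pthread_t tid;
    if (pthread_create(&tid, NULL, consumer_main, &c) != 0) return -1;
    char buf[CHUNK_MAX];
    for (;;) {
        fd_set rfds;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        if (select(fd + 1, &rfds, NULL, NULL, NULL) < 0) break;
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;                 /* EOF: auditd closed our stdin, or error */
        if (fifo_push(&q, buf, (size_t)n) < 0) break;
    }
    fifo_close(&q);                        /* let the consumer drain and exit */
    pthread_join(tid, NULL);
    return c.avc_count;
}

/* Constructed sample in audit-record syntax: two AVC, one USER_AVC, one SYSCALL. */
static const char SAMPLE_EVENTS[] =
    "type=AVC msg=audit(1723660000.100:201): avc:  denied  { read } for  pid=1234 comm=\"example\"\n"
    "type=SYSCALL msg=audit(1723660000.100:201): arch=c000003e syscall=257 success=no\n"
    "type=USER_AVC msg=audit(1723660000.200:202): pid=1 uid=0 msg='avc:  denied  { send_msg }'\n"
    "type=AVC msg=audit(1723660000.300:203): avc:  denied  { write } for  pid=1234 comm=\"example\"\n";

/* Test helper: run the whole pipeline over text delivered through a pipe. */
long feed_text_through_pipeline(const char *text) {
    int fds[2];
    if (pipe(fds) < 0) return -1;
    size_t len = strlen(text);
    if (write(fds[1], text, len) != (ssize_t)len) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    long r = run_pipeline_on_fd(fds[0]);
    close(fds[0]);
    return r;
}

int main(void) {
    long n = run_pipeline_on_fd(STDIN_FILENO);   /* audisp plugins read events on stdin */
    printf("AVC/USER_AVC records seen: %ld\n", n);
    return n < 0;
}
```

The bounded queue is deliberate: when the consumer falls behind, `fifo_push` blocks the reader rather than growing memory without limit, and that back-pressure is what eventually stalls auditd. Sizing `QUEUE_SLOTS` against the expected AVC burst during policy development is the knob the question asks about; the thread split keeps the reader cheap so that only the parse path, not the pipe from auditd, absorbs the delay.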