Re: Can AUDIT_LIST_RULES causes kthreadd-spam?

On Wed, May 3, 2023 at 5:14 PM Rinat Gadelshin <rgadelsh(a)gmail.com&gt; wrote: > Hello there =) > > My name is Rinat. > I'm a newbie here (at Linux kernel developer community). > > My current job is to work with audit subsystem on different > versions of Linux (and different kernel versions from 3.10 to the latest) > with and without auditd. > > My program works behalf of root account and uses netlink > (unicast or multicast depends of the kernel's version) > to communicate with audit subsystem of the kernel. > > If actual audit rule list has been changed > then my program should restore the configured audit rule list. > > To do it the program periodically (with 60 seconds interval) > requests the actual rule list be sending AUDIT_LIST_RULES. > > All rules are receiving perfectly. > > But I've noticed that there are many (2K+ for 5 minutes test) > kthreadd process have been spawned after that request > (I've stubbed the poll code and compare logs). Hi Rinat, First, a quick note that audit discussions involving the upstream Linux Kernel have moved to the audit(a)vger.kernel.org list (CC'd), please direct future emails there. Can you be more specific about the kernel threads you are seeing, are you seeing multiple "kauditd" threads? % ps -fC kauditd UID PID PPID C STIME TTY TIME CMD root 89 2 0 Apr28 ? 00:00:00 [kauditd] > Please, can you point me, what can I do to avoid this kthreadd-spam. > > Thank you. > > Best regards > Rinath