audit: add audit_backlog_wait_time configuration option
authorRichard Guy Briggs <rgb@redhat.com>
Wed, 18 Sep 2013 15:55:12 +0000 (11:55 -0400)
committerEric Paris <eparis@redhat.com>
Tue, 14 Jan 2014 03:28:45 +0000 (22:28 -0500)
readahead-collector abuses the audit logging facility to discover which files
are accessed at boot time to make a pre-load list.

Add a tuning option to audit_backlog_wait_time so that if auditd can't keep up,
or gets blocked, the callers won't be blocked.

Bump audit_status API version to "2".

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
include/uapi/linux/audit.h
kernel/audit.c

index 4fdedd4..14afb0d 100644 (file)
@@ -319,6 +319,7 @@ enum {
 #define AUDIT_STATUS_PID               0x0004
 #define AUDIT_STATUS_RATE_LIMIT                0x0008
 #define AUDIT_STATUS_BACKLOG_LIMIT     0x0010
+#define AUDIT_STATUS_BACKLOG_WAIT_TIME 0x0020
                                /* Failure-to-log actions */
 #define AUDIT_FAIL_SILENT      0
 #define AUDIT_FAIL_PRINTK      1
@@ -377,6 +378,7 @@ struct audit_status {
        __u32           lost;           /* messages lost */
        __u32           backlog;        /* messages waiting in queue */
        __u32           version;        /* audit api version number */
+       __u32           backlog_wait_time;/* message queue wait timeout */
 };
 
 struct audit_features {
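Review bot: The comment on the new `backlog_wait_time` field gives neither the unit nor the accepted range, and userspace needs both because this struct is UAPI. The AUDIT_SET handler later in this commit rejects values above `10*AUDIT_BACKLOG_WAIT_TIME`; that macro is defined outside the diff, so the unit is presumably whatever it is expressed in. I would write `/* message queue wait timeout, in <unit>; 0..10*AUDIT_BACKLOG_WAIT_TIME */` with the unit filled in. Appending the field also grows the struct, so messages from version-1 userspace will be shorter than `sizeof(struct audit_status)`.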
index 80b7de0..37ba599 100644 (file)
@@ -334,6 +334,12 @@ static int audit_set_backlog_limit(int limit)
        return audit_do_config_change("audit_backlog_limit", &audit_backlog_limit, limit);
 }
 
+static int audit_set_backlog_wait_time(int timeout)
+{
+       return audit_do_config_change("audit_backlog_wait_time",
+                                     &audit_backlog_wait_time, timeout);
+}
+
 static int audit_set_enabled(int state)
 {
        int rc;
@@ -778,7 +784,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                s.backlog_limit         = audit_backlog_limit;
                s.lost                  = atomic_read(&audit_lost);
                s.backlog               = skb_queue_len(&audit_skb_queue);
-               s.version               = 1;
+               s.version               = 2;
+               s.backlog_wait_time     = audit_backlog_wait_time;
                audit_send_reply(NETLINK_CB(skb).portid, seq, AUDIT_GET, 0, 0,
                                 &s, sizeof(s));
                break;
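Review bot: The API version is a bare `2` here and again as the `case 2:` label in the AUDIT_SET hunk, so the two can drift apart on the next bump. A single constant in the UAPI header, for example `#define AUDIT_VERSION_BACKLOG_WAIT_TIME 2` (the name is only a suggestion), used at both sites would also let userspace test for the feature by name. The reply is sent with `sizeof(s)`, which is now four bytes longer; whether `s` is zeroed before being filled is outside this hunk.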
@@ -812,8 +819,28 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        if (err < 0)
                                return err;
                }
-               if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT)
+               if (s.mask & AUDIT_STATUS_BACKLOG_LIMIT) {
                        err = audit_set_backlog_limit(s.backlog_limit);
+                       if (err < 0)
+                               return err;
+               }
+               switch (s.version) {
+               /* add future vers # cases immediately below and allow
+                * to fall through */
+               case 2:
+                       if (s.mask & AUDIT_STATUS_BACKLOG_WAIT_TIME) {
+                               if (sizeof(s) > (size_t)nlh->nlmsg_len)
+                                       return -EINVAL;
+                               if (s.backlog_wait_time < 0 ||
+                                   s.backlog_wait_time > 10*AUDIT_BACKLOG_WAIT_TIME)
+                                       return -EINVAL;
+                               err = audit_set_backlog_wait_time(s.backlog_wait_time);
+                               if (err < 0)
+                                       return err;
+                       }
+               default:
+                       break;
+               }
                break;
        }
        case AUDIT_GET_FEATURE:
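Review bot: The length guard `if (sizeof(s) > (size_t)nlh->nlmsg_len)` compares the struct size with the total netlink message length, which includes the netlink header, so a message whose payload is shorter than `struct audit_status` can still pass and `backlog_wait_time` is then read from whatever `s` holds beyond the supplied payload. Comparing against the payload length closes that gap: `if ((size_t)nlmsg_len(nlh) < sizeof(s)) return -EINVAL;`. The `s.backlog_wait_time < 0` test is always false because the field is `__u32`, so only the upper bound does any work and the first half can be dropped. A request with `AUDIT_STATUS_BACKLOG_WAIT_TIME` set but `s.version` not equal to 2 falls to `default` and returns success without applying anything; returning `-EINVAL` in that case would make the rejected setting visible to the audit daemon. How `s` is populated from the message is outside this hunk.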