audit: allow unlimited backlog queue
authorRichard Guy Briggs <rgb@redhat.com>
Tue, 22 Oct 2013 17:28:49 +0000 (13:28 -0400)
committerEric Paris <eparis@redhat.com>
Tue, 14 Jan 2014 03:30:38 +0000 (22:30 -0500)
Since audit can already be disabled by "audit=0" on the kernel boot line, or by
the command "auditctl -e 0", it would be more useful to have the
audit_backlog_limit set to zero mean effectively unlimited (limited only by
system RAM).

Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
kernel/audit.c

index 0d4865a50171bb78ead7a2f34ac2257cd226d235..72bc1d0d1d0d96748aa0ff5acb4a4719d095c95f 100644 (file)
@@ -101,7 +101,8 @@ static __u32        audit_nlk_portid;
  * audit records being dropped. */
 static int     audit_rate_limit;
 
-/* Number of outstanding audit_buffers allowed. */
+/* Number of outstanding audit_buffers allowed.
+ * When set to zero, this means unlimited. */
 static int     audit_backlog_limit = 64;
 #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
 static int     audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
@@ -375,7 +376,8 @@ static int audit_set_failure(int state)
 static void audit_hold_skb(struct sk_buff *skb)
 {
        if (audit_default &&
-           skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)
+           (!audit_backlog_limit ||
+            skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit))
                skb_queue_tail(&audit_skb_hold_queue, skb);
        else
                kfree_skb(skb);