Skip to content

Commit

Permalink
[AUDIT] ratelimit printk messages audit
Browse files Browse the repository at this point in the history 
some printk messages from the audit system can become excessive.  This
patch ratelimits those messages.  It was found that messages, such as
the audit backlog lost printk message could flood the logs to the point
that a machine could take an nmi watchdog hit or otherwise become
unresponsive.

Signed-off-by: Eric Paris <eparis@redhat.com>
  • Loading branch information
Eric Paris authored and Al Viro committed Feb 1, 2008
1 parent 148b38d commit 320f1b1
Showing 1 changed file with 18 additions and 9 deletions.
27 changes: 18 additions & 9 deletions kernel/audit.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,8 @@ void audit_panic(const char *message)
case AUDIT_FAIL_SILENT:
break;
case AUDIT_FAIL_PRINTK:
printk(KERN_ERR "audit: %s\n", message);
if (printk_ratelimit())
printk(KERN_ERR "audit: %s\n", message);
break;
case AUDIT_FAIL_PANIC:
panic("audit: %s\n", message);
Expand Down Expand Up @@ -234,11 +235,13 @@ void audit_log_lost(const char *message)
}

if (print) {
printk(KERN_WARNING
"audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
atomic_read(&audit_lost),
audit_rate_limit,
audit_backlog_limit);
if (printk_ratelimit())
printk(KERN_WARNING
"audit: audit_lost=%d audit_rate_limit=%d "
"audit_backlog_limit=%d\n",
atomic_read(&audit_lost),
audit_rate_limit,
audit_backlog_limit);
audit_panic(message);
}
}
Expand Down Expand Up @@ -352,7 +355,11 @@ static int kauditd_thread(void *dummy)
audit_pid = 0;
}
} else {
printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
if (printk_ratelimit())
printk(KERN_NOTICE "%s\n", skb->data +
NLMSG_SPACE(0));
else
audit_log_lost("printk limit exceeded\n");
kfree_skb(skb);
}
} else {
Expand Down Expand Up @@ -1066,7 +1073,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
remove_wait_queue(&audit_backlog_wait, &wait);
continue;
}
if (audit_rate_check())
if (audit_rate_check() && printk_ratelimit())
printk(KERN_WARNING
"audit: audit_backlog=%d > "
"audit_backlog_limit=%d\n",
Expand Down Expand Up @@ -1349,9 +1356,11 @@ void audit_log_end(struct audit_buffer *ab)
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
} else if (printk_ratelimit()) {
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
} else {
audit_log_lost("printk limit exceeded\n");
}
}
audit_buffer_free(ab);
Expand Down

0 comments on commit 320f1b1

Please sign in to comment.