As the man page of auditctl said:
"
-b backlog
Set max number of outstanding audit buffers allowed (Kernel
Default=64)
If all buffers are full, the failure flag is consulted by the
kernel
for action.
"
So if audit_backlog_limit is zero, it means no audit buffer
should be allocated.
Signed-off-by: Gao feng <[email protected]>
---
kernel/audit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7b0e23a..bbb4000 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1104,14 +1104,16 @@ struct audit_buffer *audit_log_start(struct
audit_context *ctx, gfp_t gfp_mask,
if (unlikely(audit_filter_type(type)))
return NULL;
+ if (!audit_backlog_limit)
+ return NULL;
+
if (gfp_mask & __GFP_WAIT)
reserve = 0;
else
reserve = 5; /* Allow atomic callers to go up to five
entries over the normal backlog limit */
- while (audit_backlog_limit
- && skb_queue_len(&audit_skb_queue) > audit_backlog_limit +
reserve) {
+ while (skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve)
{
if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
unsigned long sleep_time;
--
1.8.3.1
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
