On 2023/05/05 3:40, Paul Moore wrote:
> On Wed, May 3, 2023 at 10:50 PM Tetsuo Handa
> <penguin-ker...@i-love.sakura.ne.jp> wrote:
>> On 2023/05/04 7:12, Rinat Gadelshin wrote:
>>> On 04.05.2023 00:27, Paul Moore wrote:
>>>> Can you be more specific about the kernel threads you are seeing, are
>>>> you seeing multiple "kauditd" threads?
>>>>
>>>> % ps -fC kauditd
>>>> UID          PID    PPID  C STIME TTY          TIME CMD
>>>> root          89       2  0 Apr28 ?        00:00:00 [kauditd]
>>
>> I don't think so.
>>
>> kernel audit subsystem uses kthread_run() in order to run short-lived kernel 
>> threads.
> 
> Thanks Tetsuo, I agree that's far more likely.  Ever since I took over
> shepherding the audit code, all of the thread issues have been around
> the main audit queue thread so it's a bit reflexive to assume that is
> the case :)
> 

Since kthread_run(audit_send_list_thread) is called by
audit_receive_msg(AUDIT_LIST_RULES) via audit_list_rules_send(), trying to
audit fork request via AUDIT_LIST_RULES will cause spams. Maybe something is
going wrong with "And such events occurred 1208 times when AUDIT_LIST_RULES
is sending." part; let's wait for what printk() says.

By the way, why do we need to use kthread_run() for short-lived tasks? Can't
we use a dedicated workqueue which would significantly reduce frequency of
fork request for AUDIT_LIST_RULES request?

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
