On Fri, 2014-03-07 at 19:48 -0500, David Miller wrote: > From: Eric Paris <epa...@redhat.com> > Date: Fri, 07 Mar 2014 17:52:02 -0500 > > > Audit is non-tolerant to failure and loss. > > Netlink is not a loss-less transport. I'm happy to accept that (and know it to be true). How can I better architect things? It seems Eric is complaining that when we get a request for info, we queue that info up, and then use a kthread to make it available when the task next calls recv. By using blocking sockets in the kthread we have no problem with the size of the socket read buf. If we switch to non-blocking sockets how can we possibly queue up more than rmem size of data? (honestly, if userspace used INT_MAX it is almost certainly overkill for even the largest rulesets, but theoretically, it's not...)
Is our design somehow wrong? Flawed? Mind you it's pretty dumb that we do basically the same thing in 3 different audit code path, but the architecture doesn't seem crazy to me. Then again, I'm not brilliant by any stretch! +------------------------------------------------------------------+ | | | auditctl (audit tool run by root) | | netlink send netlink receive | +------------------------------------------------------------------+ + ^ | | v + +----------------------------+ +------------------------+ | kernel audit generate skbs | | send skbs to userspace | +----------------------------+ +------------------------+ + ^ | +------------------------+ | +------->| send skbs to a kthread |+-----+ +------------------------+ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/