> On 05/05/2015 04:55 AM, Zhi Xin wrote:
>> (1) avc size
>>
>> I'm reading the code under
>>
>> /kernel/security/selinux/avc.c
>>
>> I noticed that there are some macro like
>>
>> #define AVC_DEF_CACHE_THRESHOLD 512
>>
>> #define AVC_CACHE_SLOTS 512
>>
>> Are they some kind of threshold ? If the size of avc log reported is
>> bigger than that, new avc will be abandoned ?
>
> No, that has nothing to do with auditing. Just the size of the cache.
>
>> (2) audit subsystem may drop some record when it's satisfied with some
>> condition like
>>
>> /kernel/kernel/audit.c
>>
>> /* Records can be lost in several ways:
>>    0) [suppressed in audit_alloc]
>>    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
>>    2) out of memory in audit_log_move [alloc_skb]
>>    3) suppressed due to audit_rate_limit
>>    4) suppressed due to audit_backlog_limit
>> */
>>
>> Any comments on these two ?
>
> Yes, one of the above cases is the most likely reason you are losing
> audit messages. You can set the audit_rate_limit to zero to disable
> ratelimiting of audit messages by removing the code from
> system/core/logd/libaudit.c that sets it. You could set the
> audit_backlog_limit to zero either by patching your kernel or by
> modifying logd to set it. You can patch your kernel to disable
> printk_ratelimit from being applied when sending audit messages to the
> kernel ring buffer.

It's likely this, I normally patch this out on my kernel in the first few bring ups. I would start here if I were you.

> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.
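
As an added example (not part of the thread, the kernel or logd), this Python sketch reads kernel ring buffer text and reports which of the loss cases from the audit.c comment is occurring, before any limit is patched out. The message formats are assumed from the mainline kernel's audit_log_lost() of that era, and the sample lines are constructed.

```python
import re

# Constructed sample of kernel ring buffer output (not taken from the thread).
SAMPLE_DMESG = """\
[  812.104511] audit: audit_lost=14 audit_rate_limit=20 audit_backlog_limit=64
[  812.104530] audit: rate limit exceeded
[  813.220114] type=1400 audit(1430816101.120:57): avc: denied { read } for pid=2211 comm="app"
[  840.500020] audit: audit_lost=19 audit_rate_limit=20 audit_backlog_limit=64
[  840.500031] audit: backlog limit exceeded
[  841.000100] audit: audit_lost=20 audit_rate_limit=20 audit_backlog_limit=64
[  841.000120] audit: out of memory in audit_log_start
"""

# Assumed format of the counter line printed by audit_log_lost().
LOST_RE = re.compile(
    r"audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
# Assumed reason strings, mapped to the numbered cases in the audit.c comment.
REASONS = {
    "out of memory in audit_log_start": 1,
    "rate limit exceeded": 3,
    "backlog limit exceeded": 4,
}
REASON_RE = re.compile(r"audit: (%s)\s*$" % "|".join(map(re.escape, REASONS)))


def summarize_audit_loss(dmesg_text):
    """Return the latest loss counter, the limits in force, and per-case counts."""
    summary = {"lost": 0, "rate_limit": None, "backlog_limit": None, "causes": {}}
    for line in dmesg_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost, rate, backlog = map(int, m.groups())
            # audit_lost is cumulative, so keep the highest value seen.
            summary["lost"] = max(summary["lost"], lost)
            summary["rate_limit"], summary["backlog_limit"] = rate, backlog
            continue
        m = REASON_RE.search(line)
        if m:
            # These lines pass through printk_ratelimit themselves, so the
            # per-case counts are a lower bound; trust audit_lost for totals.
            case = REASONS[m.group(1)]
            summary["causes"][case] = summary["causes"].get(case, 0) + 1
    return summary


if __name__ == "__main__":
    s = summarize_audit_loss(SAMPLE_DMESG)
    print("lost:", s["lost"], "rate_limit:", s["rate_limit"],
          "backlog_limit:", s["backlog_limit"])
    for case, n in sorted(s["causes"].items()):
        print("  case %d seen %d time(s)" % (case, n))
```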