Open e06620227 opened 3 years ago
https://github.com/linux-audit/audit-userspace/issues/204 @pcmoore @rgbriggs @The-M
Who is @the-M ?
Anyway, I think most of us are rather busy at the moment dealing with other audit-related issues. You can try posting to the audit mailing list, but most of my audit cycles at the moment are busy dealing with other audit issues that are a bit more critical.
On 2021-06-11 10:43, Paul Moore wrote:
> Who is @the-M ?
I think it was intended to be Ondrej Moris. https://github.com/The-Mule
When the auditd service is stopped, it will call audit_set_pid(fd, 0, WAIT_NO) and does not process reply messages
```c
int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
{
	struct audit_status s;
	struct audit_reply rep;
	struct pollfd pfd[1];
	int rc;
}
```
So why does the kernel reply to auditd in blocking mode in function netlink_unicast? When the audit event load is heavy, netlink_attachskb will be scheduled to hang; auditd has stopped consuming recvbuf. netlink_unicast(sk, skb, portid, 0) -> netlink_unicast(sk, skb, portid, 1): is that more reasonable?
audit_receive_msg->audit_replace->auditd_send_unicast_skb->netlink_unicast(sk, skb, portid, 0)->netlink_attachskb