Re: Maximum Value for q_depth

2021-12-08 Thread Steve Grubb
Hello,

On Wednesday, December 8, 2021 4:54:52 PM EST Amjad Gabbar wrote:
> 1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
> syslog.conf for audisp. The q_depth is currently set to 80 and I think it
> calls for an increase, but I'm not sure if there is a way to figure out what
> the proper number would be?

There is no good calculation that I can give you. It depends on the average 
rate of incoming events and the rate that they can be offloaded to the plugins 
+ some margin in case there is a burst. Looking at the 2.8.5 code, the 
default is 250.

https://github.com/linux-audit/audit-userspace/blob/2.8_maintenance/init.d/
audispd.conf

So, you should at least set it that high. Maybe a bit higher.


> 2. Another thing I would like to follow up on is the difference between
> q_depth and backlog_limit. My assumption was if there is any drop due to a
> burst of events it would be addressed by the backlog limit. Just would like
> some clarification on this and how this is an event dispatcher issue?

The backlog limit is inside the kernel. This is the buffer that holds events 
that are waiting for the audit daemon to offload them. Once the audit daemon 
has them, it sends them to the dispatcher, which also buffers events because not 
all plugins are able to receive the events as soon as they arrive at the 
dispatcher.

So, for brief bursts, the kernel backlog will handle the load. But once they 
are pulled out of the kernel, the q_depth controls how much to hold waiting 
for plugins. If this number needs to increase much, then the plugins are 
having problems. The syslog plugin should be fine. I'd look more at the 
af_unix plugin. The client that attaches to it needs to unload events 
quickly. I'd investigate the af_unix client to see if it's the problem.

Cheers,
-Steve
 

> On Wed, Dec 1, 2021 at 10:00 AM Steve Grubb  wrote:
> > Hello,
> > 
> > On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> > > I am currently seeing a lot of auditd dispatch error issues.
> > 
> > What version of auditd and what plugins do you have?
> > 
> > > It is related to a particular keyed rule that from the looks of it is
> > > generating close to a million events /day. I have seen previous answers
> > > where it was advised to increase the q_depth value to a suitable
> > > number.
> > > 
> > > Based on this, I would like to confirm what is the maximum advisable
> > > value q_depth can have/take?
> > 
> > Depends on what you are willing to set it to. You can easily go to 64k,
> > but you really ought to look at the plugins to see why they can't keep up.
> > And of course, are the rules really designed right and you need the
> > million events/day?
> > 
> > -Steve




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
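Steve's answer describes two buffers in series: the kernel backlog (backlog_limit) in front of auditd, and the dispatcher queue (q_depth) in front of the plugins, with drops at whichever stage is full when an event arrives. The following model is added here and is not code from the thread or from audit-userspace; it simulates that path under a constructed burst, with assumed per-tick rates, to show why a brief burst is absorbed by the kernel backlog while a plugin that drains slower than auditd offloads is what forces q_depth up.

```python
"""Two-stage queue model of the audit event path: kernel backlog -> auditd ->
dispatcher queue (q_depth) -> plugins.  Constructed model for illustration,
not code from audit-userspace; all rates are per simulation tick."""
from dataclasses import dataclass


@dataclass
class Stats:
    kernel_drops: int = 0      # events the kernel dropped (backlog_limit hit)
    dispatcher_drops: int = 0  # events the dispatcher dropped (q_depth hit)
    max_backlog: int = 0       # high-water mark of the kernel backlog
    max_queue: int = 0         # high-water mark of the dispatcher queue


def simulate(arrivals, backlog_limit, auditd_rate, q_depth, plugin_rate):
    """arrivals: events generated per tick; auditd_rate: events auditd can
    pull from the kernel per tick; plugin_rate: events the slowest plugin
    (e.g. the af_unix client) drains per tick.  A full stage drops events."""
    backlog = queue = 0
    st = Stats()
    for new in arrivals:
        accepted = min(new, backlog_limit - backlog)   # kernel side
        st.kernel_drops += new - accepted
        backlog += accepted
        st.max_backlog = max(st.max_backlog, backlog)
        pulled = min(backlog, auditd_rate)             # auditd offloads
        backlog -= pulled
        accepted = min(pulled, q_depth - queue)        # dispatcher side
        st.dispatcher_drops += pulled - accepted
        queue += accepted
        st.max_queue = max(st.max_queue, queue)
        queue -= min(queue, plugin_rate)               # plugins drain
    return st


def min_q_depth(arrivals, backlog_limit, auditd_rate, plugin_rate, margin=0):
    """Smallest q_depth that drops nothing for this load: run with a queue
    that can never fill, take its high-water mark, and add a burst margin."""
    unlimited = sum(arrivals) + 1
    return simulate(arrivals, backlog_limit, auditd_rate,
                    unlimited, plugin_rate).max_queue + margin


# Constructed load: 10 events/tick, a 5-tick burst of 300/tick, then 10/tick.
BURST = [10] * 20 + [300] * 5 + [10] * 40

if __name__ == "__main__":
    # Assumed rates: auditd offloads 60/tick, the slowest plugin drains 50/tick.
    for depth in (80, 250, 400):
        s = simulate(BURST, 8192, 60, depth, 50)
        print(f"q_depth={depth}: kernel_drops={s.kernel_drops} "
              f"dispatcher_drops={s.dispatcher_drops} peak_queue={s.max_queue}")
    print("q_depth needed for zero drops:", min_q_depth(BURST, 8192, 60, 50))
```

With these assumed rates the kernel never drops (peak backlog 1260 against a limit of 8192), q_depth 80 and 250 both lose events, and nothing is lost only once q_depth covers the peak of 340; shrinking backlog_limit to 320 instead moves the loss into the kernel, which is the distinction the reply draws.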



Fwd: Maximum Value for q_depth

2021-12-08 Thread Amjad Gabbar
1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
syslog.conf for audisp. The q_depth is currently set to 80 and I think it
calls for an increase, but I'm not sure if there is a way to figure out what
the proper number would be?

2. Another thing I would like to follow up on is the difference between
q_depth and backlog_limit. My assumption was if there is any drop due to a
burst of events it would be addressed by the backlog limit. Just would like
some clarification on this and how this is an event dispatcher issue?

Thanks
Amjad

On Wed, Dec 1, 2021 at 10:00 AM Steve Grubb  wrote:

> Hello,
>
> On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> > I am currently seeing a lot of auditd dispatch error issues.
>
> What version of auditd and what plugins do you have?
>
> > It is related to a particular keyed rule that from the looks of it is
> > generating close to a million events /day. I have seen previous answers
> > where it was advised to increase the q_depth value to a suitable number.
> >
> > Based on this, I would like to confirm what is the maximum advisable
> > value q_depth can have/take?
>
> Depends on what you are willing to set it to. You can easily go to 64k,
> but you really ought to look at the plugins to see why they can't keep up.
> And of course, are the rules really designed right and you need the
> million events/day?
>
> -Steve
>

[PATCH v2 0/7] pid: Introduce helper task_is_in_root_ns()

2021-12-08 Thread Leo Yan
The kernel uses open code in several places to check whether a process is in
the root PID namespace.

As suggested by Suzuki, this patch set creates a helper function,
task_is_in_init_pid_ns(), to replace that open code.

This patch set has been applied on the mainline kernel and built for an
Arm64 kernel with all relevant modules enabled.

Changes from v1:
* Renamed helper function from task_is_in_root_ns() to
  task_is_in_init_pid_ns(). (Leon Romanovsky)
* Improved the patches' commit logs to make them neater.


Leo Yan (7):
  pid: Introduce helper task_is_in_init_pid_ns()
  coresight: etm3x: Use task_is_in_init_pid_ns()
  coresight: etm4x: Use task_is_in_init_pid_ns()
  connector/cn_proc: Use task_is_in_init_pid_ns()
  coda: Use task_is_in_init_pid_ns()
  audit: Use task_is_in_init_pid_ns()
  taskstats: Use task_is_in_init_pid_ns()

 drivers/connector/cn_proc.c | 2 +-
 drivers/hwtracing/coresight/coresight-etm3x-sysfs.c | 8 
 drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 
 fs/coda/inode.c | 2 +-
 fs/coda/psdev.c | 2 +-
 include/linux/pid_namespace.h   | 5 +
 kernel/audit.c  | 2 +-
 kernel/taskstats.c  | 2 +-
 8 files changed, 18 insertions(+), 13 deletions(-)

-- 
2.25.1


[PATCH v2 6/7] audit: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
Replace open code with task_is_in_init_pid_ns() for checking the root PID
namespace.

Signed-off-by: Leo Yan 
---
 kernel/audit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 121d37e700a6..56ea91014180 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1034,7 +1034,7 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 
msg_type)
case AUDIT_MAKE_EQUIV:
/* Only support auditd and auditctl in initial pid namespace
 * for now. */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EPERM;
 
if (!netlink_capable(skb, CAP_AUDIT_CONTROL))
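Review bot: Confirm that kernel/audit.c already includes the header carrying the new helper (it must, since the removed line already called task_active_pid_ns(), which is declared in the same header), so no include change is needed here. The `-EPERM` return and the "Only support auditd and auditctl in initial pid namespace" comment are untouched, so behaviour is unchanged as long as the helper compares against the same namespace; note that the archive rendering has dropped the `&init` prefix from `&init_pid_ns` on the removed line, which applies to every hunk in this series.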
-- 
2.25.1


Re: [PATCH v2 1/7] pid: Introduce helper task_is_in_init_pid_ns()

2021-12-08 Thread Suzuki K Poulose

On 08/12/2021 08:33, Leo Yan wrote:

Currently the kernel uses open code in multiple places to check if a
task is in the root PID namespace with the kind of format:

   if (task_active_pid_ns(current) == _pid_ns)
   do_something();

This patch creates a new helper function, task_is_in_init_pid_ns(), which
returns true if the passed task is in the root PID namespace and false
otherwise.  It will be used to replace the open code.

Suggested-by: Suzuki K Poulose 
Signed-off-by: Leo Yan 
---
  include/linux/pid_namespace.h | 5 +
  1 file changed, 5 insertions(+)

diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
index 7c7e627503d2..07481bb87d4e 100644
--- a/include/linux/pid_namespace.h
+++ b/include/linux/pid_namespace.h
@@ -86,4 +86,9 @@ extern struct pid_namespace *task_active_pid_ns(struct 
task_struct *tsk);
  void pidhash_init(void);
  void pid_idr_init(void);
  
+static inline bool task_is_in_init_pid_ns(struct task_struct *tsk)

+{
+   return task_active_pid_ns(tsk) == _pid_ns;
+}
+


Looks good to me,

Acked-by: Suzuki K Poulose 


Re: [PATCH v2 3/7] coresight: etm4x: Use task_is_in_init_pid_ns()

2021-12-08 Thread Suzuki K Poulose

On 08/12/2021 08:33, Leo Yan wrote:

This patch replaces open code with task_is_in_init_pid_ns() to check if
a task is in the root PID namespace.

Signed-off-by: Leo Yan 
---



Reviewed-by: Suzuki K Poulose 


Re: [PATCH v2 1/7] pid: Introduce helper task_is_in_init_pid_ns()

2021-12-08 Thread Leon Romanovsky
On Wed, Dec 08, 2021 at 04:33:14PM +0800, Leo Yan wrote:
> Currently the kernel uses open code in multiple places to check if a
> task is in the root PID namespace with the kind of format:
> 
>   if (task_active_pid_ns(current) == _pid_ns)
>   do_something();
> 
> This patch creates a new helper function, task_is_in_init_pid_ns(), which
> returns true if the passed task is in the root PID namespace and false
> otherwise.  It will be used to replace the open code.
> 
> Suggested-by: Suzuki K Poulose 
> Signed-off-by: Leo Yan 
> ---
>  include/linux/pid_namespace.h | 5 +
>  1 file changed, 5 insertions(+)
> 

Thanks,
Reviewed-by: Leon Romanovsky 


[PATCH v2 7/7] taskstats: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
Replace open code with task_is_in_init_pid_ns() for checking the root PID
namespace.

Signed-off-by: Leo Yan 
---
 kernel/taskstats.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c
index 2b4898b4752e..f570d8e1f001 100644
--- a/kernel/taskstats.c
+++ b/kernel/taskstats.c
@@ -284,7 +284,7 @@ static int add_del_listener(pid_t pid, const struct cpumask 
*mask, int isadd)
if (current_user_ns() != _user_ns)
return -EINVAL;
 
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
if (isadd == REGISTER) {
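Review bot: The user-namespace and PID-namespace gates in add_del_listener() both return -EINVAL, whereas the equivalent gate in kernel/audit.c (patch 6/7) returns -EPERM; this patch does not change that, but since the series touches every one of these call sites anyway, a follow-up aligning the error code for "caller not in the initial namespace" would make the restriction easier to recognise from userspace.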
-- 
2.25.1


Re: [PATCH v2 2/7] coresight: etm3x: Use task_is_in_init_pid_ns()

2021-12-08 Thread Suzuki K Poulose

On 08/12/2021 08:33, Leo Yan wrote:

This patch replaces open code with task_is_in_init_pid_ns() to check if
a task is in the root PID namespace.

Signed-off-by: Leo Yan 
---


Reviewed-by: Suzuki K Poulose 


[PATCH v2 4/7] connector/cn_proc: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
This patch replaces open code with task_is_in_init_pid_ns() to check if
a task is in the root PID namespace.

Signed-off-by: Leo Yan 
---
 drivers/connector/cn_proc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c
index 646ad385e490..ccac1c453080 100644
--- a/drivers/connector/cn_proc.c
+++ b/drivers/connector/cn_proc.c
@@ -358,7 +358,7 @@ static void cn_proc_mcast_ctl(struct cn_msg *msg,
 * other namespaces.
 */
if ((current_user_ns() != _user_ns) ||
-   (task_active_pid_ns(current) != _pid_ns))
+   !task_is_in_init_pid_ns(current))
return;
 
/* Can only change if privileged. */
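Review bot: Style nit in the compound condition in cn_proc_mcast_ctl(): after the change the first operand keeps its parentheses, `(current_user_ns() != ...) ||`, while the new second operand `!task_is_in_init_pid_ns(current)` has none. Both forms are correct, since `!` binds tighter than `||`, but dropping the parentheses on both operands (or keeping them on both) reads more consistently. The silent `return` for callers outside the initial namespaces is unchanged.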
-- 
2.25.1


[PATCH v2 3/7] coresight: etm4x: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
This patch replaces open code with task_is_in_init_pid_ns() to check if
a task is in the root PID namespace.

Signed-off-by: Leo Yan 
---
 drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c 
b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
index a0640fa5c55b..10ef2a29006e 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c
@@ -1890,7 +1890,7 @@ static ssize_t ctxid_pid_show(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
spin_lock(>spinlock);
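Review bot: The retained comment "Don't use contextID tracing if coming from a PID namespace" is imprecise now that the check is spelled `task_is_in_init_pid_ns()`: every task is in some PID namespace, and what is refused is a caller outside the initial one. Suggest rewording it to "if not in the initial PID namespace", which is the wording ctxid_pid_store() in the next hunk already uses; the same comment is repeated in ctxid_masks_show() and ctxid_masks_store() below.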
@@ -1918,7 +1918,7 @@ static ssize_t ctxid_pid_store(struct device *dev,
 * As such refuse to use the feature if @current is not in the initial
 * PID namespace.
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
/*
@@ -1951,7 +1951,7 @@ static ssize_t ctxid_masks_show(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
spin_lock(>spinlock);
@@ -1975,7 +1975,7 @@ static ssize_t ctxid_masks_store(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
/*
-- 
2.25.1


[PATCH v2 5/7] coda: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
Replace open code with task_is_in_init_pid_ns() for checking the root PID
namespace.

Signed-off-by: Leo Yan 
---
 fs/coda/inode.c | 2 +-
 fs/coda/psdev.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/coda/inode.c b/fs/coda/inode.c
index d9f1bd7153df..931f4560fdd0 100644
--- a/fs/coda/inode.c
+++ b/fs/coda/inode.c
@@ -152,7 +152,7 @@ static int coda_fill_super(struct super_block *sb, void 
*data, int silent)
int error;
int idx;
 
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
idx = get_device_index((struct coda_mount_data *) data);
diff --git a/fs/coda/psdev.c b/fs/coda/psdev.c
index b39580ad4ce5..73457661fbe8 100644
--- a/fs/coda/psdev.c
+++ b/fs/coda/psdev.c
@@ -270,7 +270,7 @@ static int coda_psdev_open(struct inode * inode, struct 
file * file)
struct venus_comm *vcp;
int idx, err;
 
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
if (current_user_ns() != _user_ns)
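Review bot: In coda_psdev_open() the PID-namespace check now precedes the user-namespace check, the reverse of the order used in taskstats (patch 7/7) and cn_proc (patch 4/7); harmless, since both paths return -EINVAL, but worth keeping consistent across the series if these paired checks are ever folded into a single helper.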
-- 
2.25.1


[PATCH v2 1/7] pid: Introduce helper task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
Currently the kernel uses open code in multiple places to check if a
task is in the root PID namespace with the kind of format:

  if (task_active_pid_ns(current) == _pid_ns)
  do_something();

This patch creates a new helper function, task_is_in_init_pid_ns(), which
returns true if the passed task is in the root PID namespace and false
otherwise.  It will be used to replace the open code.

Suggested-by: Suzuki K Poulose 
Signed-off-by: Leo Yan 
---
 include/linux/pid_namespace.h | 5 +
 1 file changed, 5 insertions(+)

diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
index 7c7e627503d2..07481bb87d4e 100644
--- a/include/linux/pid_namespace.h
+++ b/include/linux/pid_namespace.h
@@ -86,4 +86,9 @@ extern struct pid_namespace *task_active_pid_ns(struct 
task_struct *tsk);
 void pidhash_init(void);
 void pid_idr_init(void);
 
+static inline bool task_is_in_init_pid_ns(struct task_struct *tsk)
+{
+   return task_active_pid_ns(tsk) == _pid_ns;
+}
+
 #endif /* _LINUX_PID_NS_H */
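Review bot: The new helper carries no comment describing its contract; suggest a one-line kernel-doc-style comment above `static inline bool task_is_in_init_pid_ns(struct task_struct *tsk)` stating that it returns true when @tsk's active PID namespace is the initial one, since the callers converted in patches 2/7 to 7/7 rely on its negated form as an access check. Note for readers that the archive rendering has dropped the `&init` prefix from `&init_pid_ns` on the `return` line.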
-- 
2.25.1


[PATCH v2 2/7] coresight: etm3x: Use task_is_in_init_pid_ns()

2021-12-08 Thread Leo Yan
This patch replaces open code with task_is_in_init_pid_ns() to check if
a task is in the root PID namespace.

Signed-off-by: Leo Yan 
---
 drivers/hwtracing/coresight/coresight-etm3x-sysfs.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/hwtracing/coresight/coresight-etm3x-sysfs.c 
b/drivers/hwtracing/coresight/coresight-etm3x-sysfs.c
index e8c7649f123e..ff76cb56b727 100644
--- a/drivers/hwtracing/coresight/coresight-etm3x-sysfs.c
+++ b/drivers/hwtracing/coresight/coresight-etm3x-sysfs.c
@@ -1030,7 +1030,7 @@ static ssize_t ctxid_pid_show(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
spin_lock(>spinlock);
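Review bot: The same three-line gate now appears in ctxid_pid_show(), ctxid_pid_store(), ctxid_mask_show() and ctxid_mask_store() in this file; a small file-local helper wrapping `if (!task_is_in_init_pid_ns(current)) return -EINVAL;` together with its comment would remove the remaining duplication this series sets out to reduce. The same applies to the four sites in the etm4x driver (patch 3/7).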
@@ -1058,7 +1058,7 @@ static ssize_t ctxid_pid_store(struct device *dev,
 * As such refuse to use the feature if @current is not in the initial
 * PID namespace.
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
ret = kstrtoul(buf, 16, );
@@ -1084,7 +1084,7 @@ static ssize_t ctxid_mask_show(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
val = config->ctxid_mask;
@@ -1104,7 +1104,7 @@ static ssize_t ctxid_mask_store(struct device *dev,
 * Don't use contextID tracing if coming from a PID namespace.  See
 * comment in ctxid_pid_store().
 */
-   if (task_active_pid_ns(current) != _pid_ns)
+   if (!task_is_in_init_pid_ns(current))
return -EINVAL;
 
ret = kstrtoul(buf, 16, );
-- 
2.25.1
