As the man page of auditctl said:
"
-b backlog
Set max number of outstanding audit buffers allowed (Kernel
Default=64)
If all buffers are full, the failure flag is consulted by the
kernel
for action.
"
So if audit_backlog_limit is zero, it means no audit buffer
should be allocated.
Signed-off-by: Gao feng <gaof...@cn.fujitsu.com>
---
kernel/audit.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 7b0e23a..bbb4000 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1104,14 +1104,16 @@ struct audit_buffer *audit_log_start(struct
audit_context *ctx, gfp_t gfp_mask,
if (unlikely(audit_filter_type(type)))
return NULL;
+ if (!audit_backlog_limit)
+ return NULL;
+
if (gfp_mask & __GFP_WAIT)
reserve = 0;
else
reserve = 5; /* Allow atomic callers to go up to five
entries over the normal backlog limit */
- while (audit_backlog_limit
- && skb_queue_len(&audit_skb_queue) > audit_backlog_limit +
reserve) {
+ while (skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve)
{
if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
unsigned long sleep_time;
--
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
