On Mon, 2024-08-05 at 13:44 +0200, Christian Brauner wrote: > > Audit not my favorite area of the kernel to work in either. I don't see > > a good way to make it rcu-friendly, but I haven't looked too hard yet > > either. It would be nice to be able to do some of the auditing under > > rcu or spinlock. > > For audit your main option is to dodge the problem and check whether > audit is active and only drop out of rcu if it is. That sidesteps the > problem. I'm somewhat certain that a lot of systems don't really have > audit active. > I did have an earlier version of 4/4 that checked audit_context() and stayed in RCU mode if it comes back NULL. I can resurrect that if you think it's worthwhile. > From a brief look at audit it would be quite involved to make it work > just under rcu. Not just because it does various allocation but it also > reads fscaps from disk and so on. That's not going to work unless we add > a vfs based fscaps cache similar to what we do for acls. I find that > very unlikely. Yeah. It wants to record a lot of (variable-length) information at very inconvenient times. I think we're sort of stuck with it though until someone has a vision on how to do this in a non-blocking way. Handwavy thought: there is some similarity to tracepoints in what audit_inode does, and tracepoints are able to be called in all sorts of contexts. I wonder if we could leverage the same infrastructure somehow? The catch here is that we can't just drop audit records if things go wrong. -- Jeff Layton <jlayton@xxxxxxxxxx>