> On 05/05/2015 04:55 AM, Zhi Xin wrote:
>> (1) avc size
>>
>> I'm reading the code under
>>
>> /kernel/security/selinux/avc.c
>>
>> I noticed that there are some macros like
>>
>> #define AVC_DEF_CACHE_THRESHOLD 512
>> #define AVC_CACHE_SLOTS 512
>>
>> Are they some kind of threshold ? If the size of avc log reported is
>> bigger than that, new avc will be abandoned ?
>
> No, that has nothing to do with auditing. Just the size of the cache.
>
>> (2) audit subsystem may drop some record when it's satisfied with some
>> condition like
>>
>> /kernel/kernel/audit.c
>>
>> /* Records can be lost in several ways:
>>    0) [suppressed in audit_alloc]
>>    1) out of memory in audit_log_start [kmalloc of struct audit_buffer]
>>    2) out of memory in audit_log_move [alloc_skb]
>>    3) suppressed due to audit_rate_limit
>>    4) suppressed due to audit_backlog_limit
>> */
>>
>> Any comments on these two ?
>
> Yes, one of the above cases is the most likely reason you are losing
> audit messages. You can set the audit_rate_limit to zero to disable
> ratelimiting of audit messages by removing the code from
> system/core/logd/libaudit.c that sets it. You could set the
> audit_backlog_limit to zero either by patching your kernel or by
> modifying logd to set it. You can patch your kernel to disable
> printk_ratelimit from being applied when sending audit messages to the
> kernel ring buffer.

It's likely this, I normally patch this out on my kernel in the first few bring ups. I would start here if I were you.
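
The audit.c comment quoted in this thread lists audit_rate_limit and audit_backlog_limit among the ways records are lost. As an added example (not part of the original messages, and not kernel or logd code), this C program reads the kernel's current limits and its lost-record counter with an AUDIT_GET netlink request. The helper names `parse_status`, `drop_flags`, `query_status` and the flag names are illustrative, and the query assumes the caller holds CAP_AUDIT_CONTROL.

```c
/* Added example: helper and flag names are illustrative, not kernel or logd code. */
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
enum { LOST = 1, RATE_LIMITED = 2, BACKLOG_LIMITED = 4 };

/* Copy struct audit_status out of an AUDIT_GET reply; 0 on success. */
int parse_status(const void *buf, size_t len, struct audit_status *st) {
    const struct nlmsghdr *nh = buf;
    if (!NLMSG_OK(nh, len) || nh->nlmsg_type != AUDIT_GET ||
        nh->nlmsg_len < NLMSG_LENGTH(8 * sizeof(__u32)))  /* fields up to 'backlog' */
        return -1;   /* NLMSG_ERROR (e.g. EPERM) or truncated reply */
    size_t n = nh->nlmsg_len - NLMSG_HDRLEN;
    memset(st, 0, sizeof(*st));   /* older kernels send a shorter struct */
    memcpy(st, (const char *)buf + NLMSG_HDRLEN, n < sizeof(*st) ? n : sizeof(*st));
    return 0;
}

/* Report whether records were lost and which of the two limits is active. */
int drop_flags(const struct audit_status *st) {
    return (st->lost ? LOST : 0) | (st->rate_limit ? RATE_LIMITED : 0) |
           (st->backlog_limit ? BACKLOG_LIMITED : 0);   /* a limit of 0 is off */
}

/* Send AUDIT_GET to the running kernel and parse the reply. */
int query_status(struct audit_status *st) {
    struct nlmsghdr req = { .nlmsg_len = NLMSG_LENGTH(0), .nlmsg_type = AUDIT_GET,
                            .nlmsg_flags = NLM_F_REQUEST, .nlmsg_seq = 1 };
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };
    union { struct nlmsghdr nh; char raw[1024]; } rsp;   /* aligned receive buffer */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT), rc = -1;
    ssize_t n;
    if (fd < 0) return -1;
    if (sendto(fd, &req, req.nlmsg_len, 0, (struct sockaddr *)&kern, sizeof(kern)) > 0 &&
        (n = recv(fd, &rsp, sizeof(rsp), 0)) > 0)
        rc = parse_status(&rsp, (size_t)n, st);
    close(fd);
    return rc;
}

int main(void) {
    struct audit_status st;
    if (query_status(&st)) { fprintf(stderr, "AUDIT_GET failed\n"); return 1; }
    printf("rate_limit=%u backlog_limit=%u backlog=%u lost=%u flags=%d\n",
           st.rate_limit, st.backlog_limit, st.backlog, st.lost, drop_flags(&st));
    return 0;
}
```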