Re: Give out all the avc logs in ome time

On Wed, May 6, 2015 at 8:18 PM, Zhi Xin <xinzhi@xxxxxxxxxxx> wrote:
Thanks a lot~

I have another question: in the last email, you mentioned two ways to eliminate the ratelimit.

(1) disable the audit ratelimit in logd by removing the AUDIT_STATUS_RATE_LIMIT flag from status.mask.
(2) use the kernel https://bitbucket.org/seandroid/kernel-msm/commits/0388e1630648c481e42929135babb1dbba272e27

I can understand how the kernel part works. But why do you still need to set a user space process like logd? I mean the avc log is given by the kernel. Why can a user space process affect its output? Is it because the kernel log is brought to user space by this logd, and if I want to disable the audit ratelimit, I have to apply both of them?

If there is no audit daemon (userspace) running, the audit subsystem of the kernel just simply printk's it to the kernel log. If there is a userspace daemon running, it sends it via the audit netlink to the userspace daemon, in this case logd. This is used in desktop distros to send the logs over the network, or to disk. In logd, it merges it into the logcat stream. The audit subsystem was designed to be a flexible way to not only record information from the LSMs, but also other features. You can enable things like syscall auditing, in which more comprehensive records can be derived, as well as set filters and watches.

I also wonder, do we have a simpler mechanism, like an on/off switch, during runtime?

As in, we get denial messages or we don't? I think the audit kernel has the capability to filter on records, but the userspace support was never brought into Android fully. When I had the auditd code on the 4.3 base, some contributions were added to be able to set watches and filters IIRC.

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: 6 May 2015 20:20
To: Zhi Xin; selinux@xxxxxxxxxxxxx
Cc: seandroid-list@xxxxxxxxxxxxx
Subject: Re: Give out all the avc logs in ome time

On 05/05/2015 10:18 PM, Zhi Xin wrote:
> Hi Stephen,
>
> Thanks a lot for the suggestion. I will try them later. I have another question about this audit ratelimit. Why not always disable it? Too many printks come up?

In general, the printk and audit ratelimits are to prevent a denial of service (DOS) by flooding the system with too many messages/denials.  In the case of Android, they started setting the audit ratelimit in logd (starting with 5.1.0) because of reported crashes that _might_ have been due to a large number of SELinux denials flooding the serial console and ultimately leading to a watchdog reset, although I am not sure if the exact cause was ever fully confirmed.


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.



--
Respectfully,

William C Roberts
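As an added illustration of point (1) above (this is not code from the thread, from logd or from the kernel): how an audit daemon changes the kernel's rate limit over the audit netlink socket. An AUDIT_SET message carrying a struct audit_status with AUDIT_STATUS_RATE_LIMIT in status.mask and rate_limit 0 tells the kernel to stop rate limiting, which is why a userspace process decides how many denials the kernel emits. The payload uses the original eight-field audit_status layout; the kernel copies at most sizeof(audit_status) bytes, so the shorter payload is accepted.

```python
import os
import socket
import struct

# Constants from <linux/audit.h> and <linux/netlink.h>
NETLINK_AUDIT = 9
AUDIT_SET = 1001                  # "set status", e.g. enabled, pid, rate limit
AUDIT_STATUS_RATE_LIMIT = 0x0008  # status.mask bit: apply the rate_limit field
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_HDRLEN = 16


def audit_status_payload(rate_limit):
    """Encode struct audit_status {mask, enabled, failure, pid, rate_limit,
    backlog_limit, lost, backlog} with only the rate-limit field selected.
    rate_limit == 0 means "no limit"; a daemon that keeps the mask bit but
    sets a non-zero value is what makes the kernel drop excess denials."""
    return struct.pack("=8I", AUDIT_STATUS_RATE_LIMIT, 0, 0, 0,
                       rate_limit, 0, 0, 0)


def nlmsg(msg_type, payload, seq=1, pid=0):
    """Prepend struct nlmsghdr {len, type, flags, seq, pid} (native order)."""
    length = NLMSG_HDRLEN + len(payload)
    hdr = struct.pack("=IHHII", length, msg_type,
                      NLM_F_REQUEST | NLM_F_ACK, seq, pid)
    return hdr + payload


def build_set_rate_limit(rate_limit):
    """Full netlink message: AUDIT_SET with the rate limit field."""
    return nlmsg(AUDIT_SET, audit_status_payload(rate_limit))


def parse_set_rate_limit(msg):
    """Decode a message built above; returns (type, mask, rate_limit)."""
    _length, msg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    fields = struct.unpack_from("=8I", msg, NLMSG_HDRLEN)
    return msg_type, fields[0], fields[4]


def send_set_rate_limit(rate_limit):
    """Send the request over NETLINK_AUDIT; needs CAP_AUDIT_CONTROL (root).
    The kernel answers with an NLMSG_ERROR whose error field is 0 on success."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.send(build_set_rate_limit(rate_limit))
        return s.recv(8192)


if __name__ == "__main__":
    print(build_set_rate_limit(0).hex())       # the bytes logd would send for "unlimited"
    if hasattr(socket, "AF_NETLINK") and os.geteuid() == 0:
        print(send_set_rate_limit(0).hex())    # only attempted as root on Linux
```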
