From 40c0775e5ea47667db497565b79a8dc154530992 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Tue, 22 Oct 2013 13:28:49 -0400 Subject: [PATCH] audit: allow unlimited backlog queue Since audit can already be disabled by "audit=0" on the kernel boot line, or by the command "auditctl -e 0", it would be more useful to have the audit_backlog_limit set to zero mean effectively unlimited (limited only by system RAM). Acked-by: Gao feng Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- kernel/audit.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 0d4865a50171..72bc1d0d1d0d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -101,7 +101,8 @@ static __u32 audit_nlk_portid; * audit records being dropped. */ static int audit_rate_limit; -/* Number of outstanding audit_buffers allowed. */ +/* Number of outstanding audit_buffers allowed. + * When set to zero, this means unlimited. */ static int audit_backlog_limit = 64; #define AUDIT_BACKLOG_WAIT_TIME (60 * HZ) static int audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME; @@ -375,7 +376,8 @@ static int audit_set_failure(int state) static void audit_hold_skb(struct sk_buff *skb) { if (audit_default && - skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit) + (!audit_backlog_limit || + skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)) skb_queue_tail(&audit_skb_hold_queue, skb); else kfree_skb(skb); -- 2.34.1