Commit 320f1b1ed28c601cc152053a2f428a126cb608bc

Authored by Eric Paris
Committed by Al Viro
1 parent 148b38dc93

[AUDIT] ratelimit printk messages audit

Some printk messages from the audit system can become excessive.  This
patch ratelimits those messages.  It was found that messages such as
the audit backlog lost printk message could flood the logs to the point
that a machine could take an NMI watchdog hit or otherwise become
unresponsive.

Signed-off-by: Eric Paris <eparis@redhat.com>

Showing 1 changed file with 18 additions and 9 deletions

... ... @@ -166,7 +166,8 @@
166 166 case AUDIT_FAIL_SILENT:
167 167 break;
168 168 case AUDIT_FAIL_PRINTK:
169   - printk(KERN_ERR "audit: %s\n", message);
  169 + if (printk_ratelimit())
  170 + printk(KERN_ERR "audit: %s\n", message);
170 171 break;
171 172 case AUDIT_FAIL_PANIC:
172 173 panic("audit: %s\n", message);
... ... @@ -234,11 +235,13 @@
234 235 }
235 236  
236 237 if (print) {
237   - printk(KERN_WARNING
238   - "audit: audit_lost=%d audit_rate_limit=%d audit_backlog_limit=%d\n",
239   - atomic_read(&audit_lost),
240   - audit_rate_limit,
241   - audit_backlog_limit);
  238 + if (printk_ratelimit())
  239 + printk(KERN_WARNING
  240 + "audit: audit_lost=%d audit_rate_limit=%d "
  241 + "audit_backlog_limit=%d\n",
  242 + atomic_read(&audit_lost),
  243 + audit_rate_limit,
  244 + audit_backlog_limit);
242 245 audit_panic(message);
243 246 }
244 247 }
... ... @@ -352,7 +355,11 @@
352 355 audit_pid = 0;
353 356 }
354 357 } else {
355   - printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
  358 + if (printk_ratelimit())
  359 + printk(KERN_NOTICE "%s\n", skb->data +
  360 + NLMSG_SPACE(0));
  361 + else
  362 + audit_log_lost("printk limit exceeded\n");
356 363 kfree_skb(skb);
357 364 }
358 365 } else {
... ... @@ -1066,7 +1073,7 @@
1066 1073 remove_wait_queue(&audit_backlog_wait, &wait);
1067 1074 continue;
1068 1075 }
1069   - if (audit_rate_check())
  1076 + if (audit_rate_check() && printk_ratelimit())
1070 1077 printk(KERN_WARNING
1071 1078 "audit: audit_backlog=%d > "
1072 1079 "audit_backlog_limit=%d\n",
1073 1080  
... ... @@ -1349,9 +1356,11 @@
1349 1356 skb_queue_tail(&audit_skb_queue, ab->skb);
1350 1357 ab->skb = NULL;
1351 1358 wake_up_interruptible(&kauditd_wait);
1352   - } else {
  1359 + } else if (printk_ratelimit()) {
1353 1360 struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
1354 1361 printk(KERN_NOTICE "type=%d %s\n", nlh->nlmsg_type, ab->skb->data + NLMSG_SPACE(0));
  1362 + } else {
  1363 + audit_log_lost("printk limit exceeded\n");
1355 1364 }
1356 1365 }
1357 1366 audit_buffer_free(ab);
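Review bot: In the two fallback paths that emit a record through printk instead of queueing it (the `else` branch before `kfree_skb(skb)` and the `else if (printk_ratelimit())` branch before `audit_buffer_free(ab)`), a record is now discarded whenever the kernel-wide printk limiter is exhausted, so unrelated kernel log traffic can use up the budget and audit records are silently reduced to a lost-counter increment. The drop is reported through `audit_log_lost()`, which judging by the second hunk ends in `audit_panic(message)`; if that is the case, a host running with AUDIT_FAIL_PANIC would now panic on a printk burst where it previously only logged, and that trade-off deserves a comment at both call sites or a limiter private to audit. Separately, the literal passed in is `"printk limit exceeded\n"` while the `"audit: %s\n"` formats in the first hunk already append a newline, so `audit_log_lost("printk limit exceeded");` would avoid the stray blank line. The enclosing functions start and end outside the visible hunks, so the exact call chain should be confirmed against the full file.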