Merge "logd: throttle SELinux denials to 20/sec"
diff --git a/logd/LogAudit.cpp b/logd/LogAudit.cpp
index 51feff3..ee2f32d 100644
--- a/logd/LogAudit.cpp
+++ b/logd/LogAudit.cpp
@@ -248,7 +248,7 @@
     if (fd < 0) {
         return fd;
     }
-    if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) {
+    if (audit_setup(fd, getpid()) < 0) {
         audit_close(fd);
         fd = -1;
     }
diff --git a/logd/libaudit.c b/logd/libaudit.c
index ca88d1b..d00d579 100644
--- a/logd/libaudit.c
+++ b/logd/libaudit.c
@@ -162,7 +162,7 @@
     return rc;
 }
 
-int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
+int audit_setup(int fd, uint32_t pid)
 {
     int rc;
     struct audit_message rep;
@@ -176,7 +176,8 @@
      * and the the mask set to AUDIT_STATUS_PID
      */
     status.pid = pid;
-    status.mask = AUDIT_STATUS_PID;
+    status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT;
+    status.rate_limit = 20; // audit entries per second
 
     /* Let the kernel know this pid will be registering for audit events */
     rc = audit_send(fd, AUDIT_SET, &status, sizeof(status));
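Review bot: The comment just above `status.pid = pid;` still says the mask is set to AUDIT_STATUS_PID only, while the new code also sets AUDIT_STATUS_RATE_LIMIT, and the limit is a bare literal `20`. A named constant would keep the policy in one place, for example `#define AUDIT_RATE_LIMIT_DEFAULT 20 /* audit records per second */` with `status.rate_limit = AUDIT_RATE_LIMIT_DEFAULT;`, where the constant name is only a suggestion. The comment should also say that the kernel discards records above this rate, so a burst of denials can leave gaps in what logd records and a missing denial in the log does not prove none occurred. The enclosing function starts and ends outside this hunk.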
@@ -188,24 +189,21 @@
     /*
      * In a request where we need to wait for a response, wait for the message
      * and discard it. This message confirms and sync's us with the kernel.
-     * This daemon is now registered as the audit logger. Only wait if the
-     * wmode is != WAIT_NO
+     * This daemon is now registered as the audit logger.
+     *
+     * TODO
+     * If the daemon dies and restarts the message didn't come back,
+     * so I went to non-blocking and it seemed to fix the bug.
+     * Need to investigate further.
      */
-    if (wmode != WAIT_NO) {
-        /* TODO
-         * If the daemon dies and restarts the message didn't come back,
-         * so I went to non-blocking and it seemed to fix the bug.
-         * Need to investigate further.
-         */
-        audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
-    }
+    audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
 
     return 0;
 }
 
 int audit_open()
 {
-    return socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+    return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
 }
 
 int audit_get_reply(int fd, struct audit_message *rep, reply_t block, int peek)
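Review bot: The result of `audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);` is discarded and audit_setup then returns 0 unconditionally, so a request the kernel rejects or never acknowledges looks like success to the caller. This matters more now that the same AUDIT_SET carries the rate limit, because logd could keep running without the throttle it believes is in place. What audit_get_reply returns is not visible here, so at minimum the comment should state the behaviour, for example `/* Best-effort ack: the reply is not checked, so a rejected AUDIT_SET (pid or rate limit) is not reported to the caller. */`. Logging a non-zero result would make such a failure visible. audit_setup begins outside this hunk.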
diff --git a/logd/libaudit.h b/logd/libaudit.h
index cb114f9..b9e330d 100644
--- a/logd/libaudit.h
+++ b/logd/libaudit.h
@@ -37,11 +37,6 @@
     GET_REPLY_NONBLOCKING
 } reply_t;
 
-typedef enum {
-    WAIT_NO,
-    WAIT_YES
-} rep_wait_t;
-
 /* type == AUDIT_SIGNAL_INFO */
 struct audit_sig_info {
     uid_t uid;
@@ -92,12 +87,10 @@
  *  The fd returned by a call to audit_open()
  * @param pid
  *  The pid whom to set as the reciever of audit messages
- * @param wmode
- *  Whether or not to block on the underlying socket io calls.
  * @return
  *  This function returns 0 on success, -errno on error.
  */
-extern int  audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
+extern int  audit_setup(int fd, uint32_t pid);
 
 __END_DECLS
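Review bot: The doc comment for `audit_setup` loses its `@param wmode` entry but gains nothing about the new behaviour. The part of the comment above this hunk is untouched by the commit, so it presumably still describes only registering the pid. The header should add a sentence such as `Also sets the kernel audit rate limit (currently 20 records per second); records above the limit are dropped.` so that callers know the function changes system-wide audit state beyond the pid. The comment block starts outside the hunk.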