diff options
| author | Mark Salyzyn | 2017-01-03 16:00:19 -0600 |
|---|---|---|
| committer | Mark Salyzyn | 2017-01-04 16:46:58 -0600 |
| commit | 247d682fe1b0dd4c8f149b7f5c89c546df17873a (patch) | |
| tree | d11ddcf98311274cb4612f41b506ebbc9c0b4a3b /logd/libaudit.c | |
| parent | fe05f1cde4fd812bbb20a39d37ee7be6b95402c3 (diff) | |
| download | platform-system-core-247d682fe1b0dd4c8f149b7f5c89c546df17873a.tar.gz platform-system-core-247d682fe1b0dd4c8f149b7f5c89c546df17873a.tar.xz platform-system-core-247d682fe1b0dd4c8f149b7f5c89c546df17873a.zip | |
logd: sepolicy dynamic rate limiting
Processing overhead for selinux violation messages is costly. We want
to deal with bursts of violations, but we have no intent of allowing
that sustained burst to go unabated as there is a cost of processing
and battery usage.
Tunables in libaudit.h are:
AUDIT_RATE_LIMIT_DEFAULT 20 /* acceptable burst rate */
AUDIT_RATE_LIMIT_BURST_DURATION 10 /* number of seconds of burst */
AUDIT_RATE_LIMIT_MAX 5 /* acceptable sustained rate */
Since we can only asymptotically handle DEFAULT rate, we set an upper
threshold of half way between the MAX and DEFAULT rate.
Default kernel audit subsystem message rate is set to 20 a second.
If sepolicy exceeds 125 violation messages over up to ten seconds
(>=~12/s), tell kernel audit subsystem to drop the rate to 5 messages
a second. If rate drops below 50 messages over the past ten seconds
(<5/s), tell kernel it is ok to increase the burst rate back to 20
messages a second.
Test: gTest logd-unit-tests --gtest_filter=logd.sepolicy_rate_limiter_*
Bug: 27878170
Change-Id: I843f8dcfbb3ecfbbe94a4865ea332c858e3be7f2
Diffstat (limited to 'logd/libaudit.c')
| -rw-r--r-- | logd/libaudit.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/logd/libaudit.c b/logd/libaudit.c index d2b212ee4..216f1a18c 100644 --- a/logd/libaudit.c +++ b/logd/libaudit.c | |||
| @@ -149,7 +149,7 @@ out: | |||
| 149 | return rc; | 149 | return rc; |
| 150 | } | 150 | } |
| 151 | 151 | ||
| 152 | int audit_setup(int fd, uint32_t pid) | 152 | int audit_setup(int fd, pid_t pid) |
| 153 | { | 153 | { |
| 154 | int rc; | 154 | int rc; |
| 155 | struct audit_message rep; | 155 | struct audit_message rep; |
| @@ -163,8 +163,7 @@ int audit_setup(int fd, uint32_t pid) | |||
| 163 | * and the the mask set to AUDIT_STATUS_PID | 163 | * and the the mask set to AUDIT_STATUS_PID |
| 164 | */ | 164 | */ |
| 165 | status.pid = pid; | 165 | status.pid = pid; |
| 166 | status.mask = AUDIT_STATUS_PID | AUDIT_STATUS_RATE_LIMIT; | 166 | status.mask = AUDIT_STATUS_PID; |
| 167 | status.rate_limit = 20; // audit entries per second | ||
| 168 | 167 | ||
| 169 | /* Let the kernel know this pid will be registering for audit events */ | 168 | /* Let the kernel know this pid will be registering for audit events */ |
| 170 | rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); | 169 | rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); |
| @@ -187,6 +186,27 @@ int audit_setup(int fd, uint32_t pid) | |||
| 187 | return 0; | 186 | return 0; |
| 188 | } | 187 | } |
| 189 | 188 | ||
| 189 | int audit_rate_limit(int fd, unsigned rate_limit) | ||
| 190 | { | ||
| 191 | int rc; | ||
| 192 | struct audit_message rep; | ||
| 193 | struct audit_status status; | ||
| 194 | |||
| 195 | memset(&status, 0, sizeof(status)); | ||
| 196 | |||
| 197 | status.mask = AUDIT_STATUS_RATE_LIMIT; | ||
| 198 | status.rate_limit = rate_limit; /* audit entries per second */ | ||
| 199 | |||
| 200 | rc = audit_send(fd, AUDIT_SET, &status, sizeof(status)); | ||
| 201 | if (rc < 0) { | ||
| 202 | return rc; | ||
| 203 | } | ||
| 204 | |||
| 205 | audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0); | ||
| 206 | |||
| 207 | return 0; | ||
| 208 | } | ||
| 209 | |||
| 190 | int audit_open() | 210 | int audit_open() |
| 191 | { | 211 | { |
| 192 | return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); | 212 | return socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT); |