Make queue depth user configurable

Introduced a configurable queue depth in the audisp-af_unix plugin
by defining a default of 800 and allowing an optional numeric argument
to override it.

Clarified af_unix.conf to describe the optional fourth queue-depth
argument and provided an example showing how to override the default.

Updated the plugin’s man page to document the optional queue depth
parameter and its default value of 800.

Author: stevegrubb

audisp/plugins/af_unix/af_unix.conf

@@ -1,11 +1,14 @@
 # This file controls the configuration of the
 # af_unix socket plugin. It simply takes events
 # and writes them to a unix domain socket. This
-# plugin can take 2 arguments, the path for the
-# socket and the socket permissions in octal.
+# plugin can take up to 4 arguments: the socket
+# permissions in octal, the path for the socket,
+# the output format, and optionally the queue depth.
 
 active = no
 path = /sbin/audisp-af_unix
 type = always
 args = 0640 /run/audit/audispd_events string
+# To change the queue depth from the default of 800, append the value:
+# args = 0640 /run/audit/audispd_events string 1000
 format = binary

audisp/plugins/af_unix/audisp-af_unix.8

@@ -9,7 +9,7 @@ audisp-af_unix \- plugin to push audit events to an af_unix socket
 .B args
 line of the 
 .B af_unix.conf
-file expects three arguments: access mode, socket path, and output format. The access mode determines the permissions for the socket and defaults to 0640. The socket path specifies where the socket will be created, with the default location being /run/audit/audispd_events. The output format determines the format in which events are delivered to the socket and supports two options: "string" and "binary". The "string" format delivers events in a human-readable form, while the "binary" format delivers events in their binary representation, which is essential for applications that need to process events in binary and reconstruct headers accurately. If the output format is not specified, the plugin defaults to the "string" format.
+file expects three arguments: access mode, socket path, and output format, and optionally a fourth argument specifying the queue depth. The access mode determines the permissions for the socket and defaults to 0640. The socket path specifies where the socket will be created, with the default location being /run/audit/audispd_events. The output format determines the format in which events are delivered to the socket and supports two options: "string" and "binary". The "string" format delivers events in a human-readable form, while the "binary" format delivers events in their binary representation, which is essential for applications that need to process events in binary and reconstruct headers accurately. If the output format is not specified, the plugin defaults to the "string" format. If no queue depth is specified, it defaults to 800.
 
 The
 .B af_unix.conf

audisp/plugins/af_unix/audisp-af_unix.c

@@ -69,9 +69,10 @@ int inbound_protocol = -1;
 static struct mallinfo2 last_mi;
 #endif
 
-#define QUEUE_DEPTH 800
+#define DEFAULT_QUEUE_DEPTH 800
 #define QUEUE_ENTRY_SIZE MAX_AUDIT_EVENT_FRAME_SIZE+1
 
+static size_t queue_depth = DEFAULT_QUEUE_DEPTH;
 static struct queue *queue;
 static const unsigned char *out_buf;
 static size_t out_len;
@@ -194,14 +195,25 @@ int setup_socket(int argc, char *argv[])
 	for (int i = 1; i < argc; i++) {
 		char *arg = argv[i];
 		if (isdigit((unsigned char)arg[0])) {
-			// parse mode
 			errno = 0;
-			mode = strtoul(arg, NULL, 8);
-			if (errno) {
-				syslog(LOG_ERR,
-				       "Error converting %s (%s)",
-				       argv[i], strerror(errno));
-				mode = 0;
+			if (mode == 0) {
+				// parse mode
+				mode = strtoul(arg, NULL, 8);
+				if (errno) {
+					syslog(LOG_ERR,
+						"Error converting %s (%s)",
+						argv[i], strerror(errno));
+					mode = 0;
+				}
+			} else {
+				// parse queue depth
+				queue_depth = strtoul(arg, NULL, 10);
+				if (errno || queue_depth == 0) {
+					syslog(LOG_ERR,
+						"Error converting %s (%s)",
+						argv[i], strerror(errno));
+					queue_depth = DEFAULT_QUEUE_DEPTH;
+				}
 			}
 		} else if (strchr(arg, '/') != NULL) {
 			// parse path
@@ -254,6 +266,8 @@ int setup_socket(int argc, char *argv[])
 			syslog(LOG_INFO, "Using default format");
 		}
 	}
+	if (queue_depth == DEFAULT_QUEUE_DEPTH)
+		syslog(LOG_INFO, "Using default queue depth");
 
 	return create_af_unix_socket(path, mode);
 }
@@ -660,7 +674,7 @@ int main(int argc, char *argv[])
 		syslog(LOG_WARNING, "audisp-af_unix plugin was unable to "
 		       "drop capabilities, continuing with elevated priviles");
 #endif
-	queue = q_open(QUEUE_DEPTH, QUEUE_ENTRY_SIZE);
+	queue = q_open(queue_depth, QUEUE_ENTRY_SIZE);
 	if (queue == NULL) {
 		syslog(LOG_ERR, "Unable to create queue (%s)",
 		       strerror(errno));