Re: [PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid

From: Eric Paris
Date: Wed Mar 19 2008 - 16:19:42 EST

Next message: Glauber de Oliveira Costa: "[PATCH 66/79] [PATCH] merge smp_prepare_boot_cpu"
Previous message: Glauber de Oliveira Costa: "[PATCH 48/79] [PATCH] boot cpus from cpu_up, instead of prepare_cpus"
In reply to: Pavel Emelyanov: "Re: [PATCH] Audit: netlink socket can be auto-bound to pid otherthan current->pid"
Next in thread: Eric Paris: "Re: [PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/19/08, Pavel Emelyanov <xemul@xxxxxxxxxx> wrote:
> Eric Paris wrote:
> > On 3/18/08, Pavel Emelyanov <xemul@xxxxxxxxxx> wrote:
> >
> > Can we please just leave audit_pid as the one flag to tell us if
> > auditd is supposedly up there in userspace? Use audit_nlk_pid to send
> > messages to the right place, but leave everything else to do with
> > audit_pid alone.
>
>
> OK, point taken ;) Is that patch looks OK? If yes, I'll comment
> it properly and re-send to Andrew.
>
> The audit_nlk_pid reset to 0 is not required, since all the
> decisions are taken based on audit_pid value only.

I looks good to me. Feel free to add Acked-by: Eric Paris
<eparis@xxxxxxxxxx> on your submission.

-Eric

>
> Signed-off-by: Pavel Emelyanov <xemul@xxxxxxxxxx>
>
>
> diff --git a/kernel/audit.c b/kernel/audit.c
>
> index ccc7d0e..12a0278 100644
>
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
>
> @@ -77,9 +77,13 @@ static int audit_default;
>
> /* If auditing cannot proceed, audit_failure selects what happens. */
> static int audit_failure = AUDIT_FAIL_PRINTK;
>
> -/* If audit records are to be written to the netlink socket, audit_pid
>
> - * contains the (non-zero) pid. */
> +/*
> + * If audit records are to be written to the netlink socket, audit_pid
> + * contains the pid of the auditd process and audit_nlk_pid contains
> + * the pid to use to send netlink messages to that process.
> + */
> int audit_pid;
>
> +static int audit_nlk_pid;
>
>
> /* If audit_rate_limit is non-zero, limit the rate of sending audit records
>
> * to that number per second. This prevents DoS attacks, but results in
> @@ -349,7 +353,7 @@ static int kauditd_thread(void *dummy)
>
> wake_up(&audit_backlog_wait);
> if (skb) {
> if (audit_pid) {
> - int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
>
> + int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
>
> if (err < 0) {
> BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
> printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
>
> @@ -626,6 +630,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>
> sid, 1);
>
> audit_pid = new_pid;
> + audit_nlk_pid = NETLINK_CB(skb).pid;
> }
> if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> err = audit_set_rate_limit(status_get->rate_limit,
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Glauber de Oliveira Costa: "[PATCH 66/79] [PATCH] merge smp_prepare_boot_cpu"
Previous message: Glauber de Oliveira Costa: "[PATCH 48/79] [PATCH] boot cpus from cpu_up, instead of prepare_cpus"
In reply to: Pavel Emelyanov: "Re: [PATCH] Audit: netlink socket can be auto-bound to pid otherthan current->pid"
Next in thread: Eric Paris: "Re: [PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]