From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [PATCH V1] audit: add warning that an old auditd may be starved out by a new auditd Date: Wed, 09 Sep 2015 16:50:48 -0400 Message-ID: <4246819.OGLW0CmS4i@sifl> References: <5e786f07b6d8a19927c70345c14bd1a452164d38.1441644314.git.rgb@redhat.com> <20150907165818.GH8140@madcap2.tricolour.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7Bit Return-path: In-Reply-To: <20150907165818.GH8140@madcap2.tricolour.ca> Sender: linux-kernel-owner@vger.kernel.org To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com, v.rathor@gmail.com, ctcard@hotmail.com List-Id: linux-audit@redhat.com On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote: > On 15/09/07, Richard Guy Briggs wrote: > > Nothing prevents a new auditd starting up and replacing a valid > > audit_pid when an old auditd is still running, effectively starving out > > the old auditd since audit_pid no longer points to the old valid auditd. > > > > There isn't an easy way to detect if an old auditd is still running on > > the existing audit_pid other than attempting to send a message to see if > > it fails. If no message to auditd has been attempted since auditd died > > unnaturally or got killed, audit_pid will still indicate it is alive. > > > > Signed-off-by: Richard Guy Briggs > > Ok, self-nack on this one for a couple of problems... > netlink_getsockbyportid() is static to af_netlink.c and "pid" should be > task_tgid_vnr(current). Otherwise, any opinions on this approach? > > > --- > > Note: Would it be too bold to actually block the registration of a new > > auditd if the netlink_getsockbyportid() call succeeded? Would other > > checks be appropriate? Hmm. It seems like we should prevent the registration of a new auditd if we already have an auditd instance connected, although as you say, that isn't the easiest thing to do. How painful would it be to return -EAGAIN to the new auditd while sending some sort of keep-alive/ping/etc. message to the old daemon to check its status? -- paul moore security @ redhat