listening to /dev/audit in a pthread program

listening to /dev/audit in a pthread program

[paul moore]

I have an test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
 
It works fine if its in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I pass to the
audit subsystem it complains that nobody is listening
 
I did audit_set_pid(....getpid...) - no (passes the pid of the manager
thread)
I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
 
(I dont really mean I did gettid - I did syscall(_NR_gettid))

I can see in the complaint message that I have given it the pid I intended
to. 
I can see in gdb that my LWP id is the same as the one I send to the audit
subsystem - ie gettid worked.
 
Is this a known issue?

Heres the code snippet

void listen()
{

    // register for events
  	pid_t mytid = (pid_t)syscall(__NR_gettid);
      int res = audit_set_pid(m_auditFD, mytid, WAIT_YES);


    res = audit_set_enabled(m_auditFD, 1);
    assert(res >= 0);

    static audit_reply reply;

    while (true)
    {
        res = audit_get_reply(m_auditFD, &reply, GET_REPLY_BLOCKING, 0);
        if (res < 0)
	{
		printf("exit audit %d %d\n", res, errno);
            break;
		}
        printf("got event %.*s\n", reply.msg.nlh.nlmsg_len, reply.msg.data);

    }
}

The thread sits waiting on the audit_get_reply call, so the FD is open

Re: listening to /dev/audit in a pthread program

[Paul Moore]

On Friday, April 20 2007 6:35:34 pm paul moore wrote:
> I have an test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.
>
> It works fine if its in the lead thread. But when I run the same code in my
> real app it runs in a different thread. No matter what PID I pass to the
> audit subsystem it complains that nobody is listening
>
> I did audit_set_pid(....getpid...) - no (passes the pid of the manager
> thread)
> I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
>
> (I dont really mean I did gettid - I did syscall(_NR_gettid))
>
> I can see in the complaint message that I have given it the pid I intended
> to.
> I can see in gdb that my LWP id is the same as the one I send to the audit
> subsystem - ie gettid worked.
>
> Is this a known issue?

A little more information would be helpful, such as distribution (I'm guessing 
SuSE?), kernel version, audit userspace version, etc.

-Paul "The Other One" Moore

-- 
paul moore
linux security @ hp

RE: listening to /dev/audit in a pthread program

[paul moore]

Sorry

Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4 
gcc 3.4.5 (redhat's)

-----Original Message-----
From: Paul Moore [mailto:paul.moore@hp.com] 
Sent: Friday, April 20, 2007 3:45 PM
To: paul moore
Cc: linux-audit@redhat.com
Subject: Re: listening to /dev/audit in a pthread program

On Friday, April 20 2007 6:35:34 pm paul moore wrote:
> I have an test app that quite happily does an audit_set_pid and then 
> sits there reading /dev/audit.
>
> It works fine if its in the lead thread. But when I run the same code 
> in my real app it runs in a different thread. No matter what PID I 
> pass to the audit subsystem it complains that nobody is listening
>
> I did audit_set_pid(....getpid...) - no (passes the pid of the manager
> thread)
> I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
>
> (I dont really mean I did gettid - I did syscall(_NR_gettid))
>
> I can see in the complaint message that I have given it the pid I 
> intended to.
> I can see in gdb that my LWP id is the same as the one I send to the 
> audit subsystem - ie gettid worked.
>
> Is this a known issue?

A little more information would be helpful, such as distribution (I'm
guessing SuSE?), kernel version, audit userspace version, etc.

-Paul "The Other One" Moore

--
paul moore
linux security @ hp

Re: listening to /dev/audit in a pthread program

[Steve Grubb]

On Friday 20 April 2007 18:35:34 paul moore wrote:
> I have an test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.

There isn't a /dev/audit in linux.org kernels.

> It works fine if its in the lead thread. But when I run the same code in my
> real app it runs in a different thread. 

The important detail is where the audit_open call is made. Netlink want to 
send it to the same tid.

-Steve

RE: listening to /dev/audit in a pthread program

[paul moore]

(Ignore my comment about /dev/audit - I wasn't thinking, yes I call
audit_open)
Thanks

In fact I was wrong. In both cases the listener loop is in a secondary
thread (gotta read my own code more closely). The differntiator is where the
audit_open is called relative to the other threads.

So a bit more hacking based on your reply shows the real rule :-
The pid passed to audit_set_pid must be the pid that called audit_open not
the pid that's listening

Thanks agin. All working now


-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Friday, April 20, 2007 4:13 PM
To: linux-audit@redhat.com
Cc: paul moore
Subject: Re: listening to /dev/audit in a pthread program

On Friday 20 April 2007 18:35:34 paul moore wrote:
> I have an test app that quite happily does an audit_set_pid and then 
> sits there reading /dev/audit.

There isn't a /dev/audit in linux.org kernels.

> It works fine if its in the lead thread. But when I run the same code 
> in my real app it runs in a different thread.

The important detail is where the audit_open call is made. Netlink want to
send it to the same tid.

-Steve