From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [PATCH V3 1/2] audit: stop an old auditd being starved out by a new auditd Date: Tue, 22 Dec 2015 18:47:31 -0500 Message-ID: <12732944.9anvqpPt2P@sifl> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7Bit Return-path: In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com, v.rathor@gmail.com, ctcard@hotmail.com List-Id: linux-audit@redhat.com On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote: > Nothing prevents a new auditd starting up and replacing a valid > audit_pid when an old auditd is still running, effectively starving out > the old auditd since audit_pid no longer points to the old valid auditd. > > If no message to auditd has been attempted since auditd died unnaturally > or got killed, audit_pid will still indicate it is alive. There isn't > an easy way to detect if an old auditd is still running on the existing > audit_pid other than attempting to send a message to see if it fails. > An -ECONNREFUSED almost certainly means it disappeared and can be > replaced. Other errors are not so straightforward and may indicate > transient problems that will resolve themselves and the old auditd will > recover. Yet others will likely need manual intervention for which a > new auditd will not solve the problem. > > Send a new message type (AUDIT_REPLACE) to the old auditd containing a > u32 with the PID of the new auditd. If the audit replace message > succeeds (or doesn't fail with certainty), fail to register the new > auditd and return an error (-EEXIST). > > This is expected to make the patch preventing an old auditd orphaning a > new auditd redundant. > > V3: Switch audit message type from 1000 to 1300 block. > > Signed-off-by: Richard Guy Briggs > --- > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 16 +++++++++++++++- > 2 files changed, 16 insertions(+), 1 deletions(-) Applied to my audit next queue for after the merge window, thanks. > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 843540c..d820aa9 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -110,6 +110,7 @@ > #define AUDIT_SECCOMP 1326 /* Secure Computing event */ > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes */ > +#define AUDIT_REPLACE 1329 /* Replace auditd if this packet unanswerd */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.c b/kernel/audit.c > index 36989a1..0368be2 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -809,6 +809,16 @@ static int audit_set_feature(struct sk_buff *skb) > return 0; > } > > +static int audit_replace(pid_t pid) > +{ > + struct sk_buff *skb = audit_make_reply(0, 0, AUDIT_REPLACE, 0, 0, > + &pid, sizeof(pid)); > + > + if (!skb) > + return -ENOMEM; > + return netlink_unicast(audit_sock, skb, audit_nlk_portid, 0); > +} > + > static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > { > u32 seq; > @@ -870,9 +880,13 @@ static int audit_receive_msg(struct sk_buff *skb, > struct nlmsghdr *nlh) } > if (s.mask & AUDIT_STATUS_PID) { > int new_pid = s.pid; > + pid_t requesting_pid = task_tgid_vnr(current); > > - if ((!new_pid) && (task_tgid_vnr(current) != audit_pid)) > + if ((!new_pid) && (requesting_pid != audit_pid)) > return -EACCES; > + if (audit_pid && new_pid && > + audit_replace(requesting_pid) != -ECONNREFUSED) > + return -EEXIST; > if (audit_enabled != AUDIT_OFF) > audit_log_config_change("audit_pid", new_pid, audit_pid, 1); > audit_pid = new_pid; -- paul moore security @ redhat