linux-audit.redhat.com archive mirror
From: Paul Moore <pmoore@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org,
	sgrubb@redhat.com, eparis@redhat.com, v.rathor@gmail.com,
	ctcard@hotmail.com
Subject: Re: [PATCH 1/2] audit: stop an old auditd being starved out by a new auditd
Date: Tue, 29 Sep 2015 18:24:01 -0400
Message-ID: <1548526.T3Zes7BSZE@sifl>
In-Reply-To: <20150929043611.GC22712@madcap2.tricolour.ca>

On Tuesday, September 29, 2015 12:36:11 AM Richard Guy Briggs wrote:
> On 15/09/28, Paul Moore wrote:
> > On Monday, September 28, 2015 07:17:31 AM Richard Guy Briggs wrote:

...

> > 
> > > So, I believe audit_make_reply() can be used just fine, setting portid,
> > > seq, done and multi to zero.
> > 
> > The 'multi' flag should definitely be set to zero, 'seq' is fine at zero,
> > but I think we can do better with 'portid'; we know the 'portid' value so
> > just use it in the call to audit_make_reply().
> 
> Most other audit_log_start() created messages set portid to zero except
> user messages, and those are set using the initiating process' portid
> and not the destination id.

Sorry, I was confusing the portid in sockaddr_nl with the portid in the 
nlmsghdr ... anyway, yes, the portid in the netlink header should always be 
zero since it references the sender and not the destination and the kernel has 
portid 0.

> > I don't like that we are reusing audit_make_reply() for non-reply netlink
> > messages, but I'll get over that.  This will likely get a revamp when we
> > get around to a proper fix of the queuing system.
> 
> This could even be renamed audit_make_message() and possibly be
> generalized to be useful to audit_log_start(), or rather
> audit_buffer_alloc().  Later...

Not exactly what I was thinking, but as I said, not worth worrying about right 
now.

> > > Ok, how about AUDIT_HIJACK_TEST, with a payload of the u32
> > > representation of the PID of the task attempting to replace it.
> > 
> > Why add the TEST?  It is a hijack attempt, or at least it is if the record
> > is emitted successfully :)  I would go simply with AUDIT_HIJACK or maybe
> > AUDIT_REPLACE (or similar) if "hijack" is a bit too inflammatory (it
> > probably is ...).
> 
> I had actually named it AUDIT_REPLACE_TEST, but your repeated use of the
> term "hijack" swayed me...  I'd still lean towards *_TEST since it is
> testing to replace a stale socket and not a live one.

While we are using the record for a test, that is not its only purpose and we 
might arrive at a future need to indicate a "hijack" that isn't a test.  Keep 
the "hijack" if you want, remove the "test".

-- 
paul moore
security @ redhat


Thread overview:
2015-09-18  7:59 [PATCH 1/2] audit: stop an old auditd being starved out by a new auditd Richard Guy Briggs
2015-09-18  7:59 ` [PATCH 2/2] audit: log failed attempts to change audit_pid configuration Richard Guy Briggs
2015-09-24 20:12   ` Paul Moore
2015-09-24 20:07 ` [PATCH 1/2] audit: stop an old auditd being starved out by a new auditd Paul Moore
2015-09-25 11:10   ` Richard Guy Briggs
2015-09-25 21:14     ` Paul Moore
2015-09-28 11:17       ` Richard Guy Briggs
2015-09-28 18:55         ` Paul Moore
2015-09-29  4:36           ` Richard Guy Briggs
2015-09-29 22:24             ` Paul Moore [this message]
