From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [PATCH 1/2] fix auditctl -D
Date: Tue, 2 May 2006 15:44:36 -0400
Message-ID: <200605021544.36626.sgrubb@redhat.com>
References: <200604282235.k3SMZi02002180@faith.austin.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <200604282235.k3SMZi02002180@faith.austin.ibm.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 28 April 2006 18:35, Joy Latten wrote:
> The fix for the problem of auditctl -D not working
> consists of two patches. One is the userspace patch
> and the other is for the kernel.

We still have a problem. This patch works around the problem but its still 
there. The problem is that getting a list results in ENOBUFS. This causes
"delete all" to fail. This patch avoids that problem because the list internal
to the kernel gets deleted. But what if you just want to list all the rules?
You still get a ENOBUFS.

execve("/home/sgrubb/working/BUILD/audit-1.2.2/src/auditctl"
...
socket(PF_NETLINK, SOCK_RAW, 9)         = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN, revents=POLLIN|POLLERR}], 1, 100) = 1
recvfrom(3, 0x7fff2a895330, 8476, 66, 0x7fff2a893170, 0x7fff2a89317c) = -1 ENOBUFS (No buffer space available)
write(2, "Error receiving audit netlink pa"..., 64Error receiving audit netlink packet (No buffer space available)) = 64
write(2, "\n", 1)                       = 1
write(2, "Error sending rule list request "..., 59Error sending rule list request (No buffer space available)) = 59
write(2, "\n", 1)                       = 1
close(3)                                = 0
exit_group(-1)                          = ?
Process 2608 detached

The very first recvfrom returns the error. The kernel needs to see that 
its about to fill the netlink buffers and reschedule the listing thread until
user space can drain the buffers. So, while -D is solved by this patch,
-l is not.

-Steve