* [PATCH 1/2] fix auditctl -D
@ 2006-04-28 22:35 Joy Latten
2006-04-28 23:04 ` Steve Grubb
2006-05-02 19:44 ` Steve Grubb
0 siblings, 2 replies; 3+ messages in thread
From: Joy Latten @ 2006-04-28 22:35 UTC (permalink / raw)
To: linux-audit
The fix for the problem of auditctl -D not working
consists of two patches. One is the userspace patch
and the other is for the kernel.
Below is the userspace patch. I added AUDIT_DEL_ALL flag.
Regards,
Joy
diff -urpN audit-1.1.5.orig/lib/msg_typetab.h audit-1.1.5/lib/msg_typetab.h
--- audit-1.1.5.orig/lib/msg_typetab.h 2006-04-27 15:46:56.000000000 -0500
+++ audit-1.1.5/lib/msg_typetab.h 2006-04-28 09:53:13.000000000 -0500
@@ -31,6 +31,7 @@
//_S(AUDIT_LIST, "LIST" )
//_S(AUDIT_ADD, "ADD" )
//_S(AUDIT_DEL, "DEL" )
+//_S(AUDIT_DEL_ALL, "DEL_ALL" )
_S(AUDIT_USER, "USER" )
_S(AUDIT_LOGIN, "LOGIN" )
//_S(AUDIT_SIGNAL_INFO, "SIGNAL_INFO" )
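Review bot: nothing in this userspace patch defines AUDIT_DEL_ALL, yet the auditctl.c hunk below sends it; the only mention here is the commented-out `//_S(AUDIT_DEL_ALL, "DEL_ALL" )` entry, so the tree builds only against kernel headers that already export the new type, and older headers break the build. Add a guarded fallback (`#ifndef AUDIT_DEL_ALL` ... `#endif`) in the library header with the value the kernel patch assigns, and decide whether the name-table entry should stay commented out like the neighbouring AUDIT_LIST/ADD/DEL lines or be live so the type resolves in debug output.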
diff -urpN audit-1.1.5.orig/src/auditctl.c audit-1.1.5/src/auditctl.c
--- audit-1.1.5.orig/src/auditctl.c 2006-04-27 15:46:56.000000000 -0500
+++ audit-1.1.5/src/auditctl.c 2006-04-28 09:51:06.000000000 -0500
@@ -1104,62 +1104,12 @@ static int audit_print_reply(struct audi
/* Returns 0 for success and -1 for failure */
static int delete_all_rules(void)
{
- int seq, i;
- int timeout = 40; /* tenths of seconds */
- struct audit_reply rep;
- fd_set read_mask;
+ int rc = 0;
- /* list the rules */
- seq = audit_request_rules_list(fd);
- if (seq <= 0)
+ rc = audit_send(fd, AUDIT_DEL_ALL, NULL, 0);
+ if (rc < 0) {
+ fprintf(stderr, "Error deleting rule (%s)\n", strerror(-rc));
return -1;
-
- FD_ZERO(&read_mask);
- FD_SET(fd, &read_mask);
-
- for (i = 0; i < timeout; i++) {
- struct timeval t;
- int rc;
-
- t.tv_sec = 0;
- t.tv_usec = 100000; /* .1 second */
- do {
- rc = select(fd+1, &read_mask, NULL, NULL, &t);
- } while (rc < 0 && errno == EINTR);
- // We'll try to read just in case
- rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
- if (rc > 0) {
- /* Reset timeout */
- i = 0;
-
- /* Don't make decisions based on wrong packet */
- if (rep.nlh->nlmsg_seq != seq)
- continue;
-
- /* If we get done or error, break out */
- if (rep.type == NLMSG_DONE)
- break;
-
- if (rep.type == NLMSG_ERROR && rep.error->error) {
- fprintf(stderr,
- "Error receiving rules list (%s)\n",
- strerror(-rep.error->error));
- return -1;
- }
-
- /* If its not what we are expecting, keep looping */
- if (rep.type != AUDIT_LIST)
- continue;
-
- /* Found it, bounce it right back with delete */
- rc = audit_send(fd, AUDIT_DEL, rep.rule,
- sizeof(struct audit_rule));
- if (rc < 0) {
- fprintf(stderr, "Error deleting rule (%s)\n",
- strerror(-rc));
- return -1;
- }
- }
}
return 0;
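Review bot: the rewritten delete_all_rules() returns 0 as soon as audit_send() succeeds and never reads the NLMSG_ERROR ack for AUDIT_DEL_ALL, so a kernel that does not know the new type rejects the request in-kernel and `auditctl -D` still exits 0 with every rule intact; the removed loop at least consumed replies and checked `rep.error->error`. Keep a bounded audit_get_reply() wait matched on the request's sequence number and report a non-zero error the way the old code did. Minor: `int rc = 0;` is a dead initialiser since rc is assigned on the next line, and the message should read "Error deleting rules" now that one request clears the whole set.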
* Re: [PATCH 1/2] fix auditctl -D
2006-04-28 22:35 [PATCH 1/2] fix auditctl -D Joy Latten
@ 2006-04-28 23:04 ` Steve Grubb
2006-05-02 19:44 ` Steve Grubb
From: Steve Grubb @ 2006-04-28 23:04 UTC (permalink / raw)
To: linux-audit
On Friday 28 April 2006 18:35, Joy Latten wrote:
> The fix for the problem of auditctl -D not working
> consists of two patches. One is the userspace patch
> and the other is for the kernel.
Joy,
Thanks for sending this patch. I will add a variation of this to the auditctl
source. The problem is that if someone uses new tools on old kernels, it
won't work.
I have been coding up a patch that catches all the rules as a linked list and
then bounces them back to the kernel after the download is complete. This
solves the same problem for older kernels. After the kernel hits 2.6.20 or
something like that, I'll switch over completely to your patch.
-Steve
* Re: [PATCH 1/2] fix auditctl -D
2006-04-28 22:35 [PATCH 1/2] fix auditctl -D Joy Latten
2006-04-28 23:04 ` Steve Grubb
@ 2006-05-02 19:44 ` Steve Grubb
From: Steve Grubb @ 2006-05-02 19:44 UTC (permalink / raw)
To: linux-audit
On Friday 28 April 2006 18:35, Joy Latten wrote:
> The fix for the problem of auditctl -D not working
> consists of two patches. One is the userspace patch
> and the other is for the kernel.
We still have a problem. This patch works around the problem but it's still
there. The problem is that getting a list results in ENOBUFS. This causes
"delete all" to fail. This patch avoids that problem because the list internal
to the kernel gets deleted. But what if you just want to list all the rules?
You still get an ENOBUFS.
execve("/home/sgrubb/working/BUILD/audit-1.2.2/src/auditctl"
...
socket(PF_NETLINK, SOCK_RAW, 9) = 3
fcntl(3, F_SETFD, FD_CLOEXEC) = 0
sendto(3, "\20\0\0\0\365\3\5\0\1\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN, revents=POLLIN|POLLERR}], 1, 100) = 1
recvfrom(3, 0x7fff2a895330, 8476, 66, 0x7fff2a893170, 0x7fff2a89317c) = -1 ENOBUFS (No buffer space available)
write(2, "Error receiving audit netlink pa"..., 64Error receiving audit netlink packet (No buffer space available)) = 64
write(2, "\n", 1) = 1
write(2, "Error sending rule list request "..., 59Error sending rule list request (No buffer space available)) = 59
write(2, "\n", 1) = 1
close(3) = 0
exit_group(-1) = ?
Process 2608 detached
The very first recvfrom returns the error. The kernel needs to see that
it's about to fill the netlink buffers and reschedule the listing thread until
user space can drain the buffers. So, while -D is solved by this patch,
-l is not.
-Steve
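An added example, written for this page and not taken from the audit project or from either poster, covering both of Steve's replies above: it decodes the 16-byte header that the strace shows auditctl sending, and it models the "catch the whole rule list first, then bounce each rule back as AUDIT_DEL" approach with in-memory netlink buffers in place of the socket. Assumptions: struct rule stands in for the kernel's struct audit_rule, the message-type values are the <linux/audit.h> constants (AUDIT_DEL 1012, AUDIT_LIST 1013), the reply stream and rule payloads are constructed, and put_msg, collect_rules, build_deletes, decode_hdr_le and the demo_* functions are this example's own names.

```c
/* Added example, not audit-project code. Netlink I/O is replaced by in-memory
 * buffers; struct rule is a stand-in for the kernel's struct audit_rule. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as struct nlmsghdr, defined locally so this builds anywhere. */
struct nlhdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
#define NLHDR_LEN      ((uint32_t)sizeof(struct nlhdr))
#define NLALIGN(n)     (((n) + 3u) & ~3u)
#define NLMSG_ERROR_T  2      /* NLMSG_ERROR */
#define NLMSG_DONE_T   3      /* NLMSG_DONE  */
#define NLM_F_REQUEST_ 0x1
#define NLM_F_ACK_     0x4
#define AUDIT_DEL_T    1012   /* AUDIT_DEL  in <linux/audit.h> */
#define AUDIT_LIST_T   1013   /* AUDIT_LIST in <linux/audit.h> */
struct rule { uint32_t flags, action; };            /* assumed payload shape */
struct rule_node { struct rule r; struct rule_node *next; };

/* Append one netlink message at buf+off; returns the next aligned offset. */
static size_t put_msg(uint8_t *buf, size_t off, uint16_t type, uint16_t flags,
                      uint32_t seq, const void *payload, uint32_t plen)
{
    struct nlhdr h = { NLHDR_LEN + plen, type, flags, seq, 0 };
    memcpy(buf + off, &h, sizeof h);
    if (plen) memcpy(buf + off + NLHDR_LEN, payload, plen);
    return off + NLALIGN(h.len);
}

/* Netlink is host byte order; the strace came from an x86-64 box, so the
 * captured header bytes are little-endian wherever this example runs. */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static struct nlhdr decode_hdr_le(const uint8_t *p)
{ struct nlhdr h = { le32(p), (uint16_t)le32(p+4), (uint16_t)(le32(p+4) >> 16), le32(p+8), le32(p+12) }; return h; }

/* Walk a list reply as auditctl's loop did, but queue every AUDIT_LIST payload
 * instead of sending a delete mid-download. Returns rules collected, or the
 * negative errno carried by an NLMSG_ERROR. */
static int collect_rules(const uint8_t *buf, size_t buflen, uint32_t want_seq,
                         struct rule_node **head)
{
    size_t off = 0; int n = 0; struct rule_node **tail = head;
    *head = NULL;
    while (off + NLHDR_LEN <= buflen) {
        struct nlhdr h; memcpy(&h, buf + off, sizeof h);
        if (h.len < NLHDR_LEN || off + h.len > buflen) return -EBADMSG;
        const uint8_t *data = buf + off + NLHDR_LEN;
        uint32_t dlen = h.len - NLHDR_LEN;
        off += NLALIGN(h.len);
        if (h.seq != want_seq) continue;                /* not our reply */
        if (h.type == NLMSG_DONE_T) break;
        if (h.type == NLMSG_ERROR_T && dlen >= sizeof(int32_t)) {
            int32_t err; memcpy(&err, data, sizeof err);
            if (err) return err;                        /* kernel sends -errno */
            continue;
        }
        if (h.type != AUDIT_LIST_T || dlen < sizeof(struct rule)) continue;
        struct rule_node *node = malloc(sizeof *node);
        memcpy(&node->r, data, sizeof node->r);
        node->next = NULL; *tail = node; tail = &node->next; n++;
    }
    return n;
}

/* Bounce each collected rule back as its own AUDIT_DEL request, one seq per
 * request so each ack can be matched. Returns requests written. */
static int build_deletes(const struct rule_node *head, uint32_t first_seq,
                         uint8_t *out, size_t cap, size_t *outlen)
{
    size_t off = 0; int n = 0;
    for (const struct rule_node *p = head; p; p = p->next, n++) {
        if (off + NLALIGN(NLHDR_LEN + sizeof p->r) > cap) return -ENOBUFS;
        off = put_msg(out, off, AUDIT_DEL_T, NLM_F_REQUEST_ | NLM_F_ACK_,
                      first_seq + n, &p->r, sizeof p->r);
    }
    *outlen = off;
    return n;
}

static void free_rules(struct rule_node *p)
{ while (p) { struct rule_node *n = p->next; free(p); p = n; } }

/* Constructed scenario: reply for seq 7 with a stray seq-6 packet, two rules
 * and NLMSG_DONE. Returns the number of AUDIT_DEL requests produced (2). */
static int demo_collect_then_delete(void)
{
    uint8_t reply[256], req[256]; size_t off = 0, reqlen = 0;
    struct rule a = { 1, 2 }, b = { 3, 4 }; struct rule_node *rules;
    off = put_msg(reply, off, AUDIT_LIST_T, 0, 6, &a, sizeof a);   /* wrong seq */
    off = put_msg(reply, off, AUDIT_LIST_T, 0, 7, &a, sizeof a);
    off = put_msg(reply, off, AUDIT_LIST_T, 0, 7, &b, sizeof b);
    off = put_msg(reply, off, NLMSG_DONE_T, 0, 7, NULL, 0);
    int n = collect_rules(reply, off, 7, &rules);
    int sent = n < 0 ? n : build_deletes(rules, 8, req, sizeof req, &reqlen);
    free_rules(rules);
    return sent;
}

/* Constructed scenario: the kernel rejects the list request; returns -EINVAL. */
static int demo_error_reply(void)
{
    uint8_t reply[64]; int32_t err = -EINVAL; struct rule_node *rules;
    int rc = collect_rules(reply, put_msg(reply, 0, NLMSG_ERROR_T, 0, 7, &err, sizeof err), 7, &rules);
    free_rules(rules); return rc;
}

/* The 16 bytes auditctl sent in the strace above (the sendto payload). */
static const uint8_t strace_request[16] =
    { 0x10,0,0,0, 0xf5,0x03, 0x05,0x00, 0x01,0,0,0, 0,0,0,0 };
static struct nlhdr demo_request_header(void) { return decode_hdr_le(strace_request); }

int main(void)
{
    struct nlhdr h = demo_request_header();
    printf("request type=%u flags=0x%x seq=%u; deletes built=%d; error path=%d\n",
           h.type, h.flags, h.seq, demo_collect_then_delete(), demo_error_reply());
    return 0;
}
```

Decoding the sendto() bytes gives type 1013 (AUDIT_LIST), flags 0x5 (NLM_F_REQUEST|NLM_F_ACK) and seq 1, which is the list request the trace then never gets a reply to. The ENOBUFS in the trace is returned by recvfrom() itself, before any message reaches a parser like collect_rules(): the kernel's netlink send side overran the socket's receive queue and dropped messages, so no change to reply handling in auditctl can cure the -l case; that is the kernel-side change the second reply asks for.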