From: Paul Moore
Subject: Re: listening to /dev/audit in a pthread program
Date: Fri, 20 Apr 2007 18:45:27 -0400
Message-ID: <200704201845.27504.paul.moore@hp.com>
To: paul moore
Cc: linux-audit@redhat.com

On Friday, April 20 2007 6:35:34 pm paul moore wrote:
> I have a test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.
>
> It works fine if it's in the lead thread. But when I run the same code in my
> real app it runs in a different thread. No matter what PID I pass to the
> audit subsystem it complains that nobody is listening.
>
> I did audit_set_pid(....getpid...) - no (passes the pid of the manager
> thread)
> I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
>
> (I don't really mean I did gettid - I did syscall(_NR_gettid))
>
> I can see in the complaint message that I have given it the pid I intended
> to.
> I can see in gdb that my LWP id is the same as the one I send to the audit
> subsystem - i.e. gettid worked.
>
> Is this a known issue?

A little more information would be helpful, such as distribution (I'm guessing
SuSE?), kernel version, audit userspace version, etc.

-Paul "The Other One" Moore

--
paul moore
linux security @ hp