From mboxrd@z Thu Jan  1 00:00:00 1970
From: Linda Knippers <linda.knippers@hp.com>
Subject: Re: audit_pid with multiple userspace auditd processes
Date: Wed, 07 Jan 2009 17:04:35 -0500
Message-ID: <496526F3.2070609@hp.com>
References: <1231364199.31089.61.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1231364199.31089.61.camel@localhost.localdomain>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Eric Paris wrote:
> So I noticed today something strange, but maybe not wrong?
> 
> lets say userspace starts 2 copies of auditd.  

Will a second auditd actually start?  Seems like it shouldn't.

> Then they kill the first
> copy.  The kernel at that point thinks there is no userspace auditd
> running and will instead send things to dmesg
> 
> We could fix it by changing the handling in audit_receive_msg to reject
> setting the audit_pid to 0 if the current audit_nlk_pid !=
> NETLINK_CB(skb).pid.
> 
> It's not a big deal, maybe we just call results of audit with multiple
> userspace auditd's running at the same time a undefined and not care.

I think its something to be avoided.  Can the 2nd auditd exit if
there already is one?

-- ljk
> 
> Anyone think that's worth a patch?
> 
> -Eric
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit