From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Miloslav Trmac Subject: [patches] Implement mode=forward in audisp-remote Date: Sat, 19 Mar 2011 07:09:58 -0400 (EDT) Message-ID: <589201219.428058.1300532998458.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> References: <1864744184.428047.1300532843837.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_428057_448391106.1300532998455" Return-path: In-Reply-To: <1864744184.428047.1300532843837.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit List-Id: linux-audit@redhat.com ------=_Part_428057_448391106.1300532998455 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Hello, the attached patch series implements the store-and-forward mode in audisp-remote. In mode=forward, as audisp-remote receives audit records, it automatically writes them to a local file. Therefore neither an unexpected termination of audisp-remote nor problems with the remote server can cause loss of the audit records, and audisp-remote will try to resend all of the pending records before sending any later received audit record, or after restarting audisp-remote. (Note that loss of audit records is still possible in other cases, e.g. when the system crashes before the records are received by audisp-remote, or when the local queue file is corrupted.) Detailed description of the approach is included in the individual patches. Mirek ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=11-drop-event_t Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=11-drop-event_t Drop event_t, use a character buffer in main(). 
Memory allocation/deallocation becomes an internal matter of queue.c instead of the current transfers of memory ownership on enqueue() and peek_queue(). Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c @@ -340,7 +340,6 @@ static void do_overflow_action(void) int main(int argc, char *argv[]) { - event_t *e; struct sigaction sa; int rc, q_len; @@ -383,6 +382,7 @@ int main(int argc, char *argv[]) do { fd_set rfd; struct timeval tv; + char event[MAX_AUDIT_MESSAGE_LENGTH]; int n, fds = ifd + 1; /* Load configuration */ @@ -428,8 +428,7 @@ int main(int argc, char *argv[]) if (hup != 0 || stop != 0) continue; - e = (event_t *)malloc(sizeof(event_t)); - if (fgets_unlocked(e->data, MAX_AUDIT_MESSAGE_LENGTH, in)) { + if (fgets_unlocked(event, sizeof(event), in)) { if (!transport_ok && remote_ended && config.remote_ending_action == FA_RECONNECT) { quiet = 1; @@ -438,25 +437,20 @@ int main(int argc, char *argv[]) quiet = 0; } /* Strip out EOE records */ - if (strstr(e->data,"type=EOE msg=audit(")) { - free(e); + if (strstr(event,"type=EOE msg=audit(")) continue; - } - if (enqueue(e) != 0) + if (enqueue(event) != 0) do_overflow_action(); rc = 0; while (!suspend && rc >= 0 && transport_ok && - (e = peek_queue()) != NULL) { - rc = relay_event(e->data, - strnlen(e->data, + peek_queue(event, sizeof(event)) != 0) { + rc = relay_event(event, + strnlen(event, MAX_AUDIT_MESSAGE_LENGTH)); - if (rc >= 0) { - free(e); + if (rc >= 0) dequeue(); // delete it - } } - } else - free(e); + } if (feof(in)) break; } while (stop == 0); Index: audit/audisp/plugins/remote/queue.c =================================================================== --- audit.orig/audisp/plugins/remote/queue.c +++ audit/audisp/plugins/remote/queue.c 
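Review bot: In the relay loop of main() (hunk @@ -438,25 +437,20) the buffer bound is written two ways: `fgets_unlocked(event, sizeof(event), in)` and `peek_queue(event, sizeof(event))` use the array size, while the length handed to relay_event() is still `strnlen(event, MAX_AUDIT_MESSAGE_LENGTH)`. The two are equal today because of the `char event[MAX_AUDIT_MESSAGE_LENGTH];` declaration added in the @@ -383,6 +382,7 hunk, but `strnlen(event, sizeof(event))` would keep the bound tied to the buffer if that declaration ever changes. main() begins and ends outside these hunks.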
@@ -600,43 +600,32 @@ int init_queue(remote_conf_t *config) return 0; } -int enqueue(event_t *e) +int enqueue(const char *data) { - int ret; - - if (q_append(q, e->data) == 0) - ret = 0; + if (q_append(q, data) == 0) + return 0; else if (errno == ENOSPC) - ret = -1; + return -1; else { queue_error(); - ret = 0; + return 0; } - free(e); - return ret; } -event_t *peek_queue(void) +int peek_queue(char *buf, size_t size) { - event_t *e; int r; - e = malloc(sizeof(*e)); - if (e == NULL) - goto err; - r = q_peek(q, e->data, sizeof(e->data)); - if (r == 0) { - free(e); - return NULL; - } + r = q_peek(q, buf, size); + if (r == 0) + return 0; if (r != 1) goto err; - return e; + return 1; err: queue_error(); - free(e); - return NULL; + return 0; } void dequeue(void) Index: audit/audisp/plugins/remote/queue.h =================================================================== --- audit.orig/audisp/plugins/remote/queue.h +++ audit/audisp/plugins/remote/queue.h 
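Review bot: enqueue() in this hunk returns 0 both when q_append() stored the record and when it failed with an errno other than ENOSPC, so the caller in main() cannot tell that an audit record was not queued; only queue_error() sees that case. If that is intended, the contract deserves a comment above the function, for example `/* Returns 0 if DATA was queued or a non-ENOSPC error was reported through queue_error(); -1 if the queue is full. */`, and peek_queue() should likewise say that 0 means "empty or error" and that BUF is owned by the caller. In queue.h the new prototype leaves the size parameter unnamed; `int peek_queue(char *buf, size_t size);` matches the definition.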
@@ -28,15 +28,9 @@ #include "libaudit.h" #include "remote-config.h" -typedef struct event -{ - char data[MAX_AUDIT_MESSAGE_LENGTH]; -} event_t; - - int init_queue(remote_conf_t *config); -int enqueue(event_t *e); -event_t *peek_queue(void); +int enqueue(const char *data); +int peek_queue(char *buf, size_t); void dequeue(void); int queue_length(void); void destroy_queue(void); ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=12-fold-old-queue-interface Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=12-fold-old-queue-interface Rm9sZCBvbGQgcXVldWUgaW50ZXJmYWNlIGludG8gbWFpbigpCgphbmQgdXNlICJzdHJ1Y3QgcXVl dWUiIGluIG1haW4oKSBkaXJlY3RseS4KSW5kZXg6IGF1ZGl0L2F1ZGlzcC9wbHVnaW5zL3JlbW90 ZS9hdWRpc3AtcmVtb3RlLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gYXVkaXQub3JpZy9hdWRpc3AvcGx1Z2lu cy9yZW1vdGUvYXVkaXNwLXJlbW90ZS5jCisrKyBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUv YXVkaXNwLXJlbW90ZS5jCkBAIC01Niw2ICs1NiwxMCBAQAogI2RlZmluZSBDT05GSUdfRklMRSAi L2V0Yy9hdWRpc3AvYXVkaXNwLXJlbW90ZS5jb25mIgogI2RlZmluZSBCVUZfU0laRSAzMgogCisv KiBNQVhfQVVESVRfTUVTU0FHRV9MRU5HVEgsIGFsaWduZWQgdG8gNCBLQiBzbyB0aGF0IGFuIGF2 ZXJhZ2UgcV9hcHBlbmQoKSBvbmx5CisgICB3cml0ZXMgdG8gdHdvIGRpc2sgZGlzayBibG9ja3Mg KDEgYWxpZ25lZCBkYXRhIGJsb2NrLCAxIGhlYWRlciBibG9jaykuICovCisjZGVmaW5lIFFVRVVF X0VOVFJZX1NJWkUgKDMqNDA5NikKKwogLyogRXJyb3IgdHlwZXMgKi8KICNkZWZpbmUgRVRfU1VD Q0VTUwkgMAogI2RlZmluZSBFVF9QRVJNQU5FTlQJLTEKQEAgLTkzLDYgKzk3LDEyIEBAIGdzc19j dHhfaWRfdCBteV9jb250ZXh0OwogI2RlZmluZSBVU0VfR1NTIChjb25maWcuZW5hYmxlX2tyYjUp CiAjZW5kaWYKIAorLyogQ29tcGlsZS10aW1lIGV4cHJlc3Npb24gdmVyaWZpY2F0aW9uICovCisj ZGVmaW5lIHZlcmlmeShFKSBkbyB7CQkJCVwKKwkJY2hhciB2ZXJpZnlfX1soRSkgPyAxIDogLTFd OwlcCisJCSh2b2lkKXZlcmlmeV9fOwkJCVwKKwl9IHdoaWxlICgwKQorCiAvKgogICogU0lHVEVS TSBoYW5kbGVyCiAgKi8KQEAgLTI5NCw3ICszMDQsNyBAQCBzdGF0aWMgaW50IGdlbmVyaWNfcmVt b3RlX3dhcm5pbmdfaGFuZGxlCiB9CiAKIC8qIFJlcG9ydCBhbmQgaGFuZGxlIGEgcXVldWUgZXJy 
b3IsIHVzaW5nIGVycm5vLiAqLwotdm9pZCBxdWV1ZV9lcnJvcih2b2lkKQorc3RhdGljIHZvaWQg cXVldWVfZXJyb3Iodm9pZCkKIHsKIAljaGFyICplcnJub19zdHI7CiAJdmFfbGlzdCBhcDsKQEAg LTMzOCwxMCArMzQ4LDMxIEBAIHN0YXRpYyB2b2lkIGRvX292ZXJmbG93X2FjdGlvbih2b2lkKQog ICAgICAgICB9CiB9CiAKKy8qIEluaXRpYWxpemUgYW5kIHJldHVybiBhIHF1ZXVlIGRlcGVuZGlu ZyBvbiB1c2VyJ3MgY29uZmlndXJhdGlvbi4KKyAgIE9uIGVycm9yIHJldHVybiBOVUxMIGFuZCBz ZXQgZXJybm8uICovCitzdGF0aWMgc3RydWN0IHF1ZXVlICppbml0X3F1ZXVlKHZvaWQpCit7CisJ Y29uc3QgY2hhciAqcGF0aDsKKwlpbnQgcV9mbGFnczsKKworCWlmIChjb25maWcucXVldWVfZmls ZSAhPSBOVUxMKQorCQlwYXRoID0gY29uZmlnLnF1ZXVlX2ZpbGU7CisJZWxzZQorCQlwYXRoID0g Ii92YXIvbGliL2F1ZGl0ZC1yZW1vdGUvcXVldWUiOworCXFfZmxhZ3MgPSBRX0lOX01FTU9SWTsK KwlpZiAoY29uZmlnLm1vZGUgPT0gTV9TVE9SRV9BTkRfRk9SV0FSRCkKKwkJLyogRklYTUU6IGxl dCB1c2VyIGNvbnRyb2wgUV9TWU5DPyAqLworCQlxX2ZsYWdzIHw9IFFfSU5fRklMRSB8IFFfQ1JF QVQgfCBRX1JFU0laRTsKKwl2ZXJpZnkoUVVFVUVfRU5UUllfU0laRSA+PSBNQVhfQVVESVRfTUVT U0FHRV9MRU5HVEgpOworCXJldHVybiBxX29wZW4ocV9mbGFncywgcGF0aCwgY29uZmlnLnF1ZXVl X2RlcHRoLCBRVUVVRV9FTlRSWV9TSVpFKTsKK30KKwogaW50IG1haW4oaW50IGFyZ2MsIGNoYXIg KmFyZ3ZbXSkKIHsKIAlzdHJ1Y3Qgc2lnYWN0aW9uIHNhOwotCWludCByYywgcV9sZW47CisJc3Ry dWN0IHF1ZXVlICpxdWV1ZTsKKwlpbnQgcmM7CisJc2l6ZV90IHFfbGVuOwogCiAJLyogUmVnaXN0 ZXIgc2lnaGFuZGxlcnMgKi8KIAlzYS5zYV9mbGFncyA9IDA7CkBAIC0zNjgsOCArMzk5LDkgQEAg aW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkKIAlyYyA9IGluaXRfdHJhbnNwb3J0KCk7 CiAJaWYgKHJjID09IEVUX1BFUk1BTkVOVCkKIAkJcmV0dXJuIDE7Ci0JaWYgKGluaXRfcXVldWUo JmNvbmZpZykgIT0gMCkgewotCQlzeXNsb2coTE9HX0VSUiwgIkVycm9yIGluaXRpYWxpemluZyBh dWRpdCByZWNvcmQgcXVldWUiKTsKKwlxdWV1ZSA9IGluaXRfcXVldWUoKTsKKwlpZiAocXVldWUg PT0gTlVMTCkgeworCQlzeXNsb2coTE9HX0VSUiwgIkVycm9yIGluaXRpYWxpemluZyBhdWRpdCBy ZWNvcmQgcXVldWU6ICVtIik7CiAJCXJldHVybiAxOwogCX0KIApAQCAtNDM5LDE2ICs0NzEsMjgg QEAgaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkKIAkJCS8qIFN0cmlwIG91dCBFT0Ug cmVjb3JkcyAqLwogCQkJaWYgKHN0cnN0cihldmVudCwidHlwZT1FT0UgbXNnPWF1ZGl0KCIpKQog 
CQkJCWNvbnRpbnVlOwotCQkJaWYgKGVucXVldWUoZXZlbnQpICE9IDApCi0JCQkJZG9fb3ZlcmZs b3dfYWN0aW9uKCk7Ci0JCQlyYyA9IDA7Ci0JCQl3aGlsZSAoIXN1c3BlbmQgJiYgcmMgPj0gMCAm JiB0cmFuc3BvcnRfb2sgJiYKLQkJCSAgICAgICBwZWVrX3F1ZXVlKGV2ZW50LCBzaXplb2YoZXZl bnQpKSAhPSAwKSB7Ci0JCQkJcmMgPSByZWxheV9ldmVudChldmVudCwKKwkJCWlmIChxX2FwcGVu ZChxdWV1ZSwgZXZlbnQpICE9IDApIHsKKwkJCQlpZiAoZXJybm8gPT0gRU5PU1BDKQorCQkJCQlk b19vdmVyZmxvd19hY3Rpb24oKTsKKwkJCQllbHNlCisJCQkJCXF1ZXVlX2Vycm9yKCk7CisJCQl9 CisJCQl3aGlsZSAoIXN1c3BlbmQgJiYgdHJhbnNwb3J0X29rKSB7CisJCQkJcmMgPSBxX3BlZWso cXVldWUsIGV2ZW50LCBzaXplb2YoZXZlbnQpKTsKKwkJCQlpZiAocmMgPT0gMCkKKwkJCQkJYnJl YWs7CisJCQkJaWYgKHJjICE9IDEpIHsKKwkJCQkJcXVldWVfZXJyb3IoKTsKKwkJCQkJYnJlYWs7 CisJCQkJfQorCQkJCWlmIChyZWxheV9ldmVudChldmVudCwKIAkJCQkJc3RybmxlbihldmVudCwK LQkJCQkJTUFYX0FVRElUX01FU1NBR0VfTEVOR1RIKSk7Ci0JCQkJaWYgKHJjID49IDApCi0JCQkJ CWRlcXVldWUoKTsgLy8gZGVsZXRlIGl0CisJCQkJCU1BWF9BVURJVF9NRVNTQUdFX0xFTkdUSCkp IDwgMCkKKwkJCQkJYnJlYWs7CisJCQkJaWYgKHFfZHJvcF9oZWFkKHF1ZXVlKSAhPSAwKSB7CisJ CQkJCXF1ZXVlX2Vycm9yKCk7CisJCQkJCWJyZWFrOworCQkJCX0KIAkJCX0KIAkJfQogCQlpZiAo ZmVvZihpbikpCkBAIC00NTYsOCArNTAwLDggQEAgaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFy Z3ZbXSkKIAl9IHdoaWxlIChzdG9wID09IDApOwogCWNsb3NlKHNvY2spOwogCWZyZWVfY29uZmln KCZjb25maWcpOwotCXFfbGVuID0gcXVldWVfbGVuZ3RoKCk7Ci0JZGVzdHJveV9xdWV1ZSgpOwor CXFfbGVuID0gcV9xdWV1ZV9sZW5ndGgocXVldWUpOworCXFfY2xvc2UocXVldWUpOwogCWlmIChz dG9wKQogCQlzeXNsb2coTE9HX05PVElDRSwgImF1ZGlzcC1yZW1vdGUgaXMgZXhpdGluZyBvbiBz dG9wIHJlcXVlc3QiKTsKIApJbmRleDogYXVkaXQvYXVkaXNwL3BsdWdpbnMvcmVtb3RlL3F1ZXVl LmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQotLS0gYXVkaXQub3JpZy9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvcXVldWUu YworKysgYXVkaXQvYXVkaXNwL3BsdWdpbnMvcmVtb3RlL3F1ZXVlLmMKQEAgLTU2OSw3OCArNTY5 LDMgQEAgZXJyX2Vycm5vX3E6CiAJZXJybm8gPSBzYXZlZF9lcnJubzsKIAlyZXR1cm4gTlVMTDsK IH0KLQotDCAvKiBhdWRpc3AtcmVtb3RlIGludGVyZmFjZSAqLwotCi0vKiBNQVhfQVVESVRfTUVT 
U0FHRV9MRU5HVEgsIGFsaWduZWQgdG8gNCBLQiBzbyB0aGF0IGFuIGF2ZXJhZ2UgcV9hcHBlbmQo KSBvbmx5Ci0gICB3cml0ZXMgdG8gdHdvIGRpc2sgZGlzayBibG9ja3MgKDEgYWxpZ25lZCBkYXRh IGJsb2NrLCAxIGhlYWRlciBibG9jaykuICovCi0jZGVmaW5lIFFVRVVFX0VOVFJZX1NJWkUgKDMq NDA5NikKLQotZXh0ZXJuIHZvaWQgcXVldWVfZXJyb3Iodm9pZCk7IC8qIFRoaXMgd2lsbCBnbyBh d2F5IGluIGEgZmV3IG1vcmUgcGF0Y2hlcy4gKi8KLQotc3RhdGljIHN0cnVjdCBxdWV1ZSAqcTsK LQotaW50IGluaXRfcXVldWUocmVtb3RlX2NvbmZfdCAqY29uZmlnKQotewotCWNvbnN0IGNoYXIg KnBhdGg7Ci0JaW50IHFfZmxhZ3M7Ci0KLQlpZiAoY29uZmlnLT5xdWV1ZV9maWxlICE9IE5VTEwp Ci0JCXBhdGggPSBjb25maWctPnF1ZXVlX2ZpbGU7Ci0JZWxzZQotCQlwYXRoID0gIi92YXIvbGli L2F1ZGl0ZC1yZW1vdGUvcXVldWUiOwotCXFfZmxhZ3MgPSBRX0lOX01FTU9SWTsKLQlpZiAoY29u ZmlnLT5tb2RlID09IE1fU1RPUkVfQU5EX0ZPUldBUkQpCi0JCS8qIEZJWE1FOiBsZXQgdXNlciBj b250cm9sIFFfU1lOQz8gKi8KLQkJcV9mbGFncyB8PSBRX0lOX0ZJTEUgfCBRX0NSRUFUIHwgUV9S RVNJWkU7Ci0JdmVyaWZ5KFFVRVVFX0VOVFJZX1NJWkUgPj0gTUFYX0FVRElUX01FU1NBR0VfTEVO R1RIKTsKLQlxID0gcV9vcGVuKHFfZmxhZ3MsIHBhdGgsIGNvbmZpZy0+cXVldWVfZGVwdGgsIFFV RVVFX0VOVFJZX1NJWkUpOwotCWlmIChxID09IE5VTEwpCi0JCXJldHVybiAtMTsKLQlyZXR1cm4g MDsKLX0KLQotaW50IGVucXVldWUoY29uc3QgY2hhciAqZGF0YSkKLXsKLQlpZiAocV9hcHBlbmQo cSwgZGF0YSkgPT0gMCkKLQkJcmV0dXJuIDA7Ci0JZWxzZSBpZiAoZXJybm8gPT0gRU5PU1BDKQot CQlyZXR1cm4gLTE7Ci0JZWxzZSB7Ci0JCXF1ZXVlX2Vycm9yKCk7Ci0JCXJldHVybiAwOwotCX0K LX0KLQotaW50IHBlZWtfcXVldWUoY2hhciAqYnVmLCBzaXplX3Qgc2l6ZSkKLXsKLQlpbnQgcjsK LQotCXIgPSBxX3BlZWsocSwgYnVmLCBzaXplKTsKLQlpZiAociA9PSAwKQotCQlyZXR1cm4gMDsK LQlpZiAociAhPSAxKQotCQlnb3RvIGVycjsKLQlyZXR1cm4gMTsKLQotZXJyOgotCXF1ZXVlX2Vy cm9yKCk7Ci0JcmV0dXJuIDA7Ci19Ci0KLXZvaWQgZGVxdWV1ZSh2b2lkKQotewotCWlmIChxX2Ry b3BfaGVhZChxKSAhPSAwKQotCQlxdWV1ZV9lcnJvcigpOwotfQotCi1pbnQgcXVldWVfbGVuZ3Ro KHZvaWQpCi17Ci0JcmV0dXJuIHFfcXVldWVfbGVuZ3RoKHEpOwotfQotCi12b2lkIGRlc3Ryb3lf cXVldWUodm9pZCkKLXsKLQlxX2Nsb3NlKHEpOwotfQotCkluZGV4OiBhdWRpdC9hdWRpc3AvcGx1 Z2lucy9yZW1vdGUvcXVldWUuaAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBhdWRpdC5vcmlnL2F1ZGlzcC9wbHVn aW5zL3JlbW90ZS9xdWV1ZS5oCisrKyBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvcXVldWUu aApAQCAtMjUsMTcgKzI1LDYgQEAKICNkZWZpbmUgUVVFVUVfSEVBREVSCiAKICNpbmNsdWRlIDxz eXMvdHlwZXMuaD4KLSNpbmNsdWRlICJsaWJhdWRpdC5oIgotI2luY2x1ZGUgInJlbW90ZS1jb25m aWcuaCIKLQotaW50IGluaXRfcXVldWUocmVtb3RlX2NvbmZfdCAqY29uZmlnKTsKLWludCBlbnF1 ZXVlKGNvbnN0IGNoYXIgKmRhdGEpOwotaW50IHBlZWtfcXVldWUoY2hhciAqYnVmLCBzaXplX3Qp Owotdm9pZCBkZXF1ZXVlKHZvaWQpOwotaW50IHF1ZXVlX2xlbmd0aCh2b2lkKTsKLXZvaWQgZGVz dHJveV9xdWV1ZSh2b2lkKTsKLQotDCAvKiBUaGUgbmV3IGludGVyZmFjZSAqLwogCiBzdHJ1Y3Qg cXVldWU7CiAKSW5kZXg6IGF1ZGl0L2F1ZGlzcC9wbHVnaW5zL3JlbW90ZS90ZXN0LXF1ZXVlLmMK PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PQotLS0gYXVkaXQub3JpZy9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvdGVzdC1xdWV1 ZS5jCisrKyBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvdGVzdC1xdWV1ZS5jCkBAIC03Miwx MiArNzIsNiBAQCBlcnJfXyhpbnQgbGluZSwgY29uc3QgY2hhciAqbWVzc2FnZSwgLi4uCiAJYWJv cnQoKTsKIH0KIAotLyogVGhpcyB3aWxsIGdvIGF3YXkgaW4gYSBmZXcgcGF0Y2hlcy4gKi8KLXZv aWQgcXVldWVfZXJyb3Iodm9pZCkKLXsKLQllcnIoIlF1ZXVlIGVycm9yIik7Ci19Ci0KIHN0YXRp YyB2b2lkCiBpbml0X3NhbXBsZV9lbnRyaWVzKHZvaWQpCiB7Cg== ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=13-flush-queue-on-startup Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=13-flush-queue-on-startup Flush record queue on startup When starting audisp-remote, send the contents of the queue to the remote server. Note that this may significantly delay the time between startup of the plugin and the time the plugin starts actually processing input if the remote server responds slowly. Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c 
@@ -367,6 +367,30 @@ static struct queue *init_queue(void) return q_open(q_flags, path, config.queue_depth, QUEUE_ENTRY_SIZE); } +/* Send as many items from QUEUE to the remote system as possible */ +static void flush_queue(struct queue *queue) +{ + while (!suspend && transport_ok) { + char event[MAX_AUDIT_MESSAGE_LENGTH]; + int rc; + + rc = q_peek(queue, event, sizeof(event)); + if (rc == 0) + break; + if (rc != 1) { + queue_error(); + break; + } + if (relay_event(event, strnlen(event, MAX_AUDIT_MESSAGE_LENGTH)) + < 0) + break; + if (q_drop_head(queue) != 0) { + queue_error(); + break; + } + } +} + int main(int argc, char *argv[]) { struct sigaction sa; @@ -411,7 +435,8 @@ int main(int argc, char *argv[]) capng_apply(CAPNG_SELECT_BOTH); #endif - do { + flush_queue(queue); + while (stop == 0 && !feof(in)) { fd_set rfd; struct timeval tv; char event[MAX_AUDIT_MESSAGE_LENGTH]; @@ -477,27 +502,9 @@ int main(int argc, char *argv[]) else queue_error(); } - while (!suspend && transport_ok) { - rc = q_peek(queue, event, sizeof(event)); - if (rc == 0) - break; - if (rc != 1) { - queue_error(); - break; - } - if (relay_event(event, - strnlen(event, - MAX_AUDIT_MESSAGE_LENGTH)) < 0) - break; - if (q_drop_head(queue) != 0) { - queue_error(); - break; - } - } + flush_queue(queue); } - if (feof(in)) - break; - } while (stop == 0); + } close(sock); free_config(&config); q_len = q_queue_length(queue); ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=01-dont-discard-data Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=01-dont-discard-data On SIGHUP or when stopping, don't read a record only to throw it away. Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c 
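Review bot: The loop in the new flush_queue() tests only `suspend` and `transport_ok`, so when it runs ahead of the main loop a stop request that arrives while a long backlog is draining is not acted on until the queue is empty or a relay fails. The main loop in the same patch is written as `while (stop == 0 && !feof(in))`; the flush loop could use `while (stop == 0 && !suspend && transport_ok)` so that a shutdown ends the flush and leaves the remaining records queued. How long relay_event() can block is not visible in this hunk, so the size of the delay is an assumption. A short comment on flush_queue() stating that a record is dropped from the queue only after relay_event() returns a non-negative value would document the ordering that the store-and-forward guarantee depends on.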
@@ -382,9 +382,11 @@ int main(int argc, char *argv[]) if (!FD_ISSET(ifd, &rfd)) continue; + if (hup != 0 || stop != 0) + continue; + e = (event_t *)malloc(sizeof(event_t)); - if (fgets_unlocked(e->data, MAX_AUDIT_MESSAGE_LENGTH, in) && - hup==0 && stop==0) { + if (fgets_unlocked(e->data, MAX_AUDIT_MESSAGE_LENGTH, in)) { if (!transport_ok && remote_ended && config.remote_ending_action == FA_RECONNECT) { quiet = 1; ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=02-fix-leak-on-input-error Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=02-fix-leak-on-input-error Fix memory leak if fgets_unlocked() fails Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c @@ -411,7 +411,8 @@ int main(int argc, char *argv[]) free(e); } } - } + } else + free(e); if (feof(in)) break; } while (stop == 0); ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=03-fix-config-mode-type Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=03-fix-config-mode-type Fix type of config_t::mode Index: audit/audisp/plugins/remote/remote-config.h =================================================================== --- audit.orig/audisp/plugins/remote/remote-config.h +++ audit/audisp/plugins/remote/remote-config.h 
@@ -38,7 +38,7 @@ typedef struct remote_conf unsigned int port; unsigned int local_port; transport_t transport; - mode_t mode; + rmode_t mode; unsigned int queue_depth; format_t format; unsigned int network_retry_time; ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=04-use-make-dependencies Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=04-use-make-dependencies Use make dependencies. This is not technically necessary for any of the future patches, but it makes development much more convenient. Index: audit/audisp/plugins/remote/Makefile.am =================================================================== --- audit.orig/audisp/plugins/remote/Makefile.am +++ audit/audisp/plugins/remote/Makefile.am @@ -22,7 +22,6 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = au-remote.conf audisp-remote.conf $(man_MANS) -AUTOMAKE_OPTIONS = no-dependencies INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib prog_confdir = $(sysconfdir)/audisp prog_conf = audisp-remote.conf ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=05-decouple-do_overflow_action Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=05-decouple-do_overflow_action Move do_overlow_action() to audisp-remote.c This decouples queue.c from "config", making it possible to cleanly link queue.c into a test program. We can also get rid of one copy of change_runlevel(). Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c 
@@ -298,6 +298,35 @@ static void send_heartbeat (void) relay_event (NULL, 0); } +static void do_overflow_action(void) +{ + switch (config.overflow_action) + { + case OA_IGNORE: + break; + case OA_SYSLOG: + syslog(LOG_ERR, "queue is full - dropping event"); + break; + case OA_SUSPEND: + syslog(LOG_ALERT, + "Audisp-remote is suspending event processing due to overflowing its queue."); + break; + case OA_SINGLE: + syslog(LOG_ALERT, + "Audisp-remote is now changing the system to single user mode due to overflowing its queue"); + change_runlevel(SINGLE); + break; + case OA_HALT: + syslog(LOG_ALERT, + "Audisp-remote is now halting the system due to overflowing its queue"); + change_runlevel(HALT); + break; + default: + syslog(LOG_ALERT, "Unknown overflow action requested"); + break; + } +} + int main(int argc, char *argv[]) { event_t *e; @@ -399,7 +428,8 @@ int main(int argc, char *argv[]) free(e); continue; } - enqueue(e); + if (enqueue(e) != 0) + do_overflow_action(); rc = 0; while (!suspend && rc >= 0 && transport_ok && (e = dequeue(1))) { Index: audit/audisp/plugins/remote/queue.c =================================================================== --- audit.orig/audisp/plugins/remote/queue.c +++ audit/audisp/plugins/remote/queue.c @@ -22,16 +22,10 @@ #include "config.h" #include -#include -#include #include "queue.h" -#include "remote-config.h" static volatile event_t **q; static unsigned int q_next, q_last, q_depth; -static const char *SINGLE = "1"; -static const char *HALT = "0"; -extern remote_conf_t config; int init_queue(unsigned int size) { 
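Review bot: In the moved do_overflow_action(), the OA_SUSPEND case only writes the "suspending event processing" alert; nothing in the visible branch sets the `suspend` flag that the relay loop in main() tests (`while (!suspend && rc >= 0 && transport_ok && ...`). Now that the function lives in audisp-remote.c, and assuming `suspend` is declared above it, the branch could do what it logs with `suspend = 1;` before the `break`, or the message should be reworded if dropping the event is all that is meant. The behaviour is carried over unchanged from queue.c, so this may belong in a separate patch. A one-line comment above the function saying that it is called when enqueue() reports a full queue, and which actions change system state, would help readers of the overflow path.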
@@ -50,58 +44,7 @@ int init_queue(unsigned int size) return 0; } -static void change_runlevel(const char *level) -{ - char *argv[3]; - int pid; - static const char *init_pgm = "/sbin/init"; - - pid = fork(); - if (pid < 0) { - syslog(LOG_ALERT, "Audisp-remote failed to fork switching runlevels"); - return; - } - if (pid) // Parent - return; - // Child - argv[0] = (char *)init_pgm; - argv[1] = (char *)level; - argv[2] = NULL; - execve(init_pgm, argv, NULL); - syslog(LOG_ALERT, "Audisp-remote failed to exec %s", init_pgm); - exit(1); -} - -static void do_overflow_action(void) -{ - switch (config.overflow_action) - { - case OA_IGNORE: - break; - case OA_SYSLOG: - syslog(LOG_ERR, "queue is full - dropping event"); - break; - case OA_SUSPEND: - syslog(LOG_ALERT, - "Audisp-remote is suspending event processing due to overflowing its queue."); - break; - case OA_SINGLE: - syslog(LOG_ALERT, - "Audisp-remote is now changing the system to single user mode due to overflowing its queue"); - change_runlevel(SINGLE); - break; - case OA_HALT: - syslog(LOG_ALERT, - "Audisp-remote is now halting the system due to overflowing its queue"); - change_runlevel(HALT); - break; - default: - syslog(LOG_ALERT, "Unknown overflow action requested"); - break; - } -} - -void enqueue(event_t *e) +int enqueue(event_t *e) { unsigned int n; @@ -110,10 +53,10 @@ void enqueue(event_t *e) if (q[n] == NULL) { q[n] = e; q_next = (n+1) % q_depth; + return 0; } else { - // Overflowed the queue - do_overflow_action(); free(e); + return -1; } } Index: audit/audisp/plugins/remote/queue.h =================================================================== --- audit.orig/audisp/plugins/remote/queue.h +++ audit/audisp/plugins/remote/queue.h 
@@ -32,7 +32,7 @@ typedef struct event int init_queue(unsigned int size); -void enqueue(event_t *e); +int enqueue(event_t *e); event_t *dequeue(int peek); void increase_queue_depth(unsigned int size); int queue_length(void); ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=06-drop-increase_queue_depth Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=06-drop-increase_queue_depth Drop increase_queue_depth() from the queue interface. It isn't used anyway, and the persistent queue implementation doesn't currently provide this operation. Removing this allows a clean reimplementation of the queue interface. Index: audit/audisp/plugins/remote/queue.c =================================================================== --- audit.orig/audisp/plugins/remote/queue.c +++ audit/audisp/plugins/remote/queue.c @@ -80,20 +80,6 @@ event_t *dequeue(int peek) return e; } -/* void increase_queue_depth(unsigned int size) -{ - if (size > q_depth) { - int i; - void *tmp_q; - - tmp_q = realloc(q, size * sizeof(event_t *)); - q = tmp_q; - for (i=q_depth; ilocal_port = 0; config->transport = T_TCP; config->mode = M_IMMEDIATE; + config->queue_file = NULL; config->queue_depth = 200; config->format = F_MANAGED; @@ -208,6 +214,7 @@ void clear_config(remote_conf_t *config) IA(remote_ending, FA_SUSPEND); IA(generic_error, FA_SYSLOG); IA(generic_warning, FA_SYSLOG); + IA(queue_error, FA_STOP); #undef IA config->overflow_action = OA_SYSLOG; @@ -543,6 +550,21 @@ static int mode_parser(struct nv_pair *n return 1; } +static int queue_file_parser(struct nv_pair *nv, int line, + remote_conf_t *config) +{ + if (nv->value) { + if (*nv->value != '/') { + syslog(LOG_ERR, "Absolute path needed for %s - line %d", + nv->value, line); + return 1; + } + config->queue_file = strdup(nv->value); + } else + config->queue_file = NULL; + return 0; +} + static int depth_parser(struct nv_pair *nv, int line, remote_conf_t *config) { 
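Review bot: queue_file_parser() stores the result of `strdup(nv->value)` without checking it, so on allocation failure `config->queue_file` is NULL and the parser still returns 0, which is indistinguishable from the option being absent. Following the error convention of the relative-path branch, add `if (config->queue_file == NULL) return 1;` after the assignment; freeing any previous value first (`free((void *)config->queue_file);`) would also avoid a leak when the keyword appears twice. The only validation of the path is the leading `/`; since the file will hold undelivered audit records, it is worth stating in a comment whether ownership and permissions of the file are checked elsewhere, which is not visible in this hunk.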
@@ -581,6 +603,7 @@ AP(disk_full) AP(disk_error) AP(generic_error) AP(generic_warning) +AP(queue_error) #undef AP static int overflow_action_parser(struct nv_pair *nv, int line, @@ -729,12 +752,19 @@ static int sanity_check(remote_conf_t *c // port should be less that 32k // queue_depth should be less than 100k // If fail_action is F_EXEC, fail_exec must exist + if (config->mode == M_STORE_AND_FORWARD + && config->format != F_MANAGED) { + syslog(LOG_ERR, "\"mode=forward\" is valid only with " + "\"format=managed\""); + return 1; + } return 0; } void free_config(remote_conf_t *config) { free((void *)config->remote_server); + free((void *)config->queue_file); free((void *)config->network_failure_exe); free((void *)config->disk_low_exe); free((void *)config->disk_full_exe); @@ -742,6 +772,7 @@ void free_config(remote_conf_t *config) free((void *)config->remote_ending_exe); free((void *)config->generic_error_exe); free((void *)config->generic_warning_exe); + free((void *)config->queue_error_exe); free((void *)config->krb5_principal); free((void *)config->krb5_client_name); free((void *)config->krb5_key_file); Index: audit/audisp/plugins/remote/remote-config.h =================================================================== --- audit.orig/audisp/plugins/remote/remote-config.h +++ audit/audisp/plugins/remote/remote-config.h @@ -39,6 +39,7 @@ typedef struct remote_conf unsigned int local_port; transport_t transport; rmode_t mode; + const char *queue_file; unsigned int queue_depth; format_t format; unsigned int network_retry_time; 
@@ -64,6 +65,8 @@ typedef struct remote_conf const char *generic_error_exe; failure_action_t generic_warning_action; const char *generic_warning_exe; + failure_action_t queue_error_action; + const char *queue_error_exe; overflow_action_t overflow_action; } remote_conf_t; ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=09-use-persistent-queue Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=09-use-persistent-queue VXNlIHRoZSBuZXcgcXVldWUgaW1wbGVtZW50YXRpb24gZm9yIHBlcnNpc3RlbmNlLgoKVGhpcyBv bmx5IGF0dGFjaGVzICJzdHJ1Y3QgcXVldWUiIHRvIHRoZSBleGlzdGluZyBpbnRlcmZhY2UsCndp dGggbWluaW1hbCBpbnRlcmZhY2UgY2hhbmdlcy4gIFJlZmFjdG9yaW5nIHdpbGwgZm9sbG93LgoK Tm90ZSB0aGF0IHRoaXMgZG9lcyBub3QgZXhwb3NlIHRoZSBRX1NZTkMgZmxhZyB0byB1c2Vycywg c28Kc29tZSByZWNvcmRzIG1heSBiZSBsb3N0IHVwb24gYSBzeXN0ZW0gY3Jhc2guICBJJ20gYW1i aXZhbGVudAphYm91dCB0aGlzIC0gb24gb25lIGhhbmQgaXQgaXMgZGVzaXJhYmxlIHRvIGJlIGFi bGUgdG8gcHJvdGVjdAp0aGUgZGF0YSBhZ2FpbnN0IGEgY3Jhc2gsIG9uIHRoZSBvdGhlciBoYW5k IHRoZSBhdWRpdCByZWNvcmQgbWF5IGJlCmxvc3QgYnkgYSBjcmFzaCBldmVuIGJlZm9yZSBhdWRp c3AtcmVtb3RlIGdldHMgYSBjaGFuY2UgdG8gd3JpdGUKaXQgdG8gZGlzaywgYW5kIHBlcmhhcHMg aXQncyBiZXR0ZXIgbm90IHRvIHByb21pc2UgYW55dGhpbmcgdGhhbgp0byBwcm9taXNlIGFuZCBu b3QgZGVsaXZlci4KSW5kZXg6IGF1ZGl0L2F1ZGlzcC9wbHVnaW5zL3JlbW90ZS9hdWRpc3AtcmVt b3RlLmMKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gYXVkaXQub3JpZy9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvYXVk aXNwLXJlbW90ZS5jCisrKyBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvYXVkaXNwLXJlbW90 ZS5jCkBAIC0yOTMsNiArMjkzLDE3IEBAIHN0YXRpYyBpbnQgZ2VuZXJpY19yZW1vdGVfd2Fybmlu Z19oYW5kbGUKIAkJCSAgY29uZmlnLmdlbmVyaWNfd2FybmluZ19leGUpOwogfQogCisvKiBSZXBv cnQgYW5kIGhhbmRsZSBhIHF1ZXVlIGVycm9yLCB1c2luZyBlcnJuby4gKi8KK3ZvaWQgcXVldWVf ZXJyb3Iodm9pZCkKK3sKKwljaGFyICplcnJub19zdHI7CisJdmFfbGlzdCBhcDsKKworCWVycm5v X3N0ciA9IHN0cmVycm9yKGVycm5vKTsKKwlkb19hY3Rpb24oInF1ZXVlIGVycm9yIiwgZXJybm9f 
c3RyLCBMT0dfRVJSLCBjb25maWcucXVldWVfZXJyb3JfYWN0aW9uLAorCQkgIGNvbmZpZy5xdWV1 ZV9lcnJvcl9leGUpOworfQorCiBzdGF0aWMgdm9pZCBzZW5kX2hlYXJ0YmVhdCAodm9pZCkKIHsK IAlyZWxheV9ldmVudCAoTlVMTCwgMCk7CkBAIC0zNTgsNyArMzY5LDEwIEBAIGludCBtYWluKGlu dCBhcmdjLCBjaGFyICphcmd2W10pCiAJcmMgPSBpbml0X3RyYW5zcG9ydCgpOwogCWlmIChyYyA9 PSBFVF9QRVJNQU5FTlQpCiAJCXJldHVybiAxOwotCWluaXRfcXVldWUoY29uZmlnLnF1ZXVlX2Rl cHRoKTsKKwlpZiAoaW5pdF9xdWV1ZSgmY29uZmlnKSAhPSAwKSB7CisJCXN5c2xvZyhMT0dfRVJS LCAiRXJyb3IgaW5pdGlhbGl6aW5nIGF1ZGl0IHJlY29yZCBxdWV1ZSIpOworCQlyZXR1cm4gMTsK Kwl9CiAKICNpZmRlZiBIQVZFX0xJQkNBUF9ORwogCS8vIERyb3AgYWxsIGNhcGFiaWxpdGllcwpA QCAtNDM3LDcgKzQ1MSw4IEBAIGludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pCiAJCQkJ CXN0cm5sZW4oZS0+ZGF0YSwKIAkJCQkJTUFYX0FVRElUX01FU1NBR0VfTEVOR1RIKSk7CiAJCQkJ aWYgKHJjID49IDApIHsKLQkJCQkJZGVxdWV1ZSgwKTsgLy8gZGVsZXRlIGl0CisJCQkJCWZyZWUo ZSk7CisJCQkJCWUgPSBkZXF1ZXVlKDApOyAvLyBkZWxldGUgaXQKIAkJCQkJZnJlZShlKTsKIAkJ CQl9CiAJCQl9CkluZGV4OiBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvcXVldWUuYwo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBhdWRpdC5vcmlnL2F1ZGlzcC9wbHVnaW5zL3JlbW90ZS9xdWV1ZS5jCisrKyBh dWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvcXVldWUuYwpAQCAtMTYzLDcgKzE2Myw3IEBAIHN0 YXRpYyBpbnQgc3luY19maF9zdGF0ZSAoc3RydWN0IHF1ZXVlICoKIAlyZXR1cm4gcV9zeW5jKHEp OwogfQogCi0MIC8qIEltcGxlbWVudGF0aW9uICovCisMIC8qIFF1ZXVlIGltcGxlbWVudGF0aW9u ICovCiAKIC8qIE9wZW4gUEFUSCBmb3IgUSwgdXBkYXRlIFEgZnJvbSBpdCwgYW5kIHJldHVybiAw LgogICAgT24gZXJyb3IsIHJldHVybiAtMSBhbmQgc2V0IGVycm5vOyBRLT5mZCBtYXkgYmUgc2V0 IGV2ZW4gb24gZXJyb3IuICovCkBAIC01NzAsODEgKzU3MCw4NCBAQCBlcnJfZXJybm9fcToKIAly ZXR1cm4gTlVMTDsKIH0KIAotDCAvKiBUaGUgb2xkIGludGVyZmFjZSAqLworDCAvKiBhdWRpc3At cmVtb3RlIGludGVyZmFjZSAqLwogCi1zdGF0aWMgdm9sYXRpbGUgZXZlbnRfdCAqKnE7Ci1zdGF0 aWMgdW5zaWduZWQgaW50IHFfbmV4dCwgcV9sYXN0LCBxX2RlcHRoOworLyogTUFYX0FVRElUX01F U1NBR0VfTEVOR1RILCBhbGlnbmVkIHRvIDQgS0Igc28gdGhhdCBhbiBhdmVyYWdlIHFfYXBwZW5k 
KCkgb25seQorICAgd3JpdGVzIHRvIHR3byBkaXNrIGRpc2sgYmxvY2tzICgxIGFsaWduZWQgZGF0 YSBibG9jaywgMSBoZWFkZXIgYmxvY2spLiAqLworI2RlZmluZSBRVUVVRV9FTlRSWV9TSVpFICgz KjQwOTYpCiAKLWludCBpbml0X3F1ZXVlKHVuc2lnbmVkIGludCBzaXplKQorZXh0ZXJuIHZvaWQg cXVldWVfZXJyb3Iodm9pZCk7IC8qIFRoaXMgd2lsbCBnbyBhd2F5IGluIGEgZmV3IG1vcmUgcGF0 Y2hlcy4gKi8KKworc3RhdGljIHN0cnVjdCBxdWV1ZSAqcTsKKworaW50IGluaXRfcXVldWUocmVt b3RlX2NvbmZfdCAqY29uZmlnKQogewotCXVuc2lnbmVkIGludCBpOworCWNvbnN0IGNoYXIgKnBh dGg7CisJaW50IHFfZmxhZ3M7CiAKLQlxX25leHQgPSAwOwotCXFfbGFzdCA9IDA7Ci0JcV9kZXB0 aCA9IHNpemU7Ci0JcSA9IG1hbGxvYyhxX2RlcHRoICogc2l6ZW9mKGV2ZW50X3QgKikpOworCWlm IChjb25maWctPnF1ZXVlX2ZpbGUgIT0gTlVMTCkKKwkJcGF0aCA9IGNvbmZpZy0+cXVldWVfZmls ZTsKKwllbHNlCisJCXBhdGggPSAiL3Zhci9saWIvYXVkaXRkLXJlbW90ZS9xdWV1ZSI7CisJcV9m bGFncyA9IFFfSU5fTUVNT1JZOworCWlmIChjb25maWctPm1vZGUgPT0gTV9TVE9SRV9BTkRfRk9S V0FSRCkKKwkJLyogRklYTUU6IGxldCB1c2VyIGNvbnRyb2wgUV9TWU5DPyAqLworCQlxX2ZsYWdz IHw9IFFfSU5fRklMRSB8IFFfQ1JFQVQgfCBRX1JFU0laRTsKKwl2ZXJpZnkoUVVFVUVfRU5UUllf U0laRSA+PSBNQVhfQVVESVRfTUVTU0FHRV9MRU5HVEgpOworCXEgPSBxX29wZW4ocV9mbGFncywg cGF0aCwgY29uZmlnLT5xdWV1ZV9kZXB0aCwgUVVFVUVfRU5UUllfU0laRSk7CiAJaWYgKHEgPT0g TlVMTCkKIAkJcmV0dXJuIC0xOwotCi0JZm9yIChpPTA7IGk8cV9kZXB0aDsgaSsrKSAKLQkJcVtp XSA9IE5VTEw7Ci0KIAlyZXR1cm4gMDsKIH0KIAogaW50IGVucXVldWUoZXZlbnRfdCAqZSkKIHsK LQl1bnNpZ25lZCBpbnQgbjsKKwlpbnQgcmV0OwogCi0JLy8gT0ssIGFkZCBldmVudAotCW4gPSBx X25leHQlcV9kZXB0aDsKLQlpZiAocVtuXSA9PSBOVUxMKSB7Ci0JCXFbbl0gPSBlOwotCQlxX25l eHQgPSAobisxKSAlIHFfZGVwdGg7Ci0JCXJldHVybiAwOwotCX0gZWxzZSB7Ci0JCWZyZWUoZSk7 Ci0JCXJldHVybiAtMTsKKwlpZiAocV9hcHBlbmQocSwgZS0+ZGF0YSkgPT0gMCkKKwkJcmV0ID0g MDsKKwllbHNlIGlmIChlcnJubyA9PSBFTk9TUEMpCisJCXJldCA9IC0xOworCWVsc2UgeworCQlx dWV1ZV9lcnJvcigpOworCQlyZXQgPSAwOwogCX0KKwlmcmVlKGUpOworCXJldHVybiByZXQ7CiB9 CiAKIGV2ZW50X3QgKmRlcXVldWUoaW50IHBlZWspCiB7CiAJZXZlbnRfdCAqZTsKLQl1bnNpZ25l ZCBpbnQgbjsKLQotCS8vIE9LLCBncmFiIHRoZSBuZXh0IGV2ZW50Ci0JbiA9IHFfbGFzdCVxX2Rl 
cHRoOwotCWlmIChxW25dICE9IE5VTEwpIHsKLQkJZSA9IChldmVudF90ICopcVtuXTsKLQkJaWYg KHBlZWsgPT0gMCkgewotCQkJcVtuXSA9IE5VTEw7Ci0JCQlxX2xhc3QgPSAobisxKSAlIHFfZGVw dGg7Ci0JCX0KLQl9IGVsc2UKLQkJZSA9IE5VTEw7CisJaW50IHI7CiAKLQkvLyBQcm9jZXNzIHRo ZSBldmVudAorCWUgPSBtYWxsb2Moc2l6ZW9mKCplKSk7CisJaWYgKGUgPT0gTlVMTCkKKwkJZ290 byBlcnI7CisJciA9IHFfcGVlayhxLCBlLT5kYXRhLCBzaXplb2YoZS0+ZGF0YSkpOworCWlmIChy ID09IDApIHsKKwkJZnJlZShlKTsKKwkJcmV0dXJuIE5VTEw7CisJfQorCWlmIChyICE9IDEpCisJ CWdvdG8gZXJyOworCWlmICghcGVlayAmJiBxX2Ryb3BfaGVhZChxKSAhPSAwKQorCQlnb3RvIGVy cjsKIAlyZXR1cm4gZTsKKworZXJyOgorCXF1ZXVlX2Vycm9yKCk7CisJZnJlZShlKTsKKwlyZXR1 cm4gTlVMTDsKIH0KIAogaW50IHF1ZXVlX2xlbmd0aCh2b2lkKQogewotCWlmIChxX25leHQgPT0g cV9sYXN0KQotCQlyZXR1cm4gMDsKLQlpZiAocV9sYXN0ID4gcV9uZXh0KQotCQlyZXR1cm4gKHFf ZGVwdGggKyBxX25leHQpIC0gcV9sYXN0OwotCWVsc2UKLQkJcmV0dXJuIHFfbmV4dCAtIHFfbGFz dDsKKwlyZXR1cm4gcV9xdWV1ZV9sZW5ndGgocSk7CiB9CiAKIHZvaWQgZGVzdHJveV9xdWV1ZSh2 b2lkKQogewotCXVuc2lnbmVkIGludCBpOwotCi0JZm9yIChpPTA7IGk8cV9kZXB0aDsgaSsrKQot CQlmcmVlKCh2b2lkICopcVtpXSk7Ci0KLQlmcmVlKHEpOworCXFfY2xvc2UocSk7CiB9CiAKSW5k ZXg6IGF1ZGl0L2F1ZGlzcC9wbHVnaW5zL3JlbW90ZS9xdWV1ZS5oCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGF1 ZGl0Lm9yaWcvYXVkaXNwL3BsdWdpbnMvcmVtb3RlL3F1ZXVlLmgKKysrIGF1ZGl0L2F1ZGlzcC9w bHVnaW5zL3JlbW90ZS9xdWV1ZS5oCkBAIC0yNiw2ICsyNiw3IEBACiAKICNpbmNsdWRlIDxzeXMv dHlwZXMuaD4KICNpbmNsdWRlICJsaWJhdWRpdC5oIgorI2luY2x1ZGUgInJlbW90ZS1jb25maWcu aCIKIAogdHlwZWRlZiBzdHJ1Y3QgZXZlbnQKIHsKQEAgLTMzLDcgKzM0LDcgQEAgdHlwZWRlZiBz dHJ1Y3QgZXZlbnQKIH0gZXZlbnRfdDsKIAogCi1pbnQgaW5pdF9xdWV1ZSh1bnNpZ25lZCBpbnQg c2l6ZSk7CitpbnQgaW5pdF9xdWV1ZShyZW1vdGVfY29uZl90ICpjb25maWcpOwogaW50IGVucXVl dWUoZXZlbnRfdCAqZSk7CiBldmVudF90ICpkZXF1ZXVlKGludCBwZWVrKTsKIGludCBxdWV1ZV9s ZW5ndGgodm9pZCk7CkluZGV4OiBhdWRpdC9hdWRpc3AvcGx1Z2lucy9yZW1vdGUvdGVzdC1xdWV1 ZS5jCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 
PT09PT09PT09PT09PT0KLS0tIGF1ZGl0Lm9yaWcvYXVkaXNwL3BsdWdpbnMvcmVtb3RlL3Rlc3Qt cXVldWUuYworKysgYXVkaXQvYXVkaXNwL3BsdWdpbnMvcmVtb3RlL3Rlc3QtcXVldWUuYwpAQCAt NzIsNiArNzIsMTIgQEAgZXJyX18oaW50IGxpbmUsIGNvbnN0IGNoYXIgKm1lc3NhZ2UsIC4uLgog CWFib3J0KCk7CiB9CiAKKy8qIFRoaXMgd2lsbCBnbyBhd2F5IGluIGEgZmV3IHBhdGNoZXMuICov Cit2b2lkIHF1ZXVlX2Vycm9yKHZvaWQpCit7CisJZXJyKCJRdWV1ZSBlcnJvciIpOworfQorCiBz dGF0aWMgdm9pZAogaW5pdF9zYW1wbGVfZW50cmllcyh2b2lkKQogewo= ------=_Part_428057_448391106.1300532998455 Content-Type: application/octet-stream; name=10-split-dequeue Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=10-split-dequeue Split dequeue(int) into peek_queue(void) and dequeue(void) dequeue() does two completely separate things, and main() does not use the event returned by dequeue(0). Split them, which cleans up both the caller and the callee. Index: audit/audisp/plugins/remote/audisp-remote.c =================================================================== --- audit.orig/audisp/plugins/remote/audisp-remote.c +++ audit/audisp/plugins/remote/audisp-remote.c @@ -446,14 +446,13 @@ int main(int argc, char *argv[]) do_overflow_action(); rc = 0; while (!suspend && rc >= 0 && transport_ok && - (e = dequeue(1))) { + (e = peek_queue()) != NULL) { rc = relay_event(e->data, strnlen(e->data, MAX_AUDIT_MESSAGE_LENGTH)); if (rc >= 0) { free(e); - e = dequeue(0); // delete it - free(e); + dequeue(); // delete it } } } else Index: audit/audisp/plugins/remote/queue.c =================================================================== --- audit.orig/audisp/plugins/remote/queue.c +++ audit/audisp/plugins/remote/queue.c @@ -616,7 +616,7 @@ int enqueue(event_t *e) return ret; } -event_t *dequeue(int peek) +event_t *peek_queue(void) { event_t *e; int r; @@ -631,8 +631,6 @@ event_t *dequeue(int peek) } if (r != 1) goto err; - if (!peek && q_drop_head(q) != 0) - goto err; return e; err: 
@@ -641,6 +639,12 @@ err: return NULL; } +void dequeue(void) +{ + if (q_drop_head(q) != 0) + queue_error(); +} + int queue_length(void) { return q_queue_length(q); Index: audit/audisp/plugins/remote/queue.h =================================================================== --- audit.orig/audisp/plugins/remote/queue.h +++ audit/audisp/plugins/remote/queue.h @@ -36,7 +36,8 @@ typedef struct event int init_queue(remote_conf_t *config); int enqueue(event_t *e); -event_t *dequeue(int peek); +event_t *peek_queue(void); +void dequeue(void); int queue_length(void); void destroy_queue(void); ------=_Part_428057_448391106.1300532998455 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------=_Part_428057_448391106.1300532998455--