[PATCH] fixup! audit: try harder to send to auditd upon netlink failure

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
@ 2015-09-18  7:52 Richard Guy Briggs
  2015-09-18  9:13 ` Steve Grubb
  2015-09-18 20:33 ` Paul Moore
  0 siblings, 2 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2015-09-18  7:52 UTC (permalink / raw)
  To: linux-audit, linux-kernel
  Cc: Richard Guy Briggs, sgrubb, pmoore, eparis, v.rathor, ctcard

A bug was introduced by "audit: try harder to send to auditd upon
netlink failure", caused by incomplete code and a function that expects
a string and does not accept a format plus arguments.  Create a
temporary string variable to assemble the output text.  It could be
merged as a fixup if it is not yet upstream.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10 @@ restart:
 		if (audit_pid) {
 			if (err == -ECONNREFUSED || err == -EPERM
 			    || ++attempts >= AUDITD_RETRIES) {
-				audit_log_lost("audit_pid=%d reset");
+				char s[32];
+
+				sprintf(s, "audit_pid=%d reset", audit_pid);
+				audit_log_lost(s);
 				audit_pid = 0;
 				audit_sock = NULL;
 			} else {
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
  2015-09-18  7:52 [PATCH] fixup! audit: try harder to send to auditd upon netlink failure Richard Guy Briggs
@ 2015-09-18  9:13 ` Steve Grubb
  2015-09-18 10:02   ` Richard Guy Briggs
  2015-09-18 20:33 ` Paul Moore
  1 sibling, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2015-09-18  9:13 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: linux-audit, linux-kernel, pmoore, eparis, v.rathor, ctcard

On Fri, 18 Sep 2015 03:52:43 -0400
Richard Guy Briggs <rgb@redhat.com> wrote:

> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that
> expects a string and does not accept a format plus arguments.  Create
> a temporary string variable to assemble the output text.  It could be
> merged as a fixup if it is not yet upstream.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..60913e6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
>  		if (audit_pid) {
>  			if (err == -ECONNREFUSED || err == -EPERM
>  			    || ++attempts >= AUDITD_RETRIES) {
> -				audit_log_lost("audit_pid=%d reset");
> +				char s[32];
> +
> +				sprintf(s, "audit_pid=%d reset",
> audit_pid);

We normally use name=value for everything important. Reset by itself
will get dropped by auparse. action=reset (or something similar) would
be better.

-Steve

> +				audit_log_lost(s);
>  				audit_pid = 0;
>  				audit_sock = NULL;
>  			} else {

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
  2015-09-18  9:13 ` Steve Grubb
@ 2015-09-18 10:02   ` Richard Guy Briggs
  0 siblings, 0 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2015-09-18 10:02 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit, linux-kernel, pmoore, eparis, v.rathor, ctcard

On 15/09/18, Steve Grubb wrote:
> On Fri, 18 Sep 2015 03:52:43 -0400
> Richard Guy Briggs <rgb@redhat.com> wrote:
> 
> > A bug was introduced by "audit: try harder to send to auditd upon
> > netlink failure", caused by incomplete code and a function that
> > expects a string and does not accept a format plus arguments.  Create
> > a temporary string variable to assemble the output text.  It could be
> > merged as a fixup if it is not yet upstream.
> > 
> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.c |    5 ++++-
> >  1 files changed, 4 insertions(+), 1 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 18cdfe2..60913e6 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -420,7 +420,10 @@ restart:
> >  		if (audit_pid) {
> >  			if (err == -ECONNREFUSED || err == -EPERM
> >  			    || ++attempts >= AUDITD_RETRIES) {
> > -				audit_log_lost("audit_pid=%d reset");
> > +				char s[32];
> > +
> > +				sprintf(s, "audit_pid=%d reset",
> > audit_pid);
> 
> We normally use name=value for everything important. Reset by itself
> will get dropped by auparse. action=reset (or something similar) would
> be better.

This is sent to the system log when we can't queue it to audit, so audit
never sees this message.  None of the other audit_log_lost messages are
formatted in the audit style.

> -Steve
> 
> > +				audit_log_lost(s);
> >  				audit_pid = 0;
> >  				audit_sock = NULL;
> >  			} else {
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
  2015-09-18  7:52 [PATCH] fixup! audit: try harder to send to auditd upon netlink failure Richard Guy Briggs
  2015-09-18  9:13 ` Steve Grubb
@ 2015-09-18 20:33 ` Paul Moore
  2015-09-19 21:52   ` Richard Guy Briggs
  1 sibling, 1 reply; 7+ messages in thread
From: Paul Moore @ 2015-09-18 20:33 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard

On Friday, September 18, 2015 03:52:43 AM Richard Guy Briggs wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that expects
> a string and does not accept a format plus arguments.  Create a
> temporary string variable to assemble the output text.  It could be
> merged as a fixup if it is not yet upstream.

Ungh, that's embarrassing; I really should have caught that in review.  Sigh.  
At least it shouldn't cause anything to blow up, just a less than helpful 
message.

I pulled the original patch from linux-audit#next just now, I'll re-add it 
once we sort this out.

Comments below ...

> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..60913e6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
>  		if (audit_pid) {
>  			if (err == -ECONNREFUSED || err == -EPERM
> 
>  			    || ++attempts >= AUDITD_RETRIES) {
> 
> -				audit_log_lost("audit_pid=%d reset");
> +				char s[32];
> +
> +				sprintf(s, "audit_pid=%d reset", audit_pid);
> +				audit_log_lost(s);

Granted 32 bytes should be big enough for the string, but I would feel better 
if we used snprintf() here; make the change and I'll merge the patch with the 
original and push it back to linux-audit#next.

Normally I'm not a big fan of amending patches after they have been committed, 
but in this case it is in the next branch (doing this for upstream or stable-X 
is a big "no") and nothing sits on top of it.

>  				audit_pid = 0;
>  				audit_sock = NULL;
>  			} else {

-- 
paul moore
security @ redhat

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
  2015-09-18 20:33 ` Paul Moore
@ 2015-09-19 21:52   ` Richard Guy Briggs
  0 siblings, 0 replies; 7+ messages in thread
From: Richard Guy Briggs @ 2015-09-19 21:52 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard

On 15/09/18, Paul Moore wrote:
> On Friday, September 18, 2015 03:52:43 AM Richard Guy Briggs wrote:
> > A bug was introduced by "audit: try harder to send to auditd upon
> > netlink failure", caused by incomplete code and a function that expects
> > a string and does not accept a format plus arguments.  Create a
> > temporary string variable to assemble the output text.  It could be
> > merged as a fixup if it is not yet upstream.
> 
> Ungh, that's embarrassing; I really should have caught that in review.  Sigh.  
> At least it shouldn't cause anything to blow up, just a less than helpful 
> message.

Yup, just useless noise.

> I pulled the original patch from linux-audit#next just now, I'll re-add it 
> once we sort this out.

Ok...

> Comments below ...

Likewise...

> > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> > ---
> >  kernel/audit.c |    5 ++++-
> >  1 files changed, 4 insertions(+), 1 deletions(-)
> > 
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index 18cdfe2..60913e6 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -420,7 +420,10 @@ restart:
> >  		if (audit_pid) {
> >  			if (err == -ECONNREFUSED || err == -EPERM
> > 
> >  			    || ++attempts >= AUDITD_RETRIES) {
> > 
> > -				audit_log_lost("audit_pid=%d reset");
> > +				char s[32];
> > +
> > +				sprintf(s, "audit_pid=%d reset", audit_pid);
> > +				audit_log_lost(s);
> 
> Granted 32 bytes should be big enough for the string, but I would feel better 
> if we used snprintf() here; make the change and I'll merge the patch with the 
> original and push it back to linux-audit#next.

Done...

> Normally I'm not a big fan of amending patches after they have been committed, 
> but in this case it is in the next branch (doing this for upstream or stable-X 
> is a big "no") and nothing sits on top of it.

That's the only reason I suggested it...

> >  				audit_pid = 0;
> >  				audit_sock = NULL;
> >  			} else {
> 
> paul moore

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
@ 2015-09-19 21:52 Richard Guy Briggs
  2015-09-22 22:32 ` Paul Moore
  0 siblings, 1 reply; 7+ messages in thread
From: Richard Guy Briggs @ 2015-09-19 21:52 UTC (permalink / raw)
  To: linux-audit, linux-kernel
  Cc: Richard Guy Briggs, sgrubb, pmoore, eparis, v.rathor, ctcard

A bug was introduced by "audit: try harder to send to auditd upon
netlink failure", caused by incomplete code and a function that expects
a string and does not accept a format plus arguments.  Create a
temporary string variable to assemble the output text.  It could be
merged as a fixup if it is not yet upstream.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/audit.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..9d32218 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10 @@ restart:
 		if (audit_pid) {
 			if (err == -ECONNREFUSED || err == -EPERM
 			    || ++attempts >= AUDITD_RETRIES) {
-				audit_log_lost("audit_pid=%d reset");
+				char s[32];
+
+				snprintf(s, sizeof(s), "audit_pid=%d reset", audit_pid);
+				audit_log_lost(s);
 				audit_pid = 0;
 				audit_sock = NULL;
 			} else {
-- 
1.7.1

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] fixup! audit: try harder to send to auditd upon netlink failure
  2015-09-19 21:52 Richard Guy Briggs
@ 2015-09-22 22:32 ` Paul Moore
  0 siblings, 0 replies; 7+ messages in thread
From: Paul Moore @ 2015-09-22 22:32 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: linux-audit, linux-kernel, sgrubb, eparis, v.rathor, ctcard

On Saturday, September 19, 2015 05:52:50 PM Richard Guy Briggs wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that expects
> a string and does not accept a format plus arguments.  Create a
> temporary string variable to assemble the output text.  It could be
> merged as a fixup if it is not yet upstream.
> 
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  kernel/audit.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)

Applied and both patches squashed into one.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..9d32218 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
>  		if (audit_pid) {
>  			if (err == -ECONNREFUSED || err == -EPERM
> 
>  			    || ++attempts >= AUDITD_RETRIES) {
> 
> -				audit_log_lost("audit_pid=%d reset");
> +				char s[32];
> +
> +				snprintf(s, sizeof(s), "audit_pid=%d reset", audit_pid);
> +				audit_log_lost(s);
>  				audit_pid = 0;
>  				audit_sock = NULL;
>  			} else {

-- 
paul moore
security @ redhat


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2015-09-22 22:32 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-18  7:52 [PATCH] fixup! audit: try harder to send to auditd upon netlink failure Richard Guy Briggs
2015-09-18  9:13 ` Steve Grubb
2015-09-18 10:02   ` Richard Guy Briggs
2015-09-18 20:33 ` Paul Moore
2015-09-19 21:52   ` Richard Guy Briggs
  -- strict thread matches above, loose matches on Subject: below --
2015-09-19 21:52 Richard Guy Briggs
2015-09-22 22:32 ` Paul Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox