lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 19 Mar 2008 12:11:11 +0300
From:	Pavel Emelyanov <xemul@...nvz.org>
To:	Eric Paris <eparis@...isplace.org>
CC:	linux-audit@...hat.com, Thomas Graf <tgraf@...g.ch>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	aviro@...hat.com, sgrubb@...hat.com, akpm@...l.org
Subject: Re: [PATCH] Audit: netlink socket can be auto-bound to pid other
 than current->pid

Eric Paris wrote:
> On 3/18/08, Pavel Emelyanov <xemul@...nvz.org> wrote:
> 
> Can we please just leave audit_pid as the one flag to tell us if
> auditd is supposedly up there in userspace?  Use audit_nlk_pid to send
> messages to the right place, but leave everything else to do with
> audit_pid alone.

OK, point taken ;) Is that patch looks OK? If yes, I'll comment
it properly and re-send to Andrew.

The audit_nlk_pid reset to 0 is not required, since all the
decisions are taken based on audit_pid value only.

Signed-off-by: Pavel Emelyanov <xemul@...nvz.org>

diff --git a/kernel/audit.c b/kernel/audit.c
index ccc7d0e..12a0278 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -77,9 +77,13 @@ static int	audit_default;
 /* If auditing cannot proceed, audit_failure selects what happens. */
 static int	audit_failure = AUDIT_FAIL_PRINTK;
 
-/* If audit records are to be written to the netlink socket, audit_pid
- * contains the (non-zero) pid. */
+/*
+ * If audit records are to be written to the netlink socket, audit_pid
+ * contains the pid of the auditd process and audit_nlk_pid contains
+ * the pid to use to send netlink messages to that process.
+ */
 int		audit_pid;
+static int	audit_nlk_pid;
 
 /* If audit_rate_limit is non-zero, limit the rate of sending audit records
  * to that number per second.  This prevents DoS attacks, but results in
@@ -349,7 +353,7 @@ static int kauditd_thread(void *dummy)
 		wake_up(&audit_backlog_wait);
 		if (skb) {
 			if (audit_pid) {
-				int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
+				int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
 				if (err < 0) {
 					BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
 					printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
@@ -626,6 +630,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 							sid, 1);
 
 			audit_pid = new_pid;
+			audit_nlk_pid = NETLINK_CB(skb).pid;
 		}
 		if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
 			err = audit_set_rate_limit(status_get->rate_limit,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ