| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Dec 2015 09:56:17 -0500 From: Steve Grubb <sgrubb@...hat.com> To: Paul Moore <pmoore@...hat.com> Cc: Richard Guy Briggs <rgb@...hat.com>, linux-audit@...hat.com, linux-kernel@...r.kernel.org, eparis@...hat.com, v.rathor@...il.com, ctcard@...mail.com Subject: Re: [PATCH V3 1/2] audit: stop an old auditd being starved out by a new auditd On Tuesday, December 22, 2015 09:24:56 AM Paul Moore wrote: > On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote: > > Nothing prevents a new auditd starting up and replacing a valid > > audit_pid when an old auditd is still running, effectively starving out > > the old auditd since audit_pid no longer points to the old valid auditd. > > > > If no message to auditd has been attempted since auditd died unnaturally > > or got killed, audit_pid will still indicate it is alive. There isn't > > an easy way to detect if an old auditd is still running on the existing > > audit_pid other than attempting to send a message to see if it fails. > > An -ECONNREFUSED almost certainly means it disappeared and can be > > replaced. Other errors are not so straightforward and may indicate > > transient problems that will resolve themselves and the old auditd will > > recover. Yet others will likely need manual intervention for which a > > new auditd will not solve the problem. > > > > Send a new message type (AUDIT_REPLACE) to the old auditd containing a > > u32 with the PID of the new auditd. If the audit replace message > > succeeds (or doesn't fail with certainty), fail to register the new > > auditd and return an error (-EEXIST). > > > > This is expected to make the patch preventing an old auditd orphaning a > > new auditd redundant. > > > > V3: Switch audit message type from 1000 to 1300 block. > > > > Signed-off-by: Richard Guy Briggs <rgb@...hat.com> > > --- > > > > include/uapi/linux/audit.h | 1 + > > kernel/audit.c | 16 +++++++++++++++- > > 2 files changed, 16 insertions(+), 1 deletions(-) > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > index 843540c..d820aa9 100644 > > --- a/include/uapi/linux/audit.h > > +++ b/include/uapi/linux/audit.h > > @@ -110,6 +110,7 @@ > > > > #define AUDIT_SECCOMP 1326 /* Secure Computing event */ > > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ > > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes > > */ > > > +#define AUDIT_REPLACE 1329 /* Replace auditd if this packet... > > Steve, are you okay with this record number? Yes. Just wondering what to do with the event. -Steve -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists