| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Dec 2015 10:46:08 -0500 From: Richard Guy Briggs <rgb@...hat.com> To: Steve Grubb <sgrubb@...hat.com> Cc: Paul Moore <pmoore@...hat.com>, linux-audit@...hat.com, linux-kernel@...r.kernel.org, eparis@...hat.com, v.rathor@...il.com, ctcard@...mail.com Subject: Re: [PATCH V3 1/2] audit: stop an old auditd being starved out by a new auditd On 15/12/22, Steve Grubb wrote: > On Tuesday, December 22, 2015 09:24:56 AM Paul Moore wrote: > > On Tuesday, December 22, 2015 04:03:06 AM Richard Guy Briggs wrote: > > > Nothing prevents a new auditd starting up and replacing a valid > > > audit_pid when an old auditd is still running, effectively starving out > > > the old auditd since audit_pid no longer points to the old valid auditd. > > > > > > If no message to auditd has been attempted since auditd died unnaturally > > > or got killed, audit_pid will still indicate it is alive. There isn't > > > an easy way to detect if an old auditd is still running on the existing > > > audit_pid other than attempting to send a message to see if it fails. > > > An -ECONNREFUSED almost certainly means it disappeared and can be > > > replaced. Other errors are not so straightforward and may indicate > > > transient problems that will resolve themselves and the old auditd will > > > recover. Yet others will likely need manual intervention for which a > > > new auditd will not solve the problem. > > > > > > Send a new message type (AUDIT_REPLACE) to the old auditd containing a > > > u32 with the PID of the new auditd. If the audit replace message > > > succeeds (or doesn't fail with certainty), fail to register the new > > > auditd and return an error (-EEXIST). > > > > > > This is expected to make the patch preventing an old auditd orphaning a > > > new auditd redundant. > > > > > > V3: Switch audit message type from 1000 to 1300 block. > > > > > > Signed-off-by: Richard Guy Briggs <rgb@...hat.com> > > > --- > > > > > > include/uapi/linux/audit.h | 1 + > > > kernel/audit.c | 16 +++++++++++++++- > > > 2 files changed, 16 insertions(+), 1 deletions(-) > > > > > > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > > > index 843540c..d820aa9 100644 > > > --- a/include/uapi/linux/audit.h > > > +++ b/include/uapi/linux/audit.h > > > @@ -110,6 +110,7 @@ > > > > > > #define AUDIT_SECCOMP 1326 /* Secure Computing event */ > > > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ > > > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes > > > > */ > > > > > +#define AUDIT_REPLACE 1329 /* Replace auditd if this packet... > > > > Steve, are you okay with this record number? > > Yes. Just wondering what to do with the event. There's a u32 in it with the pid of the process trying to hijack/replace the one the kernel thinks still exists, so it is worth recording that information, I think, if the old auditd actually receives this message. > -Steve - RGB -- Richard Guy Briggs <rbriggs@...hat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists