[PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid
Eric Paris
eparis at parisplace.org
Tue Mar 18 23:35:08 UTC 2008
On 3/18/08, Eric Paris <eparis at parisplace.org> wrote:
> On 3/18/08, Pavel Emelyanov <xemul at openvz.org> wrote:
> > @@ -626,6 +628,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> > sid, 1);
> >
> > audit_pid = new_pid;
> > + audit_nlk_pid = NETLINK_CB(skb).pid;
> > }
> > if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> > err = audit_set_rate_limit(status_get->rate_limit,
Shouldn't the above be:
if (audit_pid)
audit_nlk_pid = NETLINK_CB(skb).pid;
else
audit_nlk_pid = 0;
otherwise I don't see how you can cleanly stop the userspace auditd.....
More information about the Linux-audit
mailing list