audit_pid with multiple userspace auditd processes
Linda Knippers
linda.knippers at hp.com
Wed Jan 7 22:04:35 UTC 2009
Eric Paris wrote:
> So I noticed today something strange, but maybe not wrong?
>
> lets say userspace starts 2 copies of auditd.
Will a second auditd actually start? Seems like it shouldn't.
> Then they kill the first
> copy. The kernel at that point thinks there is no userspace auditd
> running and will instead send things to dmesg
>
> We could fix it by changing the handling in audit_receive_msg to reject
> setting the audit_pid to 0 if the current audit_nlk_pid !=
> NETLINK_CB(skb).pid.
>
> It's not a big deal, maybe we just call results of audit with multiple
> userspace auditd's running at the same time a undefined and not care.
I think its something to be avoided. Can the 2nd auditd exit if
there already is one?
-- ljk
>
> Anyone think that's worth a patch?
>
> -Eric
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list