[RFC PATCH] audit: make sure we never skip the multicast broadcast
Richard Guy Briggs
rgb at redhat.com
Thu Jun 15 16:11:46 UTC 2017
On 2017-06-15 11:29, Paul Moore wrote:
> From: Paul Moore <paul at paul-moore.com>
>
> When the auditd connection is reset, either intentionally or due to
> a failure, any records that were in the main backlog queue would not
> be sent in a multicast broadcast. This patch fixes this problem by
> not flushing the main backlog queue on a connection reset, the main
> kauditd_thread() will take care of that normally.
>
> Resolves: https://github.com/linux-audit/audit-kernel/issues/41
> Signed-off-by: Paul Moore <paul at paul-moore.com>
Looks good to me.
Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> kernel/audit.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index e1e2b3abfb93..7cad70214b81 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -605,11 +605,10 @@ static void auditd_reset(const struct auditd_connection *ac)
> if (ac_old)
> call_rcu(&ac_old->rcu, auditd_conn_free);
>
> - /* flush all of the main and retry queues to the hold queue */
> + /* flush the retry queue to the hold queue, but don't touch the main
> + * queue since we need to process that normally for multicast */
> while ((skb = skb_dequeue(&audit_retry_queue)))
> kauditd_hold_skb(skb);
> - while ((skb = skb_dequeue(&audit_queue)))
> - kauditd_hold_skb(skb);
> }
>
> /**
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list