[PATCH v2] audit: Allow auditd to set pid to 0 to end auditing

Paul Moore paul at paul-moore.com
Thu Oct 19 19:39:48 UTC 2017


On Tue, Oct 17, 2017 at 6:29 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> The API to end auditing has historically been for auditd to set the
> pid to 0. This patch restores that functionality.
>
> See: https://github.com/linux-audit/audit-kernel/issues/69
>
> Reviewed-by: Richard Guy Briggs <rgb at redhat.com>
> Signed-off-by: Steve Grubb <sgrubb at redhat.com>
> ---
>  kernel/audit.c | 29 ++++++++++++++++-------------
>  1 file changed, 16 insertions(+), 13 deletions(-)

As an FYI, I'm not sure how you are sending patches, but however you
are doing it appears to be mangling the patch with word wrap.  Because
I'm a nice guy, I'm going to go ahead and fix this up (apply by hand),
but in the future you'll need to make sure that the patches can be
applied straight from your email.

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 6dd556931739..f6d5fc1d8eb4 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_buff *skb,
> struct nlmsghdr *nlh)
>                         pid_t auditd_pid;
>                         struct pid *req_pid = task_tgid(current);
>
> -                       /* sanity check - PID values must match */
> -                       if (new_pid != pid_vnr(req_pid))
> +                       /* Sanity check - PID values must match. Setting
> +                        * pid to 0 is how auditd ends auditing. */
> +                       if (new_pid && (new_pid != pid_vnr(req_pid)))
>                                 return -EINVAL;
>
>                         /* test the auditd connection */
>                         audit_replace(req_pid);
>
>                         auditd_pid = auditd_pid_vnr();
> -                       /* only the current auditd can unregister itself */
> -                       if ((!new_pid) && (new_pid != auditd_pid)) {
> -                               audit_log_config_change("audit_pid", new_pid,
> -                                                       auditd_pid, 0);
> -                               return -EACCES;
> -                       }
> -                       /* replacing a healthy auditd is not allowed */
> -                       if (auditd_pid && new_pid) {
> -                               audit_log_config_change("audit_pid", new_pid,
> -                                                       auditd_pid, 0);
> -                               return -EEXIST;
> +                       if (auditd_pid) {
> +                               /* replacing a healthy auditd is not allowed */
> +                               if (new_pid) {
> +                                       audit_log_config_change("audit_pid",
> +                                                       new_pid, auditd_pid, 0);
> +                                       return -EEXIST;
> +                               }
> +                               /* only current auditd can unregister itself */
> +                               if (pid_vnr(req_pid) != auditd_pid) {
> +                                       audit_log_config_change("audit_pid",
> +                                                       new_pid, auditd_pid, 0);
> +                                       return -EACCES;
> +                               }
>                         }
>
>                         if (new_pid) {
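
Review bot: In the new `if (auditd_pid) { ... }` block, nothing covers the case where `new_pid` is 0 and `auditd_pid` is also 0. The relaxed sanity check `if (new_pid && (new_pid != pid_vnr(req_pid)))` lets such a request through, the block is skipped, and control reaches `if (new_pid) {` with no auditd registered. The branch taken for `new_pid == 0` is outside the lines shown, so please confirm it is safe when there is no registered auditd to reset, or return early for that case. Two smaller points: `pid_vnr(req_pid)` is now evaluated in both the sanity check and the unregister check and could be held in a local, and the two-line comment above the sanity check would match kernel comment style better with the opening `/*` and closing `*/` on their own lines.
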
> --
> 2.13.6
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
paul moore
www.paul-moore.com



