On 15/09/18, Steve Grubb wrote:
On Fri, 18 Sep 2015 03:52:43 -0400
Richard Guy Briggs <rgb(a)redhat.com> wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that
> expects a string and does not accept a format plus arguments. Create
> a temporary string variable to assemble the output text. It could be
> merged as a fixup if it is not yet upstream.
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..60913e6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
> if (audit_pid) {
> if (err == -ECONNREFUSED || err == -EPERM
> || ++attempts >= AUDITD_RETRIES) {
> - audit_log_lost("audit_pid=%d reset");
> + char s[32];
> +
> + sprintf(s, "audit_pid=%d reset",
> audit_pid);

We normally use name=value for everything important. Reset by itself
will get dropped by auparse. action=reset (or something similar) would
be better.

This is sent to the system log when we can't queue it to audit, so audit
never sees this message. None of the other audit_log_lost messages are
formatted in the audit style.

-Steve

> + audit_log_lost(s);
> audit_pid = 0;
> audit_sock = NULL;
> } else {
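Review bot: the sprintf() into the 32-byte stack buffer s in the ECONNREFUSED/EPERM branch is unbounded, so nothing ties the write to the buffer size. With the current format and a 32-bit int (which %d implies), the longest output is "audit_pid=-2147483648 reset" plus the terminator, 28 bytes, so it fits today with 4 bytes to spare. Using snprintf(s, sizeof(s), "audit_pid=%d reset", audit_pid) would keep it bounded if the text is later lengthened, for example to the action=reset form raised in this thread.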
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545