audit 1.7 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Improve input error handling in audispd
- Improve end of event detection in auparse library
- Improve handling of abstract namespaces
- Add test mode for prelude plugin
- Handle user space avcs in prelude plugin
- Audit event serial number now recorded in idmef alert
- Add --just-one option to ausearch
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support for virtual keys
- Added new type for user space MAC policy load events
- auparse_find_field_next was not iterating correctly, fixed it
- Add idmef alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse
This release has a lot of changes. There are a lot of bugs fixed in this
update. Besides pure bug fixing, this release adds a test mode for the
audisp-prelude plugin. It can now take a file input to stdin and output to
stdout what it would like to do.
The audisp-prelude plugin also has a big change in the configuration file. It
now takes separate enablers and actions to decide if a certain detection
should be run and what to do if something is found. Right now, the only
action is to send an idmef event. But this allows for future actions that can
protect the machine.
IDMEF events were added for watched files or execution of watched programs.
This requires a specific key format to work.
Ausearch was given a new option, --just-one. This tells it to emit just one
event during the search. This is handy if you are searching for a specific
event by its serial number and time.
Virtual key support was added throughout the utilities and libraries. With it,
admins can now express more than one key in an auditctl rule. The size limit
was left at 32, but we'll bump it up when kernel 2.6.26 is starting to take
patches.
A buffer overflow in audit_log_user_command was fixed. This was preventing
sudo from running when it had a large number of arguments. For now, we are
truncating the event's argument list. But I'll try to work something out
around continuation records so that it can be fully pieced together.
Lastly, a remote logging plugin makes its debut. Right now it sends only and
has no flow control. I made a quick and dirty program that runs off of xinetd
that just appends records to a file to verify it working. Anyone that wants
to use it will need to do nearly the same at this point. The next release
will include a recieve capability with no flow control. And then in another
release after that I'll add the flow control between sender and receiver.
Please let me know if you run across any problems with this release.
-Steve
16 years, 8 months
[PATCH] Audit: save audit_backlog_limit audit messages in case auditd comes back
by Eric Paris
This patch causes the kernel audit subsystem to store up to
audit_backlog_limit messages for use by auditd if it ever appears
sometime in the future in userspace. This is useful to collect audit
messages during bootup and even when auditd is stopped. This is NOT a
reliable mechanism, it does not ever call audit_panic, nor should it.
The messages are still sent to printk/syslog as usual and if too many
messages appear they will be silently discarded.
If auditd never starts the kernel will hold by default up to 64 messages
in memory forever.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
[root@dhcp231-146 ~]# echo > /var/log/audit/audit.log
[root@dhcp231-146 ~]# service auditd stop
Stopping auditd: [ OK ]
[root@dhcp231-146 ~]# load_policy
[root@dhcp231-146 ~]# cat /var/log/audit/audit.log
type=DAEMON_END msg=audit(1206653123.111:2388): auditd normal halt, sending auid=0 pid=6006 subj=unconfined_u:system_r:initrc_t:s0 res=success
[root@dhcp231-146 ~]# service auditd start
Starting auditd: [ OK ]
[root@dhcp231-146 ~]# cat /var/log/audit/audit.log
type=DAEMON_END msg=audit(1206653123.111:2388): auditd normal halt, sending auid=0 pid=6006 subj=unconfined_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1206653139.737:8211): auditd start, ver=1.6.9 format=raw kernel=2.6.25-rc7 auid=0 pid=6031 res=success
type=CONFIG_CHANGE msg=audit(1206653123.154:26): audit_pid=0 old=1789 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=MAC_POLICY_LOAD msg=audit(1206653127.614:27): policy loaded auid=0 ses=2
type=SYSCALL msg=audit(1206653127.614:27): arch=c000003e syscall=1 success=yes exit=3758310 a0=4 a1=7f25dd44d000 a2=3958e6 a3=7fffeae26ee0 items=0 ppid=5418 pid=6019 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1206653130.800:28): user pid=1803 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'
type=CONFIG_CHANGE msg=audit(1206653139.738:29): audit_pid=6031 old=0 by auid=0 subj=unconfined_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1206653139.839:30): audit_enabled=1 old=1 by auid=0 subj=unconfined_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1206653139.939:31): audit_backlog_limit=8192 old=8192 by auid=0 subj=unconfined_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1206653139.940:32): audit_failure=1 old=1 by auid=0 subj=unconfined_u:system_r:auditctl_t:s0 res=1
kernel/audit.c | 89 ++++++++++++++++++++++++++++++++++++++++++-------------
1 files changed, 68 insertions(+), 21 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index be55cb5..aa2ce91 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -127,6 +127,8 @@ static int audit_freelist_count;
static LIST_HEAD(audit_freelist);
static struct sk_buff_head audit_skb_queue;
+/* queue of skbs to send to auditd when/if it comes back */
+static struct sk_buff_head audit_skb_hold_queue;
static struct task_struct *kauditd_task;
static DECLARE_WAIT_QUEUE_HEAD(kauditd_wait);
static DECLARE_WAIT_QUEUE_HEAD(audit_backlog_wait);
@@ -344,30 +346,70 @@ static int audit_set_failure(int state, uid_t loginuid, u32 sid)
loginuid, sid);
}
+/*
+ * Queue skbs to be sent to auditd when/if it comes back. These skbs should
+ * already have been sent via prink/syslog and so if these messages are dropped
+ * it is not a huge concern. This is just nice to get audit messages during
+ * boot before auditd is running or messages generated while auditd is stopped
+ */
+static void audit_hold_skb(struct sk_buff *skb)
+{
+ if (skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)
+ skb_queue_tail(&audit_skb_hold_queue, skb);
+ else
+ kfree_skb(skb);
+}
+
+static void kauditd_send_skb(struct sk_buff *skb)
+{
+ int err;
+ /* take a reference in case we can't send it and we want to hold it */
+ skb_get(skb);
+ err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
+ if (err < 0) {
+ BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
+ printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
+ audit_log_lost("auditd dissapeared\n");
+ audit_pid = 0;
+ /* we might get lucky and get this in the next auditd */
+ audit_hold_skb(skb);
+ } else
+ /* drop the extra reference if sent ok */
+ kfree_skb(skb);
+}
+
static int kauditd_thread(void *dummy)
{
struct sk_buff *skb;
set_freezable();
while (!kthread_should_stop()) {
+ /*
+ * if auditd just started drain the queue of messages already
+ * sent to syslog/printk.
+ */
+ if (audit_pid) {
+ skb = skb_dequeue(&audit_skb_hold_queue);
+ if (unlikely(skb)) {
+ while(skb && audit_pid) {
+ kauditd_send_skb(skb);
+ skb = skb_dequeue(&audit_skb_hold_queue);
+ }
+ }
+ }
+
skb = skb_dequeue(&audit_skb_queue);
wake_up(&audit_backlog_wait);
if (skb) {
- if (audit_pid) {
- int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
- if (err < 0) {
- BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
- printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
- audit_log_lost("auditd dissapeared\n");
- audit_pid = 0;
- }
- } else {
+ if (audit_pid)
+ kauditd_send_skb(skb);
+ else {
if (printk_ratelimit())
- printk(KERN_NOTICE "%s\n", skb->data +
- NLMSG_SPACE(0));
+ printk(KERN_NOTICE "%s\n", skb->data + NLMSG_SPACE(0));
else
audit_log_lost("printk limit exceeded\n");
- kfree_skb(skb);
+
+ audit_hold_skb(skb);
}
} else {
DECLARE_WAITQUEUE(wait, current);
@@ -877,6 +919,7 @@ static int __init audit_init(void)
audit_sock->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
skb_queue_head_init(&audit_skb_queue);
+ skb_queue_head_init(&audit_skb_hold_queue);
audit_initialized = 1;
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
@@ -1359,19 +1402,23 @@ void audit_log_end(struct audit_buffer *ab)
audit_log_lost("rate limit exceeded");
} else {
struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
+ nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
+
if (audit_pid) {
- nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
skb_queue_tail(&audit_skb_queue, ab->skb);
- ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
- } else if (nlh->nlmsg_type != AUDIT_EOE) {
- if (printk_ratelimit()) {
- printk(KERN_NOTICE "type=%d %s\n",
- nlh->nlmsg_type,
- ab->skb->data + NLMSG_SPACE(0));
- } else
- audit_log_lost("printk limit exceeded\n");
+ } else {
+ if (nlh->nlmsg_type != AUDIT_EOE) {
+ if (printk_ratelimit()) {
+ printk(KERN_NOTICE "type=%d %s\n",
+ nlh->nlmsg_type,
+ ab->skb->data + NLMSG_SPACE(0));
+ } else
+ audit_log_lost("printk limit exceeded\n");
+ }
+ audit_hold_skb(ab->skb);
}
+ ab->skb = NULL;
}
audit_buffer_free(ab);
}
16 years, 9 months
[PATCH] Audit: stop deadlock from signals under load
by Eric Paris
A deadlock is possible between kauditd and auditd under load if auditd
receives a signal. When auditd receives a signal it sends a netlink
message to the kernel asking for information about the sender of the
signal. In that same context the audit system will attempt to send a
netlink message back to the userspace auditd. If kauditd has already
filled the socket buffer (see netlink_attachskb()) auditd will now put
itself to sleep waiting for room to send the message. Since auditd is
responsible for draining that socket we have a deadlock. The fix, since
the response from the kernel does not need to be synchronous is to send
the signal information back to auditd in a separate thread. And thus
auditd can continue to drain the audit queue normally.
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/audit.c | 40 +++++++++++++++++++++++++++++++++++-----
1 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/arch/x86/boot/install.sh b/arch/x86/boot/install.sh
diff --git a/kernel/audit.c b/kernel/audit.c
index be55cb5..2951869 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -155,6 +155,11 @@ struct audit_buffer {
gfp_t gfp_mask;
};
+struct audit_reply {
+ int pid;
+ struct sk_buff *skb;
+};
+
static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
{
if (ab) {
@@ -470,6 +475,19 @@ nlmsg_failure: /* Used by NLMSG_PUT */
return NULL;
}
+static int audit_send_reply_thread(void *arg)
+{
+ struct audit_reply *reply = (struct audit_reply *)arg;
+
+ mutex_lock(&audit_cmd_mutex);
+ mutex_unlock(&audit_cmd_mutex);
+
+ /* Ignore failure. It'll only happen if the sender goes away,
+ because our timeout is set to infinite. */
+ netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+ kfree(reply);
+ return 0;
+}
/**
* audit_send_reply - send an audit reply message via netlink
* @pid: process id to send reply to
@@ -486,14 +504,26 @@ nlmsg_failure: /* Used by NLMSG_PUT */
void audit_send_reply(int pid, int seq, int type, int done, int multi,
void *payload, int size)
{
- struct sk_buff *skb;
+ struct sk_buff *skb;
+ struct task_struct *tsk;
+ struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
+ GFP_KERNEL);
+
+ if (!reply)
+ return;
+
skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
if (!skb)
return;
- /* Ignore failure. It'll only happen if the sender goes away,
- because our timeout is set to infinite. */
- netlink_unicast(audit_sock, skb, pid, 0);
- return;
+
+ reply->pid = pid;
+ reply->skb = skb;
+
+ tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
+ if (IS_ERR(tsk)) {
+ kfree(reply);
+ kfree_skb(skb);
+ }
}
/*
16 years, 9 months
[RFC] Virtual Key Fields
by Steve Grubb
Hi,
Based on the discussion last week, I'd like to propose a technique of allowing
the appearance of multiple key fields without having to make changes in the
kernel. The kernel has one key field associated with each audit rule. It
doesn't look at the field's contents for anything. A patch will be submitted
for 2.6.26 kernel increasing the size of string the kernel will accept. The
kernel will still allocate the minimum memory needed to hold the string.
If the admin wants to have multiple keys that can be searched on for different
purposes, we will allow that from auditctl. A couple examples: a rule meets
more that one requirement and he/she wants to document that separately, or
there are interpretive plugins that would like some standard tagging of
rules. To do this, auditctl will support multiple -k fields.
When reading the rule, auditctl will append multiple keyfields to one another
with a non-printing separator. The value 0x01 is a good candidate since its
not likely to be used by any admin right now. Auditctl will scan each key
field and reject the key with a warning if the separator appears in a key
field. The rule will be processed normally without the key, though.
When rules are listed, auditctl will split the keys out so they appear
separately. This mimics the way the rules were written. Auditctl will also
allow listing by key in order to aid rule analysis by the admin.
Auditctl will also allow delete all rules matching a key. This will allow the
admin or a program to delete a set of rules related to just a particular key
and leave all other rules intact.
auparse will split the key fields in audit records so that multiple key fields
exist whenever it finds the separator in the key field in the event stream.
The applications using keys should iterate over the keys to examine them all
if its looking for something in particular.
Comments?
-Steve
16 years, 9 months
[RFC] programmatic IDS routing
by Steve Grubb
Hi,
In working on the IDS piece of the audit system, there are 3 detections that I
need to solve: watched files, watched execution, and making an executable. In
this particular case, an admin may have watches and several things for
archival purposes, but may want an alert if something changes in specific
files. In order for the IDS system to be able to distinguish an open of a
watched file from an open of a *special* watched file that an alert should be
sent for, I'd like to propose a standard way of alerting the IDS that this
record needs additional scrutiny.
The key field has been in all syscall records for at least 8 kernel releases,
so I think it is well established that it could be used by this point. It is
32 char's long. This is longer than what most people will ever need. What I'd
like to do is to use this field for 2 purposes. One is to continue using it
as is. The other could be to tell the IDS that this record needs review.
If a key field starts with "ids-" then we could parse it for a specific set of
uses. We need to be able to distinguish: file, exec, and mkexe. Each of these
would alert the IDS as to which alert category this fits under. Next, IDMEF
has 4 severity ratings: info, low, medium, and high. These could be shortened
to: inf, low, med, hi. This means you could tell the IDS that this is an
execution attempt that means medium severity by this, "ids-exec-med".
To continue to be able to use the key field for searching, I would propose
just adding a comma to separate the ids part from the searchable part. So,
you could do something like this: "ids-file-med,shadow-password". auditctl
can be fixed so that when it spots "ids-" in the key field, it will check
that only valid types and severities are being used. This would not affect
what auditd does in any way.
Thoughts? Comments?
-Steve
16 years, 9 months
Re: [PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid
by Eric Paris
On 3/19/08, Pavel Emelyanov <xemul(a)openvz.org> wrote:
> Eric Paris wrote:
> > On 3/18/08, Pavel Emelyanov <xemul(a)openvz.org> wrote:
> >
> > Can we please just leave audit_pid as the one flag to tell us if
> > auditd is supposedly up there in userspace? Use audit_nlk_pid to send
> > messages to the right place, but leave everything else to do with
> > audit_pid alone.
>
>
> OK, point taken ;) Is that patch looks OK? If yes, I'll comment
> it properly and re-send to Andrew.
>
> The audit_nlk_pid reset to 0 is not required, since all the
> decisions are taken based on audit_pid value only.
I looks good to me. Feel free to add Acked-by: Eric Paris
<eparis(a)redhat.com> on your submission.
-Eric
>
> Signed-off-by: Pavel Emelyanov <xemul(a)openvz.org>
>
>
> diff --git a/kernel/audit.c b/kernel/audit.c
>
> index ccc7d0e..12a0278 100644
>
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
>
> @@ -77,9 +77,13 @@ static int audit_default;
>
> /* If auditing cannot proceed, audit_failure selects what happens. */
> static int audit_failure = AUDIT_FAIL_PRINTK;
>
> -/* If audit records are to be written to the netlink socket, audit_pid
>
> - * contains the (non-zero) pid. */
> +/*
> + * If audit records are to be written to the netlink socket, audit_pid
> + * contains the pid of the auditd process and audit_nlk_pid contains
> + * the pid to use to send netlink messages to that process.
> + */
> int audit_pid;
>
> +static int audit_nlk_pid;
>
>
> /* If audit_rate_limit is non-zero, limit the rate of sending audit records
>
> * to that number per second. This prevents DoS attacks, but results in
> @@ -349,7 +353,7 @@ static int kauditd_thread(void *dummy)
>
> wake_up(&audit_backlog_wait);
> if (skb) {
> if (audit_pid) {
> - int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
>
> + int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
>
> if (err < 0) {
> BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
> printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
>
> @@ -626,6 +630,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
>
> sid, 1);
>
> audit_pid = new_pid;
> + audit_nlk_pid = NETLINK_CB(skb).pid;
> }
> if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> err = audit_set_rate_limit(status_get->rate_limit,
>
16 years, 9 months
Re: [PATCH] Audit: netlink socket can be auto-bound to pid other than current->pid
by Eric Paris
On 3/18/08, Pavel Emelyanov <xemul(a)openvz.org> wrote:
Can we please just leave audit_pid as the one flag to tell us if
auditd is supposedly up there in userspace? Use audit_nlk_pid to send
messages to the right place, but leave everything else to do with
audit_pid alone.
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 10c4930..40b3a34 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -78,8 +78,10 @@ static int audit_default;
> /* If auditing cannot proceed, audit_failure selects what happens. */
> static int audit_failure = AUDIT_FAIL_PRINTK;
>
> -/* If audit records are to be written to the netlink socket, audit_pid
> +/* If audit records are to be written to the netlink socket, audit_nlk_pid
/* If audit records are to be written to the netlink socket, audit_pid
contain the pid of the auditd process and audit_nlk_pid will contain
the pid to use to send netlink messages to that process. */
> * contains the (non-zero) pid. */
> +static int audit_nlk_pid;
> +
> int audit_pid;
>
> /* If audit_rate_limit is non-zero, limit the rate of sending audit records
> @@ -349,13 +351,13 @@ static int kauditd_thread(void *dummy)
> skb = skb_dequeue(&audit_skb_queue);
> wake_up(&audit_backlog_wait);
> if (skb) {
> - if (audit_pid) {
> - int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
> + if (audit_nlk_pid) {
unneeded change
> + int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
good.
> if (err < 0) {
> BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
> - printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
> + printk(KERN_ERR "audit: *NO* daemon at audit_nlk_pid=%d\n", audit_nlk_pid);
userspace is never going to care about audit_nlk_pid, its meaningless
at that level. This message should continue to use audit_pid.
> audit_log_lost("auditd dissapeared\n");
> - audit_pid = 0;
We still need to 0 audit_pid otherwise all of the tests which use it
are bogus (aka things like audit_panic and audit_filter_syscall you
mentioned)
> + audit_nlk_pid = 0;
> }
> } else {
> if (printk_ratelimit())
> @@ -626,6 +628,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
> sid, 1);
>
> audit_pid = new_pid;
> + audit_nlk_pid = NETLINK_CB(skb).pid;
> }
> if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> err = audit_set_rate_limit(status_get->rate_limit,
> @@ -1354,7 +1357,7 @@ void audit_log_end(struct audit_buffer *ab)
> audit_log_lost("rate limit exceeded");
> } else {
> struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
> - if (audit_pid) {
> + if (audit_nlk_pid) {
don't need this if we zero audit_pid.
> nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
> skb_queue_tail(&audit_skb_queue, ab->skb);
> ab->skb = NULL;
>
16 years, 9 months
Re: Audit vs netlink interaction problem
by Eric Paris
It looks reasonable to me. If you can send a tested patch with a good
description to linux-audit(a)redhat.com I can work it into mainline.
-Eric
On 3/17/08, Pavel Emelyanov <xemul(a)openvz.org> wrote:
> Thomas Graf wrote:
> > * Thomas Graf <tgraf(a)suug.ch> 2008-03-14 19:29
> >> * Pavel Emelyanov <xemul(a)openvz.org> 2008-03-14 20:05
> >>> Hmmm... I'm afraid, that this can break the audit filtering and signal
> >>> auditing. I haven't yet looked deep into it, but it compares the
> >>> task->tgid with this audit_pid for different purposes. If audit_pid
> >>> changes this code will be broken.
> >> OK, then both pids have to be stored. audit_pid remains as-is but is
> >> no longer used as destination netlink pid. A second pid is stored and
> >> updated whenever a netlink message is received from userspace.
> >
> > The following patch represents what I mean. Untested!
>
>
> Looks great, all the more so I created very similar patch.
> David, can we have this in mainline some day?
>
> Thanks,
> Pavel
>
>
> > Index: net-2.6.26/kernel/audit.c
> > ===================================================================
> > --- net-2.6.26.orig/kernel/audit.c 2008-03-14 19:31:53.000000000 +0100
> > +++ net-2.6.26/kernel/audit.c 2008-03-14 19:38:35.000000000 +0100
> > @@ -82,6 +82,9 @@
> > * contains the (non-zero) pid. */
> > int audit_pid;
> >
> > +/* Actual netlink pid of the userspace process */
> > +static int audit_nlk_pid;
> > +
> > /* If audit_rate_limit is non-zero, limit the rate of sending audit records
> > * to that number per second. This prevents DoS attacks, but results in
> > * audit records being dropped. */
> > @@ -347,12 +350,12 @@
> > skb = skb_dequeue(&audit_skb_queue);
> > wake_up(&audit_backlog_wait);
> > if (skb) {
> > - if (audit_pid) {
> > - int err = netlink_unicast(audit_sock, skb, audit_pid, 0);
> > + if (audit_nlk_pid) {
> > + int err = netlink_unicast(audit_sock, skb, audit_nlk_pid, 0);
> > if (err < 0) {
> > BUG_ON(err != -ECONNREFUSED); /* Shoudn't happen */
> > - printk(KERN_ERR "audit: *NO* daemon at audit_pid=%d\n", audit_pid);
> > - audit_pid = 0;
> > + printk(KERN_ERR "audit: *NO* daemon at audit_nlk_pid=%d\n", audit_nlk_pid);
> > + audit_nlk_pid = 0;
> > }
> > } else {
> > if (printk_ratelimit())
> > @@ -623,6 +626,12 @@
> > sid, 1);
> >
> > audit_pid = new_pid;
> > +
> > + /*
> > + * Netlink pid is only updated here to avoid overwrites
> > + * from potential processes only querying the interface.
> > + */
> > + audit_nlk_pid = NETLINK_CB(skb).pid;
> > }
> > if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
> > err = audit_set_rate_limit(status_get->rate_limit,
> > @@ -1350,7 +1359,7 @@
> > if (!audit_rate_check()) {
> > audit_log_lost("rate limit exceeded");
> > } else {
> > - if (audit_pid) {
> > + if (audit_nlk_pid) {
> > struct nlmsghdr *nlh = nlmsg_hdr(ab->skb);
> > nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
> > skb_queue_tail(&audit_skb_queue, ab->skb);
> >
>
> --
>
> To unsubscribe from this list: send the line "unsubscribe netdev" in
>
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
16 years, 9 months
