Re: netlink ACK handling in audit_set_pid()
On Tuesday, November 14, 2023 5:31:55 AM EST Chris Riches wrote:
Tangentially, did you have a chance to look at the wmode=WAIT_YES
oddity
I pointed out in my original email?
Only briefly. That code was written in 2005 when things were very different.
It was common to run into distributions that hadn't enabled audit in the
kernel but pam and shadow-utils they were shipping were audit aware. So, that
code had to handle transmission error. Nowadays, audit is enabled on all
major distros. But the code has not been touched since probably 2006.
It might need some minor touch ups. On shutdown, we don't care about the
events, we just need to set the pid to 0 to stop the flow. On startup, it's
more important to save the events since they may be of interest. I may look
at that case some time.
-Steve