On Thursday, November 9, 2023 12:09:15 PM EST Steve Grubb wrote:
> > I was hoping some other people working on audit would step up.
> >
> > One idea I have not tested is to make a "command and control" fd that would
> > be used for enabling the audit system and setting the pid. This would be
> > separate from the data fd which processes events.
>
> Looks like we lost that ability a couple years ago when missing auditd
> detection was added. The fd that sets the pid is the one that gets all the
> events even if there is another fd available that belongs to the same pid.

Yes, I agree that a separate socket for control vs. messages would be
the best solution, and I briefly discussed this with the kernel
maintainer too. However, as you point out this is not possible today.
I think we should look at improving what we currently have in the
meantime - what do you think about the idea of tolerating ENOBUFS?
- Chris
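The ENOBUFS-tolerant receive path raised above, as an added example that is not code from this thread or from the audit userspace project: the reader counts ENOBUFS as a kernel queue overrun and keeps reading instead of exiting, and checks each frame with NLMSG_OK before handing it back. The injected recv function pointer and the fake_recv double are assumptions made so the overrun path can be exercised without root.

```c
/* Added example (not from this thread or from audit-userspace): an audit
 * netlink receive loop that tolerates ENOBUFS; recv() is injected. */
#include <errno.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
struct audit_reader {
    int fd;
    unsigned long overruns;                        /* ENOBUFS seen so far */
    ssize_t (*recvfn)(int, void *, size_t, int);   /* recv() or a double */
};
/* 1 = message in buf (*out = length), 0 = EOF, -1 = hard error. ENOBUFS means the
 * queue overflowed and events were lost: count it, keep reading (NETLINK_NO_ENOBUFS would hide it). */
int audit_recv_one(struct audit_reader *r, void *buf, size_t len, size_t *out)
{
    for (;;) {
        ssize_t n = r->recvfn(r->fd, buf, len, 0);
        if (n > 0) {
            if (!NLMSG_OK((struct nlmsghdr *)buf, (size_t)n)) return -1;
            *out = (size_t)n;                      /* well-formed frame */
            return 1;
        }
        if (n == 0) return 0;
        if (errno == ENOBUFS) { r->overruns++; continue; }  /* queue overrun */
        if (errno == EINTR || errno == EAGAIN) continue;     /* transient */
        return -1;
    }
}
/* Constructed stand-in for recv(): one overrun, one EINTR, then messages. */
static int fake_calls;
static ssize_t fake_recv(int fd, void *buf, size_t len, int flags)
{
    struct nlmsghdr *h = buf;
    int call = fake_calls++; (void)fd; (void)len; (void)flags;
    if (call == 0) { errno = ENOBUFS; return -1; }
    if (call == 1) { errno = EINTR; return -1; }
    h->nlmsg_len = NLMSG_HDRLEN; h->nlmsg_type = AUDIT_SYSCALL;
    return NLMSG_HDRLEN;
}
/* Reads two messages; returns the overrun count (1 with the double), -1 if the reader gave up. */
long run_demo(void)
{
    union { struct nlmsghdr h; char raw[8192]; } buf;
    struct audit_reader r = { .fd = -1, .overruns = 0, .recvfn = fake_recv };
    size_t got; fake_calls = 0;
    for (int i = 0; i < 2; i++)
        if (audit_recv_one(&r, buf.raw, sizeof buf, &got) != 1) return -1;
    return (long)r.overruns;
}
```

Against a real audit socket, pass recv as recvfn and report r.overruns alongside the event stream so operators can see when the kernel dropped records.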