4:48 p.m.
Hi,
I'm still working on some bugs that I found over the weekend for libaudit. I
modified pam and passwd to log events to the audit netlink connection. As a
result, I ran into a problem. The problem is probably best illustrated by
showing in auditctl.c how to reproduce it.
If you open auditctl.c, look for reset_vars(). In that function is
audit_open(). Add a second call to audit_open so that it looks like this:
static int reset_vars(void)
{
list_requested = 0;
syscalladded = 0;
add = 0;
del = 0;
action = 0;
memset(&rule, 0, sizeof(rule));
audit_open(); // this is added. we don't care what the return is.
if ((fd = audit_open()) < 0) {
fprintf(stderr, "Cannot open netlink audit socket\n");
return 1;
}
return 0;
}
What this does is makes the application open 2 netlink connections to the
audit system. Compile it and try ./auditctl -s Using strace this is what I
get (with my annotations):
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK,
{rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfec898c, 31, (nil), 0}) = 0
socket(PF_NETLINK, SOCK_RAW, 9) = 3
<- first open ->
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
socket(PF_NETLINK, SOCK_RAW, 9) = 4
<- second open ->
bind(4, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
sendto(4, "\20\0\0\0\350\3\1\0gE\213k\0\0\0\0", 16, 0, {sa_family=AF_NETLINK,
pid=0, groups=00000000}, 12) = 16
<- send request , now get answer ->
recvfrom(4, 0xbfec7ed0, 1216, 64, 0xbfec7e60, 0xbfec7e5c) = -1 EAGAIN
(Resource temporarily unavailable) write(2, "Error receiving netlink packet
("..., 65Error receiving netlink packet (Resource temporarily unavailable)) =
65 write(2, "\n", 1
) = 1
<- error? ->
nanosleep({0, 100000000}, NULL) = 0
recvfrom(4, 0xbfec7ed0, 1216, 64, 0xbfec7e60, 0xbfec7e5c) = -1 EAGAIN
(Resource temporarily unavailable)
write(2, "Error receiving netlink packet ("..., 65Error receiving netlink
packet (Resource temporarily unavailable)) = 65
write(2, "\n", 1
<- error? ->
As you can see it scrolls messages because you get EAGAIN returned. This is a
real problem right now and I'm not sure how best to solve it short of making
a request, closing the descriptor, and re-open it for each communication to
the kernel.
What happens in real life is that passwd is going to log some data to the
audit system and opens a socket, then it collects the passwords, if
everything is OK, it passes the passwords to pam for authentication token
update. Pam decides that it needs to do some logging of its own and opens
descriptors to the audit system. They fail like above, EAGAIN.
Does any of you kernel hackers know why apps are limited to 1 netlink socket
connection? Can someone else verify the problem?
I think I can fix the problem by constantly closing and opening connections,
but that is ugly and not efficient. This "bug/feature" is holding up the
release of the next version of audit and patched trusted programs.
Thanks,
-Steve Grubb
6:08 p.m.
On Mon, 28 Feb 2005 17:48:28 -0500, Steve Grubb <sgrubb(a)redhat.com> wrote:
<snip>
What happens in real life is that passwd is going to log some data to the
audit system and opens a socket, then it collects the passwords, if
everything is OK, it passes the passwords to pam for authentication token
update. Pam decides that it needs to do some logging of its own and opens
descriptors to the audit system. They fail like above, EAGAIN.
Does any of you kernel hackers know why apps are limited to 1 netlink socket
connection? Can someone else verify the problem?
I think I can fix the problem by constantly closing and opening connections,
but that is ugly and not efficient. This "bug/feature" is holding up the
release of the next version of audit and patched trusted programs.
Though I don't know what's going on here, you could also just share
auditd's netlink connection and have trusted programs talk to auditd
(ie: passwd says to auditd, "Hey auditd, send this message to the
kernelm, thanks") rather then opening/closing the netlink connection
repeatedly. It's probably a bad idea for various reasons, though --
added complexity to auditd being one.
--
- Timothy R. Chavez
7:36 p.m.
On Monday 28 February 2005 19:08, Timothy R. Chavez wrote:
Though I don't know what's going on here,
But can you / anyone confirm the problem? I just want to make sure its not my
setup.
you could also just share auditd's netlink connection and have
trusted
programs talk to auditd
I don't even want to go there....added complexity, denial of service,
credential checking, etc. I'd rather spend time figuring out what's wrong in
the kernel or just opening and closing connections.
-Steve
8:43 p.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Monday 28 February 2005 19:08, Timothy R. Chavez wrote:
> Though I don't know what's going on here,
But can you / anyone confirm the problem? I just want to make sure its not my
setup.
I can, I think the problem it's sending to the wrong socket (i.e. the
first one bound). It's not all that clear that you want to bind (esp.
with pid = 0) anyway. Short-term fix may be to eliminate the bind() or
make another wrapper w/out bind(). This won't work if you ever have two
pending sendto()'s though. Since there's an implicit bind there...
> you could also just share auditd's netlink connection and
have trusted
> programs talk to auditd
I don't even want to go there....added complexity, denial of service,
credential checking, etc. I'd rather spend time figuring out what's wrong in
the kernel or just opening and closing connections.
Plus, it's not the problem. The issue is not that auditd has a socket
open as well as the auditctl program. The issue is 100% confined to the
single instance of audtictl which did more than 1 bind().
Steve, can you see if this fixes it up for you?
thanks,
-chris
--
Send audit repsonse to socket which request came from, rather than pid
that request came from.
Signed-off-by: Chris Wright <chrisw(a)osdl.org>
===== kernel/audit.c 1.9 vs edited =====
--- 1.9/kernel/audit.c 2005-01-30 22:33:47 -08:00
+++ edited/kernel/audit.c 2005-02-28 18:34:47 -08:00
@@ -360,7 +360,7 @@ static int audit_receive_msg(struct sk_b
status_set.backlog_limit = audit_backlog_limit;
status_set.lost = atomic_read(&audit_lost);
status_set.backlog = atomic_read(&audit_backlog);
- audit_send_reply(pid, seq, AUDIT_GET, 0, 0,
+ audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
&status_set, sizeof(status_set));
break;
case AUDIT_SET:
@@ -407,8 +407,8 @@ static int audit_receive_msg(struct sk_b
/* fallthrough */
case AUDIT_LIST:
#ifdef CONFIG_AUDITSYSCALL
- err = audit_receive_filter(nlh->nlmsg_type, pid, uid, seq,
- data);
+ err = audit_receive_filter(nlh->nlmsg_type, NETLINK_CB(skb).pid,
+ uid, seq, data);
#else
err = -EOPNOTSUPP;
#endif
10:28 p.m.
Ok, I tore myself away from American Idol and spent some time on this.
I can also confirm the problem Steve reported on a vanilla 2.6.10
kernel. I then added Chris's changes to the same kernel -- seems to
work properly now -- I've already fixed the auditfs piece to use
NETLINK_CB(skb).pid. That'll be in patch #5, update 2.
--
Timothy R. Chavez
8:59 a.m.
On Monday 28 February 2005 21:43, Chris Wright wrote:
It's not all that clear that you want to bind (esp. with pid =
0)
anyway.
Because netlink is an IPC mechanism, you must bind with nl_pid 0 to make sure
you are talking to the kernel. The kernel code should only interpret packets
that have nl_pid set to 0. Any other packets should be discarded perhaps with
an error to make sure there's no impostors.
Steve, can you see if this fixes it up for you?
David is building a new kernel for everyone, I'll re-test when its available.
Thanks,
-Steve
11:38 a.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Tuesday 01 March 2005 09:59, Steve Grubb wrote:
> David is building a new kernel for everyone, I'll re-test when its
> available.
I just re-tested using the new kernel and it works fine. The netlink patch
should probably be sent upstream.
Great, I'll push it up.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
12:04 p.m.
* David Woodhouse (dwmw2(a)infradead.org) wrote:
On Tue, 2005-03-01 at 09:38 -0800, Chris Wright wrote:
> Great, I'll push it up.
Send me a SSHv1 public key and you can put it into the linux-audit BK
tree, from which Andrew will automatically pull it.
Ah, good idea, will do (have to run to another meeting now).
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
11:38 a.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Monday 28 February 2005 21:43, Chris Wright wrote:
> It's not all that clear that you want to bind (esp. with pid = 0)
> anyway.
Because netlink is an IPC mechanism, you must bind with nl_pid 0 to make sure
you are talking to the kernel. The kernel code should only interpret packets
that have nl_pid set to 0. Any other packets should be discarded perhaps with
an error to make sure there's no impostors.
I agree for sending or connecting (destination pid), but for binding,
it's effectively a no-op, same as implicit bind that happens with plain
old sendmsg.
> Steve, can you see if this fixes it up for you?
David is building a new kernel for everyone, I'll re-test when its available.
Nice, thanks.
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
7244
days inactive
7245
days old
linux-audit@lists.linux-audit.osci.io
10 comments
4 participants
participants (4)
-
Chris Wright -
David Woodhouse -
Steve Grubb -
Timothy R. Chavez