2:52 a.m.
A bug was introduced by "audit: try harder to send to auditd upon
netlink failure", caused by incomplete code and a function that expects
a string and does not accept a format plus arguments. Create a
temporary string variable to assemble the output text. It could be
merged as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10 @@ restart:
if (audit_pid) {
if (err == -ECONNREFUSED || err == -EPERM
|| ++attempts >= AUDITD_RETRIES) {
- audit_log_lost("audit_pid=%d reset");
+ char s[32];
+
+ sprintf(s, "audit_pid=%d reset", audit_pid);
+ audit_log_lost(s);
audit_pid = 0;
audit_sock = NULL;
} else {
--
1.7.1
4:13 a.m.
On Fri, 18 Sep 2015 03:52:43 -0400
Richard Guy Briggs <rgb(a)redhat.com> wrote:
A bug was introduced by "audit: try harder to send to auditd
upon
netlink failure", caused by incomplete code and a function that
expects a string and does not accept a format plus arguments. Create
a temporary string variable to assemble the output text. It could be
merged as a fixup if it is not yet upstream.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10 @@ restart:
if (audit_pid) {
if (err == -ECONNREFUSED || err == -EPERM
|| ++attempts >= AUDITD_RETRIES) {
- audit_log_lost("audit_pid=%d reset");
+ char s[32];
+
+ sprintf(s, "audit_pid=%d reset",
audit_pid);
We normally use name=value for everything important. Reset by itself
will get dropped by auparse. action=reset (or something similar) would
be better.
-Steve
+ audit_log_lost(s);
audit_pid = 0;
audit_sock = NULL;
} else {
5:02 a.m.
On 15/09/18, Steve Grubb wrote:
On Fri, 18 Sep 2015 03:52:43 -0400
Richard Guy Briggs <rgb(a)redhat.com> wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that
> expects a string and does not accept a format plus arguments. Create
> a temporary string variable to assemble the output text. It could be
> merged as a fixup if it is not yet upstream.
>
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..60913e6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
> if (audit_pid) {
> if (err == -ECONNREFUSED || err == -EPERM
> || ++attempts >= AUDITD_RETRIES) {
> - audit_log_lost("audit_pid=%d reset");
> + char s[32];
> +
> + sprintf(s, "audit_pid=%d reset",
> audit_pid);
We normally use name=value for everything important. Reset by itself
will get dropped by auparse. action=reset (or something similar) would
be better.
This is sent to the system log when we can't queue it to audit, so audit
never sees this message. None of the other audit_log_lost messages are
formatted in the audit style.
-Steve
> + audit_log_lost(s);
> audit_pid = 0;
> audit_sock = NULL;
> } else {
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
3:33 p.m.
On Friday, September 18, 2015 03:52:43 AM Richard Guy Briggs wrote:
A bug was introduced by "audit: try harder to send to auditd
upon
netlink failure", caused by incomplete code and a function that expects
a string and does not accept a format plus arguments. Create a
temporary string variable to assemble the output text. It could be
merged as a fixup if it is not yet upstream.
Ungh, that's embarrassing; I really should have caught that in review. Sigh.
At least it shouldn't cause anything to blow up, just a less than helpful
message.
I pulled the original patch from linux-audit#next just now, I'll re-add it
once we sort this out.
Comments below ...
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
kernel/audit.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 18cdfe2..60913e6 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -420,7 +420,10 @@ restart:
if (audit_pid) {
if (err == -ECONNREFUSED || err == -EPERM
|| ++attempts >= AUDITD_RETRIES) {
- audit_log_lost("audit_pid=%d reset");
+ char s[32];
+
+ sprintf(s, "audit_pid=%d reset", audit_pid);
+ audit_log_lost(s);
Granted 32 bytes should be big enough for the string, but I would feel better
if we used snprintf() here; make the change and I'll merge the patch with the
original and push it back to linux-audit#next.
Normally I'm not a big fan of amending patches after they have been committed,
but in this case it is in the next branch (doing this for upstream or stable-X
is a big "no") and nothing sits on top of it.
audit_pid = 0;
audit_sock = NULL;
} else {
--
paul moore
security @ redhat
4:52 p.m.
On 15/09/18, Paul Moore wrote:
On Friday, September 18, 2015 03:52:43 AM Richard Guy Briggs wrote:
> A bug was introduced by "audit: try harder to send to auditd upon
> netlink failure", caused by incomplete code and a function that expects
> a string and does not accept a format plus arguments. Create a
> temporary string variable to assemble the output text. It could be
> merged as a fixup if it is not yet upstream.
Ungh, that's embarrassing; I really should have caught that in review. Sigh.
At least it shouldn't cause anything to blow up, just a less than helpful
message.
Yup, just useless noise.
I pulled the original patch from linux-audit#next just now, I'll
re-add it
once we sort this out.
Ok...
Comments below ...
Likewise...
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> kernel/audit.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 18cdfe2..60913e6 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -420,7 +420,10 @@ restart:
> if (audit_pid) {
> if (err == -ECONNREFUSED || err == -EPERM
>
> || ++attempts >= AUDITD_RETRIES) {
>
> - audit_log_lost("audit_pid=%d reset");
> + char s[32];
> +
> + sprintf(s, "audit_pid=%d reset", audit_pid);
> + audit_log_lost(s);
Granted 32 bytes should be big enough for the string, but I would feel better
if we used snprintf() here; make the change and I'll merge the patch with the
original and push it back to linux-audit#next.
Done...
Normally I'm not a big fan of amending patches after they have
been committed,
but in this case it is in the next branch (doing this for upstream or stable-X
is a big "no") and nothing sits on top of it.
That's the only reason I suggested it...
> audit_pid = 0;
> audit_sock = NULL;
> } else {
paul moore
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
3381
days inactive
3382
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
Paul Moore -
Richard Guy Briggs -
Steve Grubb