Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751968AbbLUWgt (ORCPT ); Mon, 21 Dec 2015 17:36:49 -0500 Received: from mx1.redhat.com ([209.132.183.28]:41011 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751201AbbLUWgs (ORCPT ); Mon, 21 Dec 2015 17:36:48 -0500 From: Paul Moore To: Steve Grubb Cc: Richard Guy Briggs , linux-audit@redhat.com, linux-kernel@vger.kernel.org, eparis@redhat.com, v.rathor@gmail.com, ctcard@hotmail.com Subject: Re: [PATCH V2 1/2] audit: stop an old auditd being starved out by a new auditd Date: Mon, 21 Dec 2015 17:36:46 -0500 Message-ID: <3244624.KajibWDVmd@sifl> Organization: Red Hat User-Agent: KMail/4.14.10 (Linux/4.2.6-gentoo; KDE/4.14.14; x86_64; ; ) In-Reply-To: <3132444.Y0z3o3Cmva@x2> References: <735d85abf2484b740fd3aa551cdffde67f9bd637.1450268948.git.rgb@redhat.com> <1831194.c6xgxYyxjn@sifl> <3132444.Y0z3o3Cmva@x2> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 3085 Lines: 69 On Monday, December 21, 2015 05:18:15 PM Steve Grubb wrote: > On Monday, December 21, 2015 04:48:00 PM Paul Moore wrote: > > On Wednesday, December 16, 2015 11:23:19 AM Steve Grubb wrote: > > > On Wednesday, December 16, 2015 10:42:32 AM Richard Guy Briggs wrote: > > > > Nothing prevents a new auditd starting up and replacing a valid > > > > audit_pid when an old auditd is still running, effectively starving > > > > out the old auditd since audit_pid no longer points to the old valid > > > > auditd. > > > > > > I guess the first question is why do we allow something to start up a > > > new auditd without killing off the old one? Would that be a simpler > > > fix? > > > > I imagine there might be scenarios where you need to forcibly kill an > > instance of auditd such that things might not get fully cleaned up in the > > kernel, audit_{pid,sock,etc.}. > > But the first time an event is sent and auditd doesn't exist, it resets the > audit_pid to 0. > > static void kauditd_send_skb(struct sk_buff *skb) > { > int err; > /* take a reference in case we can't send it and we want... > skb_get(skb); > err = netlink_unicast(audit_sock, skb, audit_nlk_portid, 0); > if (err < 0) { > BUG_ON(err != -ECONNREFUSED); /* Shouldn't happen */ > if (audit_pid) { > pr_err("*NO* daemon at audit_pid=%d\n", audit_pid); > audit_log_lost("auditd disappeared"); > audit_pid = 0; > audit_sock = NULL; > } As an aside, it doesn't matter in this particular case, but the above code is not current. Please try to use either what is in Linus' tree or audit#next when pasting code snippets; it's less confusing. I still think there is some value in having the ability for an admin to reset the kernel's auditd tracking manually as relying on an event to be emitted does not seem like a solution I would want to have to justify. Although I do admit that for most systems this shouldn't be a problem as events should likely occur often enough. There really is no harm in merging these patches, and they do provide some, admittedly small, value. > > Keeping the ability to reset the kernel's auditd state, even when the > > kernel *thinks* auditd is still alive might be a nice thing to keep > > around for a while longer. > > I'm just thinking its rare that anyone would try to steal away the audit > socket. Its more work for everyone to create a new event and send it than to > just not allow it. you can even force an event with "auditctl -m test" > which should reset the pid if the kernel was out of sync. I do not want to disallow starting an new instance of auditd, so this patchset looks reasonable to me. -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/