Re: audit_backlog_limit messages

On Thu, 2005-06-30 at 07:01 -0400, Steve Grubb wrote:
> Just a guess. It's using ctx->pid. Maybe tsk->pid is better?

I had another look through but I couldn't see anywhere where this should
actually matter, and we do use tsk->pid wherever it's available.

> I would suggest 2 changes, though. The first is to plug the hole so
> that auditd doesn't get audited. 

Well yes, if I could see it :)

> The other step is to inspect the pid when adding to the backlog wait 
> queue to make sure auditd doesn't get added to it. This way if there is 
> another sneak path, auditd won't get added to wait queue.

That's a bandaid which I've implemented for now in order to find the
offending code, but which probably shouldn't be included long-term...

--- linux-2.6.9/kernel/auditsc.c~	2005-06-24 17:36:04.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-06-30 17:51:02.000000000 +0100
@@ -810,6 +810,16 @@ static void audit_log_exit(struct audit_
 	struct audit_watch_info *winfo;
 	struct hlist_node *pos;
+	if (context->pid == audit_pid) {
+		static int argh = 10;
+		if (argh) {
+			argh--;
+			printk(KERN_ERR "Eep. Trying to audit auditd.");
+			WARN_ON(1);
+		}
+		else return;
+		/* Let it continue anyway the first ten times, so we see why it was getting audited */
+	}
 	ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL);
 	if (!ab)
 		return;		/* audit_panic has been called */
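Review bot: The printk string "Eep. Trying to audit auditd." has no trailing "\n", so the message will run together with whatever the kernel logs next; add the newline (the WARN_ON(1) backtrace that follows will then be easier to read). Two further points on the same block: once the static counter `argh` reaches zero the `else return;` path silently discards every subsequent audit record generated under audit_pid, with no count of how many were dropped, which is fine for a debugging aid but is exactly why this must not stay in long-term, as the cover note already says; and the comment "Let it continue anyway the first ten times..." sits after the code it explains, so it reads as describing the closing brace. Moving the comment above the `if (argh)` and writing the branch as `} else {` / `return;` on separate lines would match the surrounding kernel style. The static counter is also not protected against concurrent syscall exits on SMP, which only affects how many warnings are printed, but worth noting in the comment.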


