listening to /dev/audit in a pthread program
Paul Moore
paul.moore at hp.com
Fri Apr 20 22:45:27 UTC 2007
On Friday, April 20 2007 6:35:34 pm paul moore wrote:
> I have an test app that quite happily does an audit_set_pid and then sits
> there reading /dev/audit.
>
> It works fine if its in the lead thread. But when I run the same code in my
> real app it runs in a different thread. No matter what PID I pass to the
> audit subsystem it complains that nobody is listening
>
> I did audit_set_pid(....getpid...) - no (passes the pid of the manager
> thread)
> I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
>
> (I dont really mean I did gettid - I did syscall(_NR_gettid))
>
> I can see in the complaint message that I have given it the pid I intended
> to.
> I can see in gdb that my LWP id is the same as the one I send to the audit
> subsystem - ie gettid worked.
>
> Is this a known issue?
A little more information would be helpful, such as distribution (I'm guessing
SuSE?), kernel version, audit userspace version, etc.
-Paul "The Other One" Moore
--
paul moore
linux security @ hp
More information about the Linux-audit
mailing list