Commit 935c9e7f authored by Richard Guy Briggs, committed by Paul Moore

audit: log failed attempts to change audit_pid configuration

Failed attempts to change the audit_pid configuration are not presently
logged.  One case is an attempt to starve an old auditd by starting up
a new auditd when the old one is still alive and active.  The other
case is an attempt to orphan a new auditd when an old auditd shuts
down.

Log both as AUDIT_CONFIG_CHANGE messages with failure result.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
parent 133e1e5a
...@@ -882,11 +882,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) ...@@ -882,11 +882,15 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
int new_pid = s.pid; int new_pid = s.pid;
pid_t requesting_pid = task_tgid_vnr(current); pid_t requesting_pid = task_tgid_vnr(current);
if ((!new_pid) && (requesting_pid != audit_pid)) if ((!new_pid) && (requesting_pid != audit_pid)) {
audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
return -EACCES; return -EACCES;
}
if (audit_pid && new_pid && if (audit_pid && new_pid &&
audit_replace(requesting_pid) != -ECONNREFUSED) audit_replace(requesting_pid) != -ECONNREFUSED) {
audit_log_config_change("audit_pid", new_pid, audit_pid, 0);
return -EEXIST; return -EEXIST;
}
if (audit_enabled != AUDIT_OFF) if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1); audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid; audit_pid = new_pid;
......
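Review bot: The two new failure-path calls to audit_log_config_change("audit_pid", new_pid, audit_pid, 0), in the -EACCES and -EEXIST branches, are unconditional, while the success-path call just below them is guarded by `if (audit_enabled != AUDIT_OFF)`. If recording rejected attempts even when auditing is off is the intent, state that in a comment above the first new call or in the commit message; otherwise apply the same guard to both new calls so failure and success records follow one policy. It would also help to document that in the failure records new_pid is the value that was requested and rejected, not one that took effect, since the arguments match the success record and only the trailing result flag (0 versus 1) distinguishes them.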