git.kernel.dk Git - linux-2.6-block.git/commit

author	Richard Guy Briggs <rgb@redhat.com>
	Fri, 21 Jun 2013 18:47:13 +0000 (14:47 -0400)
committer	Eric Paris <eparis@redhat.com>
	Tue, 14 Jan 2014 03:31:27 +0000 (22:31 -0500)
commit	34eab0a7cd45ce0eab744a86a85d83aa7ddf99a5
tree	43ddd9b7dc7ae2e864bf591e5707381f8c7b4075	tree \| snapshot
parent	ce0d9f04699706843e8a494d12cf6c7663d478c7	commit \| diff

audit: prevent an older auditd shutdown from orphaning a newer auditd startup

There have been reports of auditd restarts resulting in kaudit not being able
to find a newly registered auditd.  It results in reports such as:
kernel: [ 2077.233573] audit: *NO* daemon at audit_pid=1614
kernel: [ 2077.234712] audit: audit_lost=97 audit_rate_limit=0 audit_backlog_limit=320
kernel: [ 2077.234718] audit: auditd disappeared
(previously mis-spelled "dissapeared")

One possible cause is a race between the shutdown of an older auditd and a
newer one.  If the newer one sets the daemon pid to itself in kauditd before
the older one has cleared the daemon pid, the newer daemon pid will be erased.
This could be caused by an automated system, or by manual intervention, but in
either case, there is no use in having the older daemon clear the daemon pid
reference since its old pid is no longer being referenced.  This patch will
prevent that specific case, returning an error of EACCES.

The case for preventing a newer auditd from registering itself if there is an
existing auditd is a more difficult case that is beyond the scope of this
patch.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>