audit: Allow auditd to set pid to 0 to end auditing

The API to end auditing has historically been for auditd to set the pid to 0. This patch restores that functionality. See: https://github.com/linux-audit/audit-kernel/issues/69 Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Steve Grubb <sgrubb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Steve Grubb <sgrubb@redhat.com> 2017-10-17 18:29:22 -0400
committer: Paul Moore <paul@paul-moore.com> 2017-11-10 16:08:36 -0500
commit: 33e8a907804428109ce1d12301c3365d619cc4df (patch)
tree: 071112d019bfaa1efc3e668e47af42f6079fc870
parent: 6e66ec3cae02952fcfc285cb156c11dcc61f4453 (diff)
1 files changed, 16 insertions, 13 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index 67b3863261d4..64e1d0ec19de 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                        pid_t auditd_pid;
                        struct pid *req_pid = task_tgid(current);
-                        /* sanity check - PID values must match */
+                        /* Sanity check - PID values must match. Setting
-                        if (new_pid != pid_vnr(req_pid))
+                         * pid to 0 is how auditd ends auditing. */
+                        if (new_pid && (new_pid != pid_vnr(req_pid)))
                                return -EINVAL;
                        /* test the auditd connection */
                        audit_replace(req_pid);
                        auditd_pid = auditd_pid_vnr();
-                        /* only the current auditd can unregister itself */
+                        if (auditd_pid) {
-                        if ((!new_pid) && (new_pid != auditd_pid)) {
+                                /* replacing a healthy auditd is not allowed */
-                                audit_log_config_change("audit_pid", new_pid,
+                                if (new_pid) {
-                                                        auditd_pid, 0);
+                                        audit_log_config_change("audit_pid",
-                                return -EACCES;
+                                                        new_pid, auditd_pid, 0);
-                        }
+                                        return -EEXIST;
-                        /* replacing a healthy auditd is not allowed */
+                                }
-                        if (auditd_pid && new_pid) {
+                                /* only current auditd can unregister itself */
-                                audit_log_config_change("audit_pid", new_pid,
+                                if (pid_vnr(req_pid) != auditd_pid) {
-                                                        auditd_pid, 0);
+                                        audit_log_config_change("audit_pid",
-                                return -EEXIST;
+                                                        new_pid, auditd_pid, 0);
+                                        return -EACCES;
+                                }
                        }
                        if (new_pid) {
author	Steve Grubb <sgrubb@redhat.com>	2017-10-17 18:29:22 -0400
committer	Paul Moore <paul@paul-moore.com>	2017-11-10 16:08:36 -0500
commit	33e8a907804428109ce1d12301c3365d619cc4df (patch)
tree	071112d019bfaa1efc3e668e47af42f6079fc870
parent	6e66ec3cae02952fcfc285cb156c11dcc61f4453 (diff)

diff --git a/kernel/audit.c b/kernel/audit.c index 67b3863261d4..64e1d0ec19de 100644 --- a/kernel/audit.c +++ b/kernel/audit.c
@@ -1197,25 +1197,28 @@ static int audit_receive_msg(struct sk_buff skb, struct nlmsghdr nlh)
1197	pid_t auditd_pid;	1197	pid_t auditd_pid;
1198	struct pid *req_pid = task_tgid(current);	1198	struct pid *req_pid = task_tgid(current);
1199		1199
1200	/* sanity check - PID values must match */	1200	/* Sanity check - PID values must match. Setting
1201	if (new_pid != pid_vnr(req_pid))	1201	* pid to 0 is how auditd ends auditing. */
		1202	if (new_pid && (new_pid != pid_vnr(req_pid)))
1202	return -EINVAL;	1203	return -EINVAL;
1203		1204
1204	/* test the auditd connection */	1205	/* test the auditd connection */
1205	audit_replace(req_pid);	1206	audit_replace(req_pid);
1206		1207
1207	auditd_pid = auditd_pid_vnr();	1208	auditd_pid = auditd_pid_vnr();
1208	/* only the current auditd can unregister itself */	1209	if (auditd_pid) {
1209	if ((!new_pid) && (new_pid != auditd_pid)) {	1210	/* replacing a healthy auditd is not allowed */
1210	audit_log_config_change("audit_pid", new_pid,	1211	if (new_pid) {
1211	auditd_pid, 0);	1212	audit_log_config_change("audit_pid",
1212	return -EACCES;	1213	new_pid, auditd_pid, 0);
1213	}	1214	return -EEXIST;
1214	/* replacing a healthy auditd is not allowed */	1215	}
1215	if (auditd_pid && new_pid) {	1216	/* only current auditd can unregister itself */
1216	audit_log_config_change("audit_pid", new_pid,	1217	if (pid_vnr(req_pid) != auditd_pid) {
1217	auditd_pid, 0);	1218	audit_log_config_change("audit_pid",
1218	return -EEXIST;	1219	new_pid, auditd_pid, 0);
		1220	return -EACCES;
		1221	}
1219	}	1222	}
1220		1223
1221	if (new_pid) {	1224	if (new_pid) {