On Monday, September 07, 2015 12:58:18 PM Richard Guy Briggs wrote: > On 15/09/07, Richard Guy Briggs wrote: > > Nothing prevents a new auditd starting up and replacing a valid > > audit_pid when an old auditd is still running, effectively starving out > > the old auditd since audit_pid no longer points to the old valid auditd. > > > > There isn't an easy way to detect if an old auditd is still running on > > the existing audit_pid other than attempting to send a message to see if > > it fails. If no message to auditd has been attempted since auditd died > > unnaturally or got killed, audit_pid will still indicate it is alive. > > > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > > Ok, self-nack on this one for a couple of problems... > netlink_getsockbyportid() is static to af_netlink.c and "pid" should be > task_tgid_vnr(current). Otherwise, any opinions on this approach? > > > --- > > Note: Would it be too bold to actually block the registration of a new > > auditd if the netlink_getsockbyportid() call succeeded? Would other > > checks be appropriate?
Hmm. It seems like we should prevent the registration of a new auditd if we already have an auditd instance connected, although as you say, that isn't the easiest thing to do. How painful would it be to return -EAGAIN to the new auditd while sending some sort of keep-alive/ping/etc. message to the old daemon to check its status? -- paul moore security @ redhat -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
