Eric Paris wrote: > So I noticed today something strange, but maybe not wrong? > > lets say userspace starts 2 copies of auditd.
Will a second auditd actually start? Seems like it shouldn't. > Then they kill the first > copy. The kernel at that point thinks there is no userspace auditd > running and will instead send things to dmesg > > We could fix it by changing the handling in audit_receive_msg to reject > setting the audit_pid to 0 if the current audit_nlk_pid != > NETLINK_CB(skb).pid. > > It's not a big deal, maybe we just call results of audit with multiple > userspace auditd's running at the same time a undefined and not care. I think its something to be avoided. Can the 2nd auditd exit if there already is one? -- ljk > > Anyone think that's worth a patch? > > -Eric > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
