The API to end auditing has historically been for auditd to set the pid to 0. This patch restores that functionality.
Signed-off-by: sgrubb <[email protected]> --- kernel/audit.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 6dd556931739..1baabc9539b4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1197,8 +1197,9 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) pid_t auditd_pid; struct pid *req_pid = task_tgid(current); - /* sanity check - PID values must match */ - if (new_pid != pid_vnr(req_pid)) + /* Sanity check - PID values must match. A 0 + * pid is how auditd normally ends auditing. */ + if (new_pid && (new_pid != pid_vnr(req_pid))) return -EINVAL; /* test the auditd connection */ @@ -1206,7 +1207,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) auditd_pid = auditd_pid_vnr(); /* only the current auditd can unregister itself */ - if ((!new_pid) && (new_pid != auditd_pid)) { + if (new_pid && auditd_pid && (new_pid != auditd_pid)) { audit_log_config_change("audit_pid", new_pid, auditd_pid, 0); return -EACCES; -- 2.13.6 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
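Review bot: With the two new conditions, a request with `new_pid == 0` is checked against neither the requester nor the registered daemon: the first hunk skips the `pid_vnr(req_pid)` match when the pid is 0, and the second hunk's test `new_pid && auditd_pid && (new_pid != auditd_pid)` is always false when `new_pid` is 0. The retained comment `/* only the current auditd can unregister itself */` therefore no longer describes the code, and any caller that reaches this path (privilege checks, if any, are outside the visible hunks) could unregister a running auditd and stop audit delivery. Consider keeping the unregister case tied to the requester, e.g. `if (!new_pid && auditd_pid && (pid_vnr(req_pid) != auditd_pid))` returning `-EACCES`, and handling replacement of a live auditd by a non-zero pid as a separate branch with its own comment. The body of `audit_receive_msg` starts and ends outside both hunks.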
