On 2017-10-13 19:53, Steve Grubb wrote:
> The API to end auditing has historically been for auditd to set the
> pid to 0. This patch restores that functionality.
Please include the issue number: See: https://github.com/linux-audit/audit-kernel/issues/69 > Signed-off-by: sgrubb <[email protected]> Reviewed-by: Richard Guy Briggs <[email protected]> > --- > kernel/audit.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 6dd556931739..1baabc9539b4 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -1197,8 +1197,9 @@ static int audit_receive_msg(struct sk_buff *skb, > struct nlmsghdr *nlh) > pid_t auditd_pid; > struct pid *req_pid = task_tgid(current); > > - /* sanity check - PID values must match */ > - if (new_pid != pid_vnr(req_pid)) > + /* Sanity check - PID values must match. A 0 > + * pid is how auditd normally ends auditing. */ > + if (new_pid && (new_pid != pid_vnr(req_pid))) > return -EINVAL; > > /* test the auditd connection */ > @@ -1206,7 +1207,7 @@ static int audit_receive_msg(struct sk_buff *skb, > struct nlmsghdr *nlh) > > auditd_pid = auditd_pid_vnr(); > /* only the current auditd can unregister itself */ > - if ((!new_pid) && (new_pid != auditd_pid)) { > + if (new_pid && auditd_pid && (new_pid != auditd_pid)) { > audit_log_config_change("audit_pid", new_pid, > auditd_pid, 0); > return -EACCES; > -- > 2.13.6 > > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <[email protected]> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
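Review bot: in the first hunk, the new `new_pid &&` guard on the sanity check means a request with pid 0 is never compared against `pid_vnr(req_pid)`, and the comment does not say where the requester is validated for that case. Either state in the comment which later check covers the zero case, or add one. As a style point, the two-line comment closes with `*/` on the text line; kernel multi-line comment style puts the closing `*/` on its own line.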
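Review bot: in the second hunk, the comment "only the current auditd can unregister itself" no longer matches the condition below it. With `new_pid && auditd_pid && (new_pid != auditd_pid)` the test only fires for a non-zero `new_pid`, so it rejects a registration by a different pid while an auditd is registered, and the unregister case (`new_pid` of 0) skips it entirely. Combined with the first hunk, as far as these two hunks show, a pid 0 request is not checked against `auditd_pid` at all. Suggest an explicit branch for `new_pid == 0` that compares `pid_vnr(req_pid)` with `auditd_pid` and returns -EACCES on mismatch, and updating the comment to describe both cases.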
