
audit: Allow auditd to set pid to 0 to end auditing

The API to end auditing has historically been for auditd to set the
pid to 0. This patch restores that functionality.

See: https://github.com/linux-audit/audit-kernel/issues/69

Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Steve Grubb and committed by
Paul Moore
33e8a907 6e66ec3c

+16 -13
+16 -13
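--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1197,25 +1197,28 @@
 pid_t auditd_pid;
 struct pid *req_pid = task_tgid(current);
 
-/* sanity check - PID values must match */
-if (new_pid != pid_vnr(req_pid))
+/* Sanity check - PID values must match. Setting
+* pid to 0 is how auditd ends auditing. */
+if (new_pid && (new_pid != pid_vnr(req_pid)))
 return -EINVAL;
 
 /* test the auditd connection */
 audit_replace(req_pid);
 
 auditd_pid = auditd_pid_vnr();
-/* only the current auditd can unregister itself */
-if ((!new_pid) && (new_pid != auditd_pid)) {
-audit_log_config_change("audit_pid", new_pid,
-auditd_pid, 0);
-return -EACCES;
-}
-/* replacing a healthy auditd is not allowed */
-if (auditd_pid && new_pid) {
-audit_log_config_change("audit_pid", new_pid,
-auditd_pid, 0);
-return -EEXIST;
+if (auditd_pid) {
+/* replacing a healthy auditd is not allowed */
+if (new_pid) {
+audit_log_config_change("audit_pid",
+new_pid, auditd_pid, 0);
+return -EEXIST;
+}
+/* only current auditd can unregister itself */
+if (pid_vnr(req_pid) != auditd_pid) {
+audit_log_config_change("audit_pid",
+new_pid, auditd_pid, 0);
+return -EACCES;
+}
 }
 
 if (new_pid) {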
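Review bot: The new `-EACCES` check (`pid_vnr(req_pid) != auditd_pid`) sits inside `if (auditd_pid)`, so the only guard on a pid=0 request runs solely when `auditd_pid_vnr()` returns non-zero for the caller. Both sides of the comparison are namespace-relative numbers. If the helper can return 0 for a registered auditd that the caller's pid namespace cannot see (its definition is not shown here), the request would skip both rejections and reach the `if (new_pid) {` code after the hunk without an `audit_log_config_change()` record. I would state that dependency above the block, for example `/* assumes the caller shares auditd's pid namespace - confirm the earlier permission check guarantees it */`, or compare the registered auditd's `struct pid` with `req_pid` directly instead of the vnr values. The enclosing function starts and ends outside the hunk, so the restriction may already be enforced earlier.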