path: root/kernel/audit.c
diff options
authorRichard Guy Briggs <>2013-06-21 14:47:13 -0400
committerEric Paris <>2014-01-13 22:31:27 -0500
commit34eab0a7cd45ce0eab744a86a85d83aa7ddf99a5 (patch)
tree43ddd9b7dc7ae2e864bf591e5707381f8c7b4075 /kernel/audit.c
parentce0d9f04699706843e8a494d12cf6c7663d478c7 (diff)
audit: prevent an older auditd shutdown from orphaning a newer auditd startup
There have been reports of auditd restarts resulting in kaudit not being able to find a newly registered auditd. It results in reports such as: kernel: [ 2077.233573] audit: *NO* daemon at audit_pid=1614 kernel: [ 2077.234712] audit: audit_lost=97 audit_rate_limit=0 audit_backlog_limit=320 kernel: [ 2077.234718] audit: auditd disappeared (previously mis-spelled "dissapeared") One possible cause is a race between the shutdown of an older auditd and a newer one. If the newer one sets the daemon pid to itself in kauditd before the older one has cleared the daemon pid, the newer daemon pid will be erased. This could be caused by an automated system, or by manual intervention, but in either case, there is no use in having the older daemon clear the daemon pid reference since its old pid is no longer being referenced. This patch will prevent that specific case, returning an error of EACCES. The case for preventing a newer auditd from registering itself if there is an existing auditd is a more difficult case that is beyond the scope of this patch. Signed-off-by: Richard Guy Briggs <> Signed-off-by: Eric Paris <>
Diffstat (limited to 'kernel/audit.c')
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/audit.c b/kernel/audit.c
index c460f33c2801..f207289d686b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -815,6 +815,8 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (s.mask & AUDIT_STATUS_PID) {
int new_pid =;
+ if ((!new_pid) && (task_tgid_vnr(current) != audit_pid))
+ return -EACCES;
if (audit_enabled != AUDIT_OFF)
audit_log_config_change("audit_pid", new_pid, audit_pid, 1);
audit_pid = new_pid;