pcmoore closed this issue 7 years ago
So essentially, we don't care, OR we can fix it since it isn't used by the audit suite yet (but may be used by other tools using the audit unicast socket).
Upstream RFC patch: https://www.redhat.com/archives/linux-audit/2017-March/msg00118.html
Resolved in the following commit:
commit 68580cc767c85b8af29c183e500a38191146f4d3
Author: Paul Moore <paul@paul-moore.com>
Date: Tue Apr 11 15:38:22 2017 -0400

    audit: kernel generated netlink traffic should have a portid of 0

    We were setting the portid incorrectly in the netlink message headers,
    fix that to always be 0 (nlmsg_pid = 0).

    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
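An added example, not part of this thread and not code from the kernel or the audit userspace: a receiver-side check a tool reading the audit unicast socket could apply, where the sender address filled in by `recvfrom()` identifies the kernel (port 0) and the header's `nlmsg_pid` is reported separately, because kernels without this commit put other values there. The enum and function names are hypothetical, and the sample message is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Result codes (hypothetical names, used only by this example). */
enum origin { FROM_KERNEL, BAD_SOCKADDR, USER_SENDER, BAD_LENGTH, HDR_PORTID_NONZERO };

/*
 * Classify one received netlink datagram.
 * from/fromlen: sender address as filled in by recvfrom()/recvmsg().
 * buf/len:      received bytes, beginning with a struct nlmsghdr.
 */
static enum origin check_kernel_origin(const struct sockaddr_nl *from, socklen_t fromlen,
                                       const void *buf, size_t len)
{
    struct nlmsghdr nlh;

    if (fromlen != sizeof(*from) || from->nl_family != AF_NETLINK)
        return BAD_SOCKADDR;
    /* The socket layer records the real sender here; the kernel is port 0. */
    if (from->nl_pid != 0)
        return USER_SENDER;
    if (len < sizeof(nlh))
        return BAD_LENGTH;
    memcpy(&nlh, buf, sizeof(nlh));          /* copy out: buf may be unaligned */
    if (nlh.nlmsg_len < sizeof(nlh) || nlh.nlmsg_len > len)
        return BAD_LENGTH;
    /* The field the commit fixes. Kernels without the fix may set it non-zero,
     * so a caller can log this result instead of dropping the message. */
    if (nlh.nlmsg_pid != 0)
        return HDR_PORTID_NONZERO;
    return FROM_KERNEL;
}

/* Constructed sample: a header-only message with chosen sender and header port IDs. */
static enum origin sample(unsigned int sender_port, unsigned int hdr_port)
{
    struct sockaddr_nl from = { .nl_family = AF_NETLINK, .nl_pid = sender_port };
    struct nlmsghdr nlh = { .nlmsg_len = NLMSG_HDRLEN, .nlmsg_pid = hdr_port };
    return check_kernel_origin(&from, sizeof(from), &nlh, sizeof(nlh));
}

int main(void)
{
    printf("kernel sender, header portid 0:    %d\n", sample(0, 0));
    printf("kernel sender, header portid 1234: %d\n", sample(0, 1234));
    printf("userspace sender (port 4321):      %d\n", sample(4321, 0));
    return 0;
}
```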
The nlmsghdr->nlmsg_pid represents the sending task's Netlink port ID, which in the case of the kernel is 0 (zero). Historically the kernel audit subsystem has used a variety of different values, depending on the call site. Thankfully the audit userspace does not appear to check the port ID set in the Netlink message header as @rgbriggs states: