BUG: netlink messages sent from the kernel should set nlmsghdr->nlmsg_pid to zero

[pcmoore]

The nlmsghdr->nlmsg_pid represents the sending task's Netlink port ID, which in the case of the kernel is 0 (zero). Historically the kernel audit subsystem has used a variety of different values, depending on the call site. Thankfully the audit userspace does not appear to check the port ID set in the Netlink message header as @rgbriggs states:

Ok, after digging through audit_get_reply() and adjust_reply(), I see that you are checking the sockaddr_nl member nl_pid which is set by netlink, and not checking the struct nlmsghdr member nlmsg_pid at all, that was set by kaudit, the latter of which I was asking about, so this value is ignored and it doesn't matter. You are using the nlmsghdr members nlmsg_type, nlmsg_len, nlmsg_seq, nlmsg_flags, but not nlmsg_pid.

[rgbriggs]

So essentially, we don't care, OR we can fix it since it isn't used by the audit suite yet (but may be used by other tools using the audit unicast socket).

[pcmoore]

Upstream RFC patch: https://www.redhat.com/archives/linux-audit/2017-March/msg00118.html

[pcmoore]

Resolved in the following commit:

commit 68580cc767c85b8af29c183e500a38191146f4d3                                 
Author: Paul Moore <paul@paul-moore.com>                                        
Date:   Tue Apr 11 15:38:22 2017 -0400                                          

audit: kernel generated netlink traffic should have a portid of 0           

We were setting the portid incorrectly in the netlink message headers,      
fix that to always be 0 (nlmsg_pid = 0).                                    

Signed-off-by: Paul Moore <paul@paul-moore.com>                             
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>