linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: netlink messages sent from the kernel should set nlmsghdr->nlmsg_pid to zero #34

Closed pcmoore closed 7 years ago

pcmoore commented 7 years ago

The nlmsghdr->nlmsg_pid represents the sending task's Netlink port ID, which in the case of the kernel is 0 (zero). Historically the kernel audit subsystem has used a variety of different values, depending on the call site. Thankfully the audit userspace does not appear to check the port ID set in the Netlink message header as @rgbriggs states:

Ok, after digging through audit_get_reply() and adjust_reply(), I see that you are checking the sockaddr_nl member nl_pid, which is set by netlink, and not checking the struct nlmsghdr member nlmsg_pid at all, which was set by kaudit. The latter is what I was asking about, so this value is ignored and it doesn't matter. You are using the nlmsghdr members nlmsg_type, nlmsg_len, nlmsg_seq, nlmsg_flags, but not nlmsg_pid.

rgbriggs commented 7 years ago

So essentially, we don't care, OR we can fix it since it isn't used by the audit suite yet (but may be used by other tools using the audit unicast socket).

pcmoore commented 7 years ago

Upstream RFC patch: https://www.redhat.com/archives/linux-audit/2017-March/msg00118.html

pcmoore commented 7 years ago

Resolved in the following commit:

commit 68580cc767c85b8af29c183e500a38191146f4d3
Author: Paul Moore <paul@paul-moore.com>
Date:   Tue Apr 11 15:38:22 2017 -0400

    audit: kernel generated netlink traffic should have a portid of 0

    We were setting the portid incorrectly in the netlink message headers,
    fix that to always be 0 (nlmsg_pid = 0).

    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
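Added example, not part of this issue or the audit code base: a minimal userspace-side parser for the netlink header that shows the two distinct port IDs discussed above, the sockaddr_nl nl_pid that netlink fills in on receive (what audit_get_reply()/adjust_reply() trust) and the nlmsghdr nlmsg_pid written by the kernel audit code, which the fix commit now always sets to 0. The sample messages, the non-zero "legacy" pid value and the helper names are constructed for illustration; AUDIT_GET and the nlmsghdr layout come from the kernel UAPI headers.

```python
import struct

# struct nlmsghdr (linux/netlink.h), native byte order:
#   __u32 nlmsg_len; __u16 nlmsg_type; __u16 nlmsg_flags; __u32 nlmsg_seq; __u32 nlmsg_pid;
NLMSGHDR = struct.Struct("=IHHII")
NLMSG_HDRLEN = NLMSGHDR.size          # 16 bytes
AUDIT_GET = 1000                      # audit message type, from linux/audit.h
KERNEL_PORTID = 0                     # the kernel's netlink port ID


def parse_nlmsghdr(buf):
    """Unpack one nlmsghdr and return its fields plus the payload bytes."""
    if len(buf) < NLMSG_HDRLEN:
        raise ValueError("buffer shorter than nlmsghdr")
    length, mtype, flags, seq, pid = NLMSGHDR.unpack_from(buf)
    if length < NLMSG_HDRLEN or length > len(buf):
        raise ValueError("nlmsg_len %d inconsistent with buffer" % length)
    return {"len": length, "type": mtype, "flags": flags, "seq": seq,
            "pid": pid, "payload": buf[NLMSG_HDRLEN:length]}


def check_kernel_origin(sender_nl_pid, hdr):
    """Findings for a message that is expected to come from the kernel.

    sender_nl_pid is sockaddr_nl.nl_pid as reported by netlink on receive;
    hdr["pid"] is nlmsghdr->nlmsg_pid as written into the header by kaudit.
    """
    findings = []
    if sender_nl_pid != KERNEL_PORTID:
        findings.append("sender port id %d is not the kernel" % sender_nl_pid)
    if hdr["pid"] != KERNEL_PORTID:
        findings.append("nlmsg_pid=%d; kernel-generated traffic should carry 0 "
                        "(pre-fix kernels set other values)" % hdr["pid"])
    return findings


def build_msg(mtype, seq, pid, payload):
    """Constructed sample: pack header + payload the way the kernel sends it."""
    return NLMSGHDR.pack(NLMSG_HDRLEN + len(payload), mtype, 0, seq, pid) + payload


if __name__ == "__main__":
    payload = b"type=STATUS msg=constructed"        # constructed, not real audit output
    fixed = build_msg(AUDIT_GET, 7, 0, payload)      # post-fix kernel: nlmsg_pid == 0
    legacy = build_msg(AUDIT_GET, 7, 4242, payload)  # pre-fix kernel: constructed non-zero pid
    for name, raw in (("fixed", fixed), ("legacy", legacy)):
        print(name, check_kernel_origin(0, parse_nlmsghdr(raw)) or "ok")
```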