auditd(8) doesn't register its signals interruptibly #34
Comments
asomers
added a commit
to asomers/openbsm
that referenced
this issue
Jun 28, 2018
auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include: * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2). * Same with SIGHUP * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup. Fix by using sigaction(2) instead of signal(3). Fixes openbsm#34
asomers
added a commit
to asomers/openbsm
that referenced
this issue
Jun 28, 2018
auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include: * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2). * Same with SIGHUP * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup. Fix by using sigaction(2) instead of signal(3). Fixes openbsm#34
cemeyer
pushed a commit
that referenced
this issue
Jul 3, 2018
auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include: * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2). * Same with SIGHUP * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup. Fix by using sigaction(2) instead of signal(3). Fixes #34
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
auditd(8) assumes that read(2)s of /dev/audit are interruptible by signals. It relies on these reads being interrupted by SIGCHLD, SIGTERM, and SIGHUP. However, reads of this device aren't actually interruptible, because the signal handlers are registered with
signal(3), which is a wrapper aroundsigactionwithSA_RESTART.Symptoms:
Downstream bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229381
The text was updated successfully, but these errors were encountered: