auditprint.go: Blocks at Receive when calling DeleteAllRules
I'm trying to run auditprint.go on an Ubuntu 16.04 machine. After I ran the program, there was no output. After adding some print statements, I found that the program blocks after calling DeleteAllRules in the main function. I followed the call hierarchy and the program actually gets blocked at the Receive function that gets called in auditGetReply:
    if m.Header.Type == syscall.NLMSG_ERROR {
        e := int32(hostEndian.Uint32(m.Data[0:4]))
        if e == 0 {
            // ACK response from the kernel; if chkAck is true
            // we just return as there is nothing left to do
            if chkAck {
                break done
            }
            // Otherwise, keep going so we can get the response
            // we want
            continue
        } else {
            return ret, fmt.Errorf("error while recieving reply %v", e)
        }
    }
After receiving the first message, the program enters this loop and, since chkAck is set to false, the program continues to the next loop and gets blocked at the Receive call.
I'm trying to get this working, but don't have any clue.
@sliceoflife07 thanks for the note on this
Off hand you may want to verify you don't have another auditd or something running on the host. Aside from that we'd need to look into this more to find out what's going on.
It works when I comment out the following lines (322-325, and 314-317) in the auditGetReply function:
    for _, m := range msgs {
        /*socketPID, err := s.GetPID() // I commented these lines
        if err != nil {
            return ret, err
        }*/
        if m.Header.Seq != seq {
            // Wasn't the sequence number we are looking for, just discard it
            continue
        }
        /*if int(m.Header.Pid) != socketPID { // I commented these lines
            // PID didn't match, just discard it
            continue
        }*/
        if m.Header.Type == syscall.NLMSG_DONE {
            break done
        }
        /* other codes */
    }
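
An added example, not part of the thread or of the project's code: to see which check drops a message while leaving both checks in place, this standalone trace applies the filters quoted above in the same order and names the outcome for each message. The `msg` type, the `classify` function, the sample messages and the little-endian decoding are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const nlmsgError, nlmsgDone = 2, 3 // message types from linux/netlink.h

// msg is a hypothetical, simplified stand-in for one parsed netlink message.
type msg struct {
	Type     uint16
	Seq, Pid uint32
	Data     []byte
}

// classify applies the checks in the order quoted in the thread and names the
// outcome; the bool reports whether the reply loop stops at this message.
func classify(m msg, seq uint32, socketPID int, chkAck bool) (string, bool) {
	switch {
	case m.Seq != seq:
		return "discard: seq mismatch", false
	case int(m.Pid) != socketPID:
		return fmt.Sprintf("discard: pid %d != socket pid %d", m.Pid, socketPID), false
	case m.Type == nlmsgDone:
		return "stop: NLMSG_DONE", true
	case m.Type != nlmsgError:
		return "pass: left to the code not shown in the thread", false
	case len(m.Data) < 4:
		return "stop: truncated NLMSG_ERROR payload", true
	}
	// Assumption: little-endian host; the quoted code uses hostEndian.
	if e := int32(binary.LittleEndian.Uint32(m.Data[:4])); e != 0 {
		return fmt.Sprintf("stop: kernel error %d", e), true
	}
	if chkAck {
		return "stop: ACK", true
	}
	return "continue: ACK, still waiting for the reply", false
}

func main() {
	// Constructed sample: an ACK for our socket, then a message carrying another port ID.
	msgs := []msg{{nlmsgError, 1, 4242, make([]byte, 4)}, {1013, 1, 4243, nil}}
	for _, m := range msgs {
		fmt.Println(classify(m, 1, 4242, false))
	}
}
```

When no message in a batch returns a stop outcome, the caller goes back to Receive, which is the blocking point described in the first post.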