auditd(8) assumes that read(2)s of /dev/audit are interruptible by signals. It relies on these reads being interrupted by SIGCHLD, SIGTERM, and SIGHUP. However, reads of this device aren't actually interruptible. I don't know why, because audit_read _looks_ like it's doing the right thing.

Symptoms:
1) Sending SIGTERM to auditd doesn't kill it right away; you might send SIGTERM and then send a trigger with auditon(2).
2) Same with SIGHUP.
3) Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup.
Experimentally, TERM and HUP interrupt reads from /dev/audit, but not SIGCHLD:

$ sudo cat /dev/audit >/dev/null &
$ sudo pkill -HUP cat

etc.
I figured it out. The signal handler code is helpfully restarting the syscall for me. read(2) is actually returning to userland, but not to the stack from whence I called it. I need to use sigaction without SA_RESTART or siginterrupt to fix it. As is, auditd is using plain signal(), which automatically includes SA_RESTART.
Upstream bug: https://github.com/openbsm/openbsm/issues/34
A commit references this bug:

Author: asomers
Date: Tue Jul 3 17:37:17 UTC 2018
New revision: 335899
URL: https://svnweb.freebsd.org/changeset/base/335899

Log:
  auditd(8): register signal handlers interruptibly

  auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include:

  * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2).
  * Same with SIGHUP
  * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup.

  Fix by using sigaction(2) instead of signal(3).

  Cherry pick https://github.com/openbsm/openbsm/commit/d060887

  PR:                     229381
  Reviewed by:            cem
  Obtained from:          OpenBSM
  MFC after:              2 weeks
  Differential Revision:  https://github.com/openbsm/openbsm/pull/36

Changes:
  head/contrib/openbsm/bin/auditd/auditd.c
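The mechanism behind the diagnosis above (signal(3) registering handlers with SA_RESTART so the kernel transparently restarts the blocked read(2)) and the fix in r335899 (sigaction(2) without SA_RESTART) can be reproduced outside auditd. The following is an added C example, not code from auditd or OpenBSM: it blocks in read(2) on an empty pipe (standing in for /dev/audit), has a child process deliver SIGUSR1 (standing in for SIGTERM/SIGHUP/SIGCHLD) and then write one byte, and reports whether the read came back with EINTR or was silently restarted. The function names install_handler and probe_read_interruption are this example's own.

```c
/* Added example (not from auditd or OpenBSM): how SA_RESTART decides whether a
 * blocking read(2) is interrupted by a signal or transparently restarted. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

volatile sig_atomic_t signals_seen;

static void on_signal(int signo)
{
    (void)signo;
    signals_seen = 1;               /* async-signal-safe: only record the fact */
}

/* Install on_signal for signo. restart=1 mimics signal(3) on FreeBSD and glibc
 * (SA_RESTART set); restart=0 is the sigaction(2) form the auditd fix uses. */
int install_handler(int signo, int restart)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = restart ? SA_RESTART : 0;
    return sigaction(signo, &sa, NULL);
}

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Block in read(2) on an empty pipe while a child process first sends SIGUSR1
 * and, a little later, writes one byte so a restarted read can finish.
 * Returns 1 if read() failed with EINTR (the signal interrupted it),
 *         0 if read() was restarted and completed with the child's byte,
 *        -1 on a setup error. */
int probe_read_interruption(int restart)
{
    int fds[2];
    if (pipe(fds) == -1 || install_handler(SIGUSR1, restart) == -1)
        return -1;

    signals_seen = 0;
    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        sleep_ms(200);                          /* let the parent block in read */
        kill(getppid(), SIGUSR1);
        sleep_ms(200);                          /* handler has run by now */
        if (write(fds[1], "x", 1) == -1)        /* unblock a restarted read */
            _exit(1);
        _exit(0);
    }

    char c;
    ssize_t n = read(fds[0], &c, 1);
    int saved_errno = errno;

    waitpid(child, NULL, 0);                    /* reap before closing the pipe */
    close(fds[0]);
    close(fds[1]);

    if (n == -1 && saved_errno == EINTR)
        return 1;
    return n == 1 ? 0 : -1;
}

int main(void)
{
    int with_restart = probe_read_interruption(1);
    printf("SA_RESTART set   -> read interrupted? %d (signal seen: %d)\n",
           with_restart, (int)signals_seen);
    int without_restart = probe_read_interruption(0);
    printf("SA_RESTART clear -> read interrupted? %d (signal seen: %d)\n",
           without_restart, (int)signals_seen);
    return 0;
}
```

In both runs the handler executes (signals_seen becomes 1), which is exactly what made the auditd bug confusing: the signal is delivered, but with SA_RESTART the kernel re-enters read(2) afterwards, so the daemon's event loop never gets control back to act on the flag until something else (an auditon(2) trigger) makes the read return. A daemon whose loop depends on EINTR must install its handlers with sigaction(2) and leave SA_RESTART clear, or call siginterrupt(3).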
*** Bug 229580 has been marked as a duplicate of this bug. ***
Hello, Is this commit going to be backported to 11-STABLE? I'm still dealing with this on my system. :) Thanks
Yes, I'll merge it to stable/11.
A commit references this bug:

Author: asomers
Date: Fri Aug 3 14:03:51 UTC 2018
New revision: 337241
URL: https://svnweb.freebsd.org/changeset/base/337241

Log:
  MFC r335899:

  auditd(8): register signal handlers interruptibly

  auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include:

  * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2).
  * Same with SIGHUP
  * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup.

  Fix by using sigaction(2) instead of signal(3).

  Cherry pick https://github.com/openbsm/openbsm/commit/d060887

  PR:                     229381
  Reviewed by:            cem
  Obtained from:          OpenBSM
  Differential Revision:  https://github.com/openbsm/openbsm/pull/36

Changes:
_U  stable/11/
  stable/11/contrib/openbsm/bin/auditd/auditd.c
A commit references this bug:

Author: asomers
Date: Fri Aug 3 14:37:23 UTC 2018
New revision: 337257
URL: https://svnweb.freebsd.org/changeset/base/337257

Log:
  MFC r335899:

  auditd(8): register signal handlers interruptibly

  auditd_wait_for_events() relies on read(2) being interrupted by signals, but it registers signal handlers with signal(3), which sets SA_RESTART. That breaks asynchronous signal handling. It means that signals don't actually get handled until after an audit(8) trigger is received. Symptoms include:

  * Sending SIGTERM to auditd doesn't kill it right away; you must send SIGTERM and then send a trigger with auditon(2).
  * Same with SIGHUP
  * Zombie child processes don't get reaped until auditd receives a trigger sent by auditon. This includes children created by expiring audit trails at auditd startup.

  Fix by using sigaction(2) instead of signal(3).

  Cherry pick https://github.com/openbsm/openbsm/commit/d060887

  PR:                     229381
  Reviewed by:            cem
  Obtained from:          OpenBSM
  Differential Revision:  https://github.com/openbsm/openbsm/pull/36

Changes:
_U  stable/10/
  stable/10/contrib/openbsm/bin/auditd/auditd.c