Unregister PID from kernel on client close

If SetPID was used then unregister our PID for a clean exit.

Author: andrewkroh

CHANGELOG.md

@@ -7,6 +7,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 
 - Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
+- The AuditClient will unregister with the kernel if `SetPID` has been called. #19
 
 ### Changed
 

audit.go

@@ -75,8 +75,9 @@ const (
 // AuditClient is a client for communicating with the Linux kernels audit
 // interface over netlink.
 type AuditClient struct {
-	Netlink     NetlinkSendReceiver
-	pendingAcks []uint32
+	Netlink         NetlinkSendReceiver
+	pendingAcks     []uint32
+	clearPIDOnClose bool
 }
 
 // NewMulticastAuditClient creates a new AuditClient that binds to the multicast
@@ -292,6 +293,7 @@ func (c *AuditClient) SetPID(wm WaitMode) error {
 		Mask: AuditStatusPID,
 		PID:  uint32(os.Getpid()),
 	}
+	c.clearPIDOnClose = true
 	return c.set(status, wm)
 }
 
@@ -370,6 +372,13 @@ func (c *AuditClient) Receive(nonBlocking bool) (*RawAuditMessage, error) {
 
 // Close closes the AuditClient and frees any associated resources.
 func (c *AuditClient) Close() error {
+	// Unregister from the kernel for a clean exit.
+	status := AuditStatus{
+		Mask: AuditStatusPID,
+		PID:  0,
+	}
+	c.set(status, NoWait)
+
 	return c.Netlink.Close()
 }
 

audit_test.go

@@ -17,6 +17,7 @@
 package libaudit
 
 import (
+	"encoding/base64"
 	"encoding/hex"
 	"flag"
 	"fmt"
@@ -26,8 +27,7 @@ import (
 	"testing"
 	"time"
 
-	"encoding/base64"
-
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -483,12 +483,13 @@ func TestAuditClientReceive(t *testing.T) {
 	// Depending on the kernel version, it will reply with an AUDIT_REPLACE (1329)
 	// message, followed by an AUDIT_CONFIG_CHANGE (1305) message, followed
 	// by an ACK. Older kernels seem to not send the AUDIT_CONFIG_CHANGE message.
-	err = client.SetPID(NoWait)
-	if err != nil {
+	if err = client.SetPID(WaitForReply); err == nil {
 		t.Fatal("set pid failed:", err)
+	} else if errors.Cause(err) != syscall.EEXIST {
+		t.Fatal("expected second SetPID call to result in EEXISTS but got", err)
 	}
 
-	// Expect at least 2 messages caused by our previous call.
+	// Expect at least 1 message caused by our previous call (CONFIG_CHANGE).
 	var msgCount int
 	for i := 0; i < 10; i++ {
 		msg, err := client.Receive(true)
@@ -502,7 +503,7 @@ func TestAuditClientReceive(t *testing.T) {
 			msgCount++
 		}
 	}
-	assert.True(t, msgCount >= 2, "expected at least two messages")
+	assert.True(t, msgCount >= 1, "expected at least one messages")
 }
 
 func TestAuditStatusMask(t *testing.T) {