Make all plugins ignore SIGTERM if not from auditd

stevegrubb · stevegrubb · commit 8d77c0fa1626 · 2025-06-28T07:53:41.000-04:00
diff --git a/ChangeLog b/ChangeLog
@@ -5,7 +5,7 @@
 - Add support for "exec" action in max_log_file_action in auditd
 - Refactor auparse code to be multi-thread safe
 - Add memory pool to netlink event processing to reduce memory churn
-- Make af_unix plugin ignore SIGTERM if not from auditd
+- Make all plugins ignore SIGTERM if not from auditd (issue #469)
 
 4.0.5
 - Rework audisp queue to be lockless
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
@@ -120,9 +120,15 @@ gss_ctx_id_t my_context;
 
 /*
  * SIGTERM handler
+ *
+ * Only honor the signal if it comes from the parent process so that other
+ * tasks (cough, systemctl, cough) can't make the plugin exit without
+ * the dispatcher in agreement. Otherwise it will restart the plugin.
  */
-static void term_handler( int sig )
+static void term_handler(int sig, siginfo_t *info, void *ucontext)
 {
+	if (info && info->si_pid != getppid())
+		return;
         stop = 1;
 }
 
@@ -499,8 +505,6 @@ int main(int argc, char *argv[])
 	sa.sa_flags = 0;
 	sigemptyset(&sa.sa_mask);
 	/* Set handler for the ones we care about */
-	sa.sa_handler = term_handler;
-	sigaction(SIGTERM, &sa, NULL);
 	sa.sa_handler = hup_handler;
 	sigaction(SIGHUP, &sa, NULL);
 	sa.sa_handler = user1_handler;
@@ -509,6 +513,9 @@ int main(int argc, char *argv[])
 	sigaction(SIGUSR2, &sa, NULL);
 	sa.sa_handler = child_handler;
 	sigaction(SIGCHLD, &sa, NULL);
+	sa.sa_sigaction = term_handler;
+	sa.sa_flags = SA_SIGINFO;
+	sigaction(SIGTERM, &sa, NULL);
 	if (load_config(&config, CONFIG_FILE))
 		return 6;
 
diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c
@@ -44,9 +44,15 @@ static int interpret = 0;
 
 /*
  * SIGTERM handler
+ *
+ * Only honor the signal if it comes from the parent process so that other
+ * tasks (cough, systemctl, cough) can't make the plugin exit without
+ * the dispatcher in agreement. Otherwise it will restart the plugin.
  */
-static void term_handler( int sig )
+static void term_handler(int sig, siginfo_t *info, void *ucontext)
 {
+	if (info && info->si_pid != getppid())
+		return;
         stop = 1;
 }
 
@@ -220,10 +226,11 @@ int main(int argc, const char *argv[])
 	sa.sa_flags = 0;
 	sigemptyset(&sa.sa_mask);
 	/* Set handler for the ones we care about */
-	sa.sa_handler = term_handler;
-	sigaction(SIGTERM, &sa, NULL);
 	sa.sa_handler = hup_handler;
 	sigaction(SIGHUP, &sa, NULL);
+	sa.sa_sigaction = term_handler;
+	sa.sa_flags = SA_SIGINFO;
+	sigaction(SIGTERM, &sa, NULL);
 
 #ifdef HAVE_LIBCAP_NG
 	// Drop capabilities
diff --git a/audisp/plugins/zos-remote/zos-remote-plugin.c b/audisp/plugins/zos-remote/zos-remote-plugin.c
@@ -60,12 +60,17 @@ static pthread_t submission_thread;
 pid_t mypid = 0;
 
 /*
- * SIGTERM handler 
+ * SIGTERM handler
+ *
+ * Only honor the signal if it comes from the parent process so that other
+ * tasks (cough, systemctl, cough) can't make the plugin exit without
+ * the dispatcher in agreement. Otherwise it will restart the plugin.
  */
-static void term_handler(int sig)
+static void term_handler(int sig, siginfo_t *info, void *ucontext)
 {
 	UNUSED(sig);
-        log_info("Got Termination signal - shutting down plugin");
+	if (info && info->si_pid != getppid())
+		return;
         stop = 1;
         nudge_queue();
 }
@@ -427,14 +432,15 @@ int main(int argc, char *argv[])
          */
         sa.sa_flags = 0;
         sigemptyset(&sa.sa_mask);
-        sa.sa_handler = term_handler;
-        sigaction(SIGTERM, &sa, NULL);
         sa.sa_handler = hup_handler;
         sigaction(SIGHUP, &sa, NULL);
         sa.sa_handler = alarm_handler;
         sigaction(SIGALRM, &sa, NULL);
+        sa.sa_sigaction = term_handler;
+        sa.sa_flags = SA_SIGINFO;
+        sigaction(SIGTERM, &sa, NULL);
 
-        /* 
+        /*
          * the main program accepts a single (optional) argument:
          * it's configuration file (this is NOT the plugin configuration
          * usually located at /etc/audit/plugins.d)
diff --git a/contrib/plugin/audisp-example.c b/contrib/plugin/audisp-example.c
@@ -66,9 +66,15 @@ static void handle_event(auparse_state_t *au,
 
 /*
  * SIGTERM handler
+ *
+ * Only honor the signal if it comes from the parent process so that other
+ * tasks (cough, systemctl, cough) can't make the plugin exit without
+ * the dispatcher in agreement. Otherwise it will restart the plugin.
  */
-static void term_handler(int sig)
+static void term_handler(int sig, siginfo_t *info, void *ucontext)
 {
+	if (info && info->si_pid != getppid())
+		return;
         stop = 1;
 }
 
@@ -99,10 +105,11 @@ int main(int argc, char *argv[])
 	sa.sa_flags = 0;
 	sigemptyset(&sa.sa_mask);
 	/* Set handler for the ones we care about */
-	sa.sa_handler = term_handler;
-	sigaction(SIGTERM, &sa, NULL);
 	sa.sa_handler = hup_handler;
 	sigaction(SIGHUP, &sa, NULL);
+	sa.sa_sigaction = term_handler;
+	sa.sa_flags = SA_SIGINFO;
+	sigaction(SIGTERM, &sa, NULL);
 	/* Set STDIN non-blocking */
 	fcntl(0, F_SETFL, O_NONBLOCK);
 
