elf: Do not signal LA_ACT_CONSISTENT for an empty namespace [BZ #26076]

The auditing interface identifies namespaces by their first loaded
module.  Once the namespace is empty, it is no longer possible to signal
LA_ACT_CONSISTENT for it because the first loaded module is already gone
at that point.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>

diff --git a/elf/dl-close.c b/elf/dl-close.c
index 73b2817bbf6059fe6dd171d803d068c1497fb86b..8e146ecee1d357ab74492a0f0c9f1810e330ed5d 100644 (file)
--- a/elf/dl-close.c
+++ b/elf/dl-close.c
@@ -781,8 +781,14 @@ _dl_close_worker (struct link_map *map, bool force)
   if (__glibc_unlikely (do_audit))
     {
       struct link_map *head = ns->_ns_loaded;
-      /* Do not call the functions for any auditing object.  */
-      if (head->l_auditing == 0)
+      /* If head is NULL, the namespace has become empty, and the
+        audit interface does not give us a way to signal
+        LA_ACT_CONSISTENT for it because the first loaded module is
+        used to identify the namespace.
+
+        Furthermore, do not notify auditors of the cleanup of a
+        failed audit module loading attempt.  */
+      if (head != NULL && head->l_auditing == 0)
        {
          struct audit_ifaces *afct = GLRO(dl_audit);
          for (unsigned int cnt = 0; cnt < GLRO(dl_naudit); ++cnt)