kernel-2.6.18-128.1.10.el5.src.rpm

Date: Fri, 29 Sep 2006 11:31:00 -0400
From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] Allow audit filtering by ppid, BZ 206425

This is BZ 206425

Currently ppid filtering on syscall auditing does not appear to work. An
easy reproducer is as follows:

touch ./test
auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
chmod 000 ./test

No audit record. (And !=[pid of your shell] will show all chmod commands
from all processes regardless of the ppid.)

With a little instrumentation I found that ctx->ppid == 0 inside
audit_filter_rules() because it had never been set (and is only set in
audit_log_exit.)  With input from aviro upstream we decided to set the
ppid on the audit context lazily thus minimizing overhead.  The below
patch will set the ppid only if we need to check the context against a
ppid filter or if we are about to write out an audit entry and need to
know the ppid.  This has been posted upstream and I expect it to make
2.6.19.

-Eric

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fb83c5c..fd77ce4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -278,8 +278,11 @@ static int audit_filter_rules(struct tas
 			result = audit_comparator(tsk->pid, f->op, f->val);
 			break;
 		case AUDIT_PPID:
-			if (ctx)
+			if (ctx) {
+				if (!ctx->ppid)
+					ctx->ppid = sys_getppid();
 				result = audit_comparator(ctx->ppid, f->op, f->val);
+			}
 			break;
 		case AUDIT_UID:
 			result = audit_comparator(tsk->uid, f->op, f->val);
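Review bot: the lazy fill in the AUDIT_PPID case uses sys_getppid(), which reports the parent of current rather than of tsk, so this is only correct under the same "tsk == current" assumption that the comment in audit_log_exit() records; a one-line comment next to the new `if (!ctx->ppid)` stating that would help the next reader. Also note that with 0 as the "unset" sentinel a genuine ppid of 0 cannot be distinguished from "not yet fetched", so it is simply re-fetched on each rule evaluation; harmless, but worth saying.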
@@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_
 
 	/* tsk == current */
 	context->pid = tsk->pid;
-	context->ppid = sys_getppid();	/* sic.  tsk == current in all cases */
+	if (!context->ppid)
+		context->ppid = sys_getppid();
 	context->uid = tsk->uid;
 	context->gid = tsk->gid;
 	context->euid = tsk->euid;
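Review bot: the removed comment `/* sic.  tsk == current in all cases */` still applies to the sys_getppid() call that remains under the new `if (!context->ppid)` guard; keep it rather than dropping it, since it is the only place that explains why a current-based syscall is used to fill a field of `context`. With the guard, the value written into the exit record is the same one the filter matched against earlier in the syscall, which is the intended behaviour.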
@@ -1132,6 +1136,7 @@ #endif
 	context->ctime      = CURRENT_TIME;
 	context->in_syscall = 1;
 	context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
+	context->ppid       = 0;
 }
 
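Review bot: the reset `context->ppid = 0;` at syscall entry is what makes the zero-means-unset convention in the other two hunks sound; without it a context reused across syscalls would carry the previous ppid into both the filter check and the exit record. It sits correctly alongside the other per-entry state (ctime, in_syscall, auditable), but a short comment saying ppid is filled lazily by audit_filter_rules() or audit_log_exit() would save a trip through the rest of the patch.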
 /**