Date: Fri, 29 Sep 2006 11:31:00 -0400
From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] Allow audit filtering by ppid, BZ 206425

This is BZ 206425

Currently ppid filtering on syscall auditing does not appear to work. An easy reproducer is as follows:

    touch ./test
    auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
    chmod 000 ./test

no audit record. (and !=[pid of your shell] will show all chmod commands from all processes regardless of the ppid)

With a little instrumentation I found that ctx->ppid == 0 inside audit_filter_rules() because it had never been set (and is only set in audit_log_exit.)

With input from aviro upstream we decided to set the ppid on the audit context lazily, thus minimizing overhead. The below patch will set the ppid only if we need to check the context against a ppid filter or if we are about to write out an audit entry and need to know the ppid.

This has been posted upstream and I expect it to make 2.6.19.

-Eric

diff --git a/kernel/auditsc.c b/kernel/auditsc.c index fb83c5c..fd77ce4 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -278,8 +278,11 @@ static int audit_filter_rules(struct tas result = audit_comparator(tsk->pid, f->op, f->val); break; case AUDIT_PPID: - if (ctx) + if (ctx) { + if (!ctx->ppid) + ctx->ppid = sys_getppid(); result = audit_comparator(ctx->ppid, f->op, f->val); + } break; case AUDIT_UID: result = audit_comparator(tsk->uid, f->op, f->val); @@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_ /* tsk == current */ context->pid = tsk->pid; - context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ + if (!context->ppid) + context->ppid = sys_getppid(); context->uid = tsk->uid; context->gid = tsk->gid; context->euid = tsk->euid; @@ -1132,6 +1136,7 @@ #endif context->ctime = CURRENT_TIME; context->in_syscall = 1; context->auditable = !!(state == AUDIT_RECORD_CONTEXT); + context->ppid = 0; } /**
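Review bot: In the audit_filter_rules() hunk, the lazy fill `ctx->ppid = sys_getppid()` reads the parent of `current`, not of `tsk`, so the cached value is only correct for callers that pass a non-NULL ctx together with tsk == current. The existing `if (ctx)` guard is what makes this hold today, but nothing in the hunk says so; a one-line comment like the `/* sic. tsk == current in all cases */` that audit_log_exit() used to carry would keep the next person from passing another task's context here. Also note that 0 doubles as the "not yet cached" sentinel, so for a task whose real ppid is 0 (pid 1) the lookup is simply repeated on every check, which is harmless but worth a comment.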
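Review bot: The audit_log_exit() hunk drops the `/* sic. tsk == current in all cases */` comment while the new `if (!context->ppid) context->ppid = sys_getppid();` still depends on exactly that assumption; please keep the comment on the new line. One behavioural consequence to document in the changelog: when a ppid filter matched at syscall entry, the exit record now logs the ppid cached at entry rather than a fresh sys_getppid(), so a parent that exits (and the child being reparented) during the syscall no longer changes what is logged. That is consistent with the filter decision, which is arguably the better property, but it is a change from the old always-fresh value.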
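Review bot: The `context->ppid = 0;` reset in the syscall-entry hunk is the piece that keeps the lazy cache from leaking a stale ppid into the next syscall on a reused context, so it deserves a short comment saying that it resets the AUDIT_PPID cache rather than looking like an unrelated initialisation. It would also be worth confirming that no path reads context->ppid between a context being allocated or reset and its first pass through this entry code, since the reset lives here rather than at allocation.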