Currently ppid filtering on syscall auditing does not appear to work. An
easy reproducer would be to do the following:
touch ./test
auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
chmod 000 ./test
no audit record will appear! (although !=[pid of your shell] will show
all chmod commands from all processes regardless of the ppid)
With a little instrumentation I found that ctx->ppid == 0 inside
audit_filter_rules(). I originally wanted to set the ppid during the
context creation back in something like audit_alloc_context but that
didn't work. Because at that point the new process had not forked off
so the ppid of the chmod process was actually it's parents parents.
Instead I set the ppid in audit_syscall_entry when we are actually
building the specific context.
Please comment/ack/nak as soon as possible.
-Eric
kernel/auditsc.c | 1 +
1 file changed, 1 insertion(+)
--- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000
-0400
+++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000 -0400
@@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m
context->arch = arch;
context->major = major;
+ context->ppid = sys_getppid();
context->argv[0] = a1;
context->argv[1] = a2;
context->argv[2] = a3;
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
