Eric Paris wrote:
> Currently ppid filtering on syscall auditing does not appear to work. An
> easy reproducer would be to do the following:
>
> touch ./test
> auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
> chmod 000 ./test
>
> no audit record will appear! (although !=[pid of your shell] will show
> all chmod commands from all processes regardless of the ppid)
>
> With a little instrumentation I found that ctx->ppid == 0 inside
> audit_filter_rules(). I originally wanted to set the ppid during the
> context creation back in something like audit_alloc_context, but that
> didn't work, because at that point the new process had not forked off,
> so the ppid of the chmod process was actually its parent's parent.
> Instead I set the ppid in audit_syscall_entry when we are actually
> building the specific context.
>
> Please comment/ack/nak as soon as possible.
>
> -Eric
>
> kernel/auditsc.c | 1 +
> 1 file changed, 1 insertion(+)
>
> --- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000
> -0400
> +++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000
> -0400
> @@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m
>
> context->arch = arch;
> context->major = major;
> + context->ppid = sys_getppid();
It looks like context->ppid is also being set in audit_log_exit(), which
could overwrite the value assigned here. Should the one in
audit_log_exit() be removed?

> context->argv[0] = a1;
> context->argv[1] = a2;
> context->argv[2] = a3;
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
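Review bot: the added `context->ppid = sys_getppid();` in the audit_syscall_entry hunk runs on every audited syscall entry whether or not any loaded rule filters on ppid, so it puts an extra parent-pid lookup on the syscall hot path; consider computing it lazily instead, only when audit_filter_rules() actually evaluates a ppid field, using the `ctx->ppid == 0` state noted in the description as the "not yet computed" marker. The reply's point about audit_log_exit() also assigning context->ppid should be resolved in the same direction: rather than removing that assignment outright, make it conditional on ppid still being 0, so the entry-time value used by the filter is not overwritten and the exit record still carries a ppid for contexts that never went through a ppid rule.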
