Tony Jones <[email protected]> wrote:

> I'm not seeing the 'tsk->real_cred' usage, can you clarify?
get_task_cred() and task_cred_xxxx() call __task_cred() which uses
tsk->real_cred. These are the real credentials of the process, and the ones
that are used when the process is being acted upon and the ones that are
visible through /proc.

However, if a task is acting upon something, task->cred is used instead. These
are not visible from the outside and may be overridden. current_cred_xxx()
uses these.

It's possible that the credentials being used in audit_filter_rules() are
incorrect under most circumstances and should be task->cred, not
task->real_cred.

David

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
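The distinction drawn in the message above, as a simplified userspace model (an added example, not kernel code and not part of the original message). The `model_*` helpers and the `rule_matches_*` functions are hypothetical stand-ins that only mirror the behaviour the message describes, and the uid values are constructed.

```c
#include <stdio.h>

/* Userspace model only: these types mimic, but are not, the kernel's. */
struct cred { unsigned int uid; };

struct task {
    const struct cred *real_cred; /* objective: used when the task is acted upon, shown in /proc */
    const struct cred *cred;      /* subjective: used when the task acts; may be overridden */
};

/* Models __task_cred(): reads the objective credentials. */
static const struct cred *model_task_cred(const struct task *t) { return t->real_cred; }

/* Models current_cred(): reads the subjective credentials. */
static const struct cred *model_current_cred(const struct task *t) { return t->cred; }

/* Models override_creds(): install temporary subjective creds, return the old ones. */
static const struct cred *model_override_creds(struct task *t, const struct cred *new_cred)
{
    const struct cred *old = t->cred;
    t->cred = new_cred;
    return old;
}

/* Models revert_creds(): restore the saved subjective creds. */
static void model_revert_creds(struct task *t, const struct cred *old) { t->cred = old; }

/* Hypothetical audit-style rule "uid == want", evaluated on either credential set. */
static int rule_matches_objective(const struct task *t, unsigned int want)
{
    return model_task_cred(t)->uid == want;
}
static int rule_matches_subjective(const struct task *t, unsigned int want)
{
    return model_current_cred(t)->uid == want;
}

int main(void)
{
    static const struct cred user = { 1000 }, service = { 0 }; /* constructed sample values */
    struct task t = { &user, &user };
    const struct cred *saved = model_override_creds(&t, &service);
    printf("overridden: objective uid==0? %d, subjective uid==0? %d\n",
           rule_matches_objective(&t, 0), rule_matches_subjective(&t, 0));
    model_revert_creds(&t, saved);
    printf("reverted:   objective uid==0? %d, subjective uid==0? %d\n",
           rule_matches_objective(&t, 0), rule_matches_subjective(&t, 0));
    return 0;
}
```

While the override is in place, a rule evaluated against `real_cred` and the same rule evaluated against `cred` give different answers for the same task.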
