Hi, I noticed this suspicious line in the definition of the audit_filter_rules function in auditsc.c:

[...]
    case AUDIT_SESSIONID:
        sessionid = audit_get_sessionid(current); // <--- HERE
        result = audit_comparator(sessionid, f->op, f->val);
        break;
[...]

Here, the sessionid is retrieved from the current task pointer, while all the other code in this function compares against the tsk task pointer. It seems that it is not always guaranteed that tsk == current, so my question is: Is it intentional for some reason or should it be tsk instead of current?

Thanks,

--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
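
A user-space model of the question raised in the message above, added here as an illustration; it is not kernel code and not part of the original message. `struct task`, `current_task`, the simplified `comparator` and the session id values are constructed stand-ins; only the shape of the AUDIT_SESSIONID case follows the quoted snippet.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's task_struct; only the field needed here. */
struct task { unsigned int sessionid; };

/* Constructed stand-in for the kernel's "current" task pointer. */
static struct task *current_task;

enum cmp_op { OP_EQUAL, OP_NOT_EQUAL };

/* Simplified comparator modeled on the audit_comparator(left, op, right) call. */
static bool comparator(unsigned int left, enum cmp_op op, unsigned int right)
{
    return op == OP_EQUAL ? left == right : left != right;
}

/* Shape of the quoted case: the session id comes from "current", ignoring tsk. */
static bool match_sessionid_current(const struct task *tsk, enum cmp_op op, unsigned int val)
{
    (void)tsk;
    return comparator(current_task->sessionid, op, val);
}

/* Variant the message asks about: the session id comes from tsk. */
static bool match_sessionid_tsk(const struct task *tsk, enum cmp_op op, unsigned int val)
{
    return comparator(tsk->sessionid, op, val);
}

int main(void)
{
    struct task caller = { .sessionid = 7 };   /* constructed values */
    struct task target = { .sessionid = 42 };
    current_task = &caller;

    /* Rule "sessionid == 42", evaluated for target while caller is running. */
    printf("tsk != current: current-based=%d tsk-based=%d\n",
           match_sessionid_current(&target, OP_EQUAL, 42),
           match_sessionid_tsk(&target, OP_EQUAL, 42));
    /* When tsk == current, both variants agree. */
    printf("tsk == current: current-based=%d tsk-based=%d\n",
           match_sessionid_current(&caller, OP_EQUAL, 7),
           match_sessionid_tsk(&caller, OP_EQUAL, 7));
    return 0;
}
```

In this model the two variants differ only when the rule is evaluated for a task other than the running one, which is the situation the message asks about.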