Hi,
I noticed this suspicious line in the definition of the
audit_filter_rules function in auditsc.c:
[...]
case AUDIT_SESSIONID:
sessionid = audit_get_sessionid(current); // <--- HERE
result = audit_comparator(sessionid, f->op, f->val);
break;
[...]
Here, the sessionid is retrieved from the current task pointer, while
all the other code in this function compares against the tsk task
pointer. It seems that it is not always guaranteed that tsk ==
current, so my question is: Is it intentional for some reason or
should it be tsk instead of current?
Thanks,
--
Ondrej Mosnacek <omosnace at redhat dot com>
Associate Software Engineer, Security Technologies
Red Hat, Inc.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
