From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: [PATCH] Allow ppid filtering on syscall auditing
Date: Wed, 27 Sep 2006 22:10:55 -0400
Message-ID: <1159409455.3228.84.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: David Woodhouse
List-Id: linux-audit@redhat.com

Currently ppid filtering on syscall auditing does not appear to work. An easy reproducer would be to do the following:

touch ./test
auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
chmod 000 ./test

no audit record will appear! (although !=[pid of your shell] will show all chmod commands from all processes regardless of the ppid)

With a little instrumentation I found that ctx->ppid == 0 inside audit_filter_rules(). I originally wanted to set the ppid during the context creation back in something like audit_alloc_context, but that didn't work, because at that point the new process had not forked off, so the ppid of the chmod process was actually its parent's parent's. Instead I set the ppid in audit_syscall_entry when we are actually building the specific context.

Please comment/ack/nak as soon as possible.

-Eric

 kernel/auditsc.c | 1 +
 1 file changed, 1 insertion(+)

--- linux-2.6.18.i686/kernel/auditsc.c.orig 2006-09-27 21:53:44.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditsc.c 2006-09-27 21:54:05.000000000 -0400
@@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m
 context->arch = arch;
 context->major = major;
+ context->ppid = sys_getppid();
 context->argv[0] = a1;
 context->argv[1] = a2;
 context->argv[2] = a3;
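Review bot: the added `context->ppid = sys_getppid();` in audit_syscall_entry runs on every audited syscall entry, whether or not any loaded rule has a ppid field, and it calls the syscall entry point sys_getppid() from inside the kernel instead of reading the parent pid directly. Since the problem you describe is that ctx->ppid is still 0 when audit_filter_rules() looks at it, the cheaper place to fill it in is the AUDIT_PPID case of audit_filter_rules() itself, e.g. `if (!ctx->ppid) ctx->ppid = sys_getppid();` immediately before the comparison, so the lookup only happens for the contexts that actually reach a ppid rule. Whichever placement is kept, the changelog should state that the value is the parent pid as seen at syscall entry, since that is what a `-F ppid=` rule will be compared against.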
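The timing argument in the mail (a ppid captured before the child has forked is the grandparent's pid, while the child's own getppid() after fork is the shell's pid) can be demonstrated from user space. The program below is an added example written for this page, not code from Eric Paris's patch or from the kernel; it assumes a POSIX system with fork(), pipe(), getppid() and waitpid(), and the names ppid_view, observe_ppid and ppid_rule_matches are the example's own.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (not from the patch or the kernel): compare getppid() taken
 * in the parent before fork() with getppid() taken in the child after fork().
 * All names here are the example's own. */
struct ppid_view {
    pid_t parent_pid;   /* the forking process, standing in for the shell */
    pid_t parent_ppid;  /* getppid() taken before fork(): the grandparent */
    pid_t child_ppid;   /* getppid() taken by the child: the shell's pid */
};

/* Fork a child that reports its getppid() back through a pipe.
 * Returns 0 on success, -1 on any failure. */
int observe_ppid(struct ppid_view *v)
{
    int fds[2];
    pid_t pid, reported;
    int status;

    if (pipe(fds) < 0)
        return -1;

    /* Captured in the parent, i.e. before the child exists. This is the
     * value a hook that runs at context allocation time would see: the
     * parent's parent, not the parent. */
    v->parent_pid = getpid();
    v->parent_ppid = getppid();

    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: the analogue of the chmod process at syscall entry. */
        reported = getppid();
        close(fds[0]);
        if (write(fds[1], &reported, sizeof reported) != (ssize_t)sizeof reported)
            _exit(1);
        _exit(0);
    }

    close(fds[1]);
    if (read(fds[0], &reported, sizeof reported) != (ssize_t)sizeof reported) {
        close(fds[0]);
        waitpid(pid, &status, 0);
        return -1;
    }
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;

    v->child_ppid = reported;
    return 0;
}

/* A "-F ppid=<value>" rule matches only when the recorded ppid equals value. */
int ppid_rule_matches(pid_t recorded_ppid, pid_t rule_value)
{
    return recorded_ppid == rule_value;
}

int main(void)
{
    struct ppid_view v;

    if (observe_ppid(&v) != 0) {
        perror("observe_ppid");
        return 1;
    }
    printf("shell pid %ld, shell's ppid %ld, child's ppid %ld\n",
           (long)v.parent_pid, (long)v.parent_ppid, (long)v.child_ppid);
    printf("rule ppid=%ld against ppid taken before fork: %s\n",
           (long)v.parent_pid,
           ppid_rule_matches(v.parent_ppid, v.parent_pid) ? "match" : "no match");
    printf("rule ppid=%ld against ppid taken in the child:  %s\n",
           (long)v.parent_pid,
           ppid_rule_matches(v.child_ppid, v.parent_pid) ? "match" : "no match");
    return 0;
}
```

The first comparison is the audit_alloc-time value the mail says did not work (it names the grandparent), the second is the value taken once the child exists, which is the one a `-F ppid=[pid of your shell]` rule has to see.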