From: Eric Paris
Subject: [PATCH] -V2 Allow ppid filtering on syscall auditing
Date: Thu, 28 Sep 2006 16:03:06 -0400
Message-ID: <1159473786.3228.138.camel@localhost.localdomain>
References: <1159409455.3228.84.camel@localhost.localdomain> <451B34D4.90607@hp.com>
In-Reply-To: <451B34D4.90607@hp.com>
To: Linda Knippers
Cc: linux-audit@redhat.com, David Woodhouse
List-Id: linux-audit@redhat.com

Currently ppid filtering on syscall auditing does not appear to work. An easy reproducer would be to do the following:

touch ./test
auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
chmod 000 ./test

no audit record will appear! (although !=[pid of your shell] will show all chmod commands from all processes regardless of the ppid)

With a little instrumentation I found that ctx->ppid == 0 inside audit_filter_rules(). I originally wanted to set the ppid during the context creation back in something like audit_alloc_context, but that didn't work, because at that point the new process had not forked off, so the ppid of the chmod process was actually its parent's parent's. Instead I set the ppid in audit_syscall_entry when we are actually building the specific context.

After some looking I did not see a way to get into audit_log_exit without having set the ppid. So I am dropping the set from there and only doing it at the beginning.

Please comment/ack/nak as soon as possible.

-Eric

 kernel/auditsc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.18.i686/kernel/auditsc.c.orig	2006-09-27 21:53:44.000000000 -0400
+++ linux-2.6.18.i686/kernel/auditsc.c	2006-09-28 15:51:44.000000000 -0400
@@ -795,7 +795,6 @@ static void audit_log_exit(struct audit_ /* tsk == current */ context->pid = tsk->pid; - context->ppid = sys_getppid(); /* sic. tsk == current in all cases */ context->uid = tsk->uid; context->gid = tsk->gid; context->euid = tsk->euid; @@ -1116,6 +1115,7 @@ void audit_syscall_entry(int arch, int m context->arch = arch; context->major = major; + context->ppid = sys_getppid(); context->argv[0] = a1; context->argv[1] = a2; context->argv[2] = a3;
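Review bot: in the audit_log_exit hunk, the removed `context->ppid = sys_getppid();` line was the only ppid capture on the exit path, and its `/* sic. tsk == current in all cases */` comment goes with it, so ppid becomes the one field in this block that is no longer refreshed at exit while pid, uid, gid and euid still are. The justification (no way to reach audit_log_exit without having passed audit_syscall_entry) is only in the cover letter; it should be recorded in the changelog, together with whether a ppid sampled at entry rather than at exit is acceptable for the record, since the two can in principle be taken at different times.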
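Review bot: in the audit_syscall_entry hunk, the new `context->ppid = sys_getppid();` is placed after `context->major = major;` and before the argv captures; the fix relies on it running before the entry-time filter that reads ctx->ppid (the cover letter says audit_filter_rules() saw ppid == 0), and that call is outside the visible context, so please confirm the ordering. Also, sys_getppid() is now evaluated on every audited syscall entry instead of only when an exit record is written; a sentence in the changelog on why that per-syscall cost is acceptable would help reviewers.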
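An added example, not part of Eric Paris's patch or of the kernel audit code: a small POSIX shell helper that applies the same `ppid=` / `ppid!=` comparison an auditctl `-F ppid=` rule expresses, but in userspace over audit SYSCALL records, so that after the kernel fix you can check which records a given rule should have produced. The sample records are constructed for this example; the `pid=` and `ppid=` field names follow the SYSCALL record layout.

```shell
#!/bin/sh
# Added example (not the patch's or the kernel's code): evaluate a
# "ppid=<n>" or "ppid!=<n>" filter against audit SYSCALL records.

# Print the value of a key=value field from one audit record line.
# $1 = record line, $2 = field name (e.g. ppid). Empty if absent.
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Return 0 when the record satisfies "ppid<op><value>", op being = or !=,
# 1 when it does not (or has no ppid field), 2 for an unknown operator.
ppid_rule_matches() {
    rec=$1; op=$2; want=$3
    got=$(audit_field "$rec" ppid)
    [ -n "$got" ] || return 1
    case $op in
        '=')  [ "$got" -eq "$want" ] ;;
        '!=') [ "$got" -ne "$want" ] ;;
        *)    return 2 ;;
    esac
}

# Read an audit log on stdin and print how many SYSCALL records match
# the rule "ppid<op><value>". Non-SYSCALL records (PATH, CWD, ...) are skipped.
count_matching() {
    op=$1; want=$2; n=0
    while IFS= read -r line; do
        case $line in
            type=SYSCALL*) ;;
            *) continue ;;
        esac
        if ppid_rule_matches "$line" "$op" "$want"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample log: three chmod SYSCALL records, two of them children
# of a shell with pid 3228, plus an unrelated PATH record.
SAMPLE_LOG='type=SYSCALL msg=audit(1159473786.001:10): arch=40000003 syscall=15 success=yes exit=0 pid=4010 ppid=3228 uid=500 comm="chmod" exe="/bin/chmod"
type=SYSCALL msg=audit(1159473786.002:11): arch=40000003 syscall=15 success=yes exit=0 pid=4011 ppid=1 uid=0 comm="chmod" exe="/bin/chmod"
type=SYSCALL msg=audit(1159473786.003:12): arch=40000003 syscall=15 success=yes exit=0 pid=4012 ppid=3228 uid=500 comm="chmod" exe="/bin/chmod"
type=PATH msg=audit(1159473786.003:12): item=0 name="./test"'

# Usage: what a rule "-F ppid=3228" should have produced, and its negation.
printf 'ppid=3228  matches: %s\n'  "$(printf '%s\n' "$SAMPLE_LOG" | count_matching '='  3228)"
printf 'ppid!=3228 matches: %s\n'  "$(printf '%s\n' "$SAMPLE_LOG" | count_matching '!=' 3228)"
```

With a working kernel-side ppid filter, a rule keyed on the shell's pid should yield exactly the records whose `ppid=` equals it (two here), and the negated rule the rest (one here); the cover letter's symptom, zero records for `ppid=` but everything for `ppid!=`, is what this comparison makes visible once you feed it the records `ausearch` returns.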