[RFC][PATCH] Inherit loginuid from parent
Serge Hallyn
serue at us.ibm.com
Fri Jan 7 00:42:30 UTC 2005
This patch works for me. Odd thing is I would have thought I would have
noticed this behavior before.
I'm testing it by hacking auditctl.c to do an execl("/bin/sh",
"/bin/sh"); if it was called on a -L. Before the "auditctl -L 25,ab" my
loginuid is -1, after (on, say, a "auditctl -m cd") it is 25. Without
the patch, it is always -1.
Is that (-1 default loginuid until PAM sets it) the desired behavior?
-serge
On Thu, 2005-01-06 at 13:27 -0500, Stephen Smalley wrote:
> Hi,
>
> I might be mis-reading the code, but it appears that the current
> audit_alloc() code is not preserving the loginuid of the parent process
> for the child process upon a fork or clone. Instead, it is checking to
> see if the just-created child has an existing audit context and if so,
> copies the loginuid from it, which seems nonsensical, especially as it
> does nothing to free any existing audit context if one exists already.
> Does this patch look correct? In this context, tsk == the child, and
> current == the parent. The child has not yet started execution at this
> point; it is still being setup by the fork/clone code.
>
> --- linux-2.6.10/kernel/auditsc.c.orig 2005-01-06 13:11:51.000000000 -0500
> +++ linux-2.6.10/kernel/auditsc.c 2005-01-06 13:14:28.000000000 -0500
> @@ -549,8 +549,8 @@ int audit_alloc(struct task_struct *tsk)
>
> /* Preserve login uid */
> context->loginuid = -1;
> - if (tsk->audit_context)
> - context->loginuid = tsk->audit_context->loginuid;
> + if (current->audit_context)
> + context->loginuid = current->audit_context->loginuid;
>
> tsk->audit_context = context;
> set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
>
--
Serge Hallyn <serue at us.ibm.com>
More information about the Linux-audit
mailing list