audit_backlog_limit messages

David Woodhouse dwmw2 at infradead.org
Thu Jun 30 20:35:50 UTC 2005


On Thu, 2005-06-30 at 07:01 -0400, Steve Grubb wrote:
> Just a guess. It's using ctx->pid. Maybe tsk->pid is better?

You're right. We weren't setting ctx->pid when the context was
allocated, so checking it in audit_filter_syscall() wasn't having the
desired effect. This one really ought to fix it for real now...

--- linux-2.6.9/kernel/auditsc.c~	2005-06-30 17:51:02.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-06-30 21:29:48.000000000 +0100
@@ -527,7 +527,7 @@ static enum audit_state audit_filter_sys
 	int		   word = AUDIT_WORD(ctx->major);
 	int		   bit  = AUDIT_BIT(ctx->major);
 
-	if (audit_pid && ctx->pid == audit_pid)
+	if (audit_pid && tsk->pid == audit_pid)
 		return AUDIT_DISABLED;
 
 	rcu_read_lock();
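
Review bot: The new `tsk->pid == audit_pid` test at the top of audit_filter_syscall() stops reading ctx->pid, but per the message above ctx->pid is still never set when the context is allocated, so any other reader of that field keeps seeing an uninitialised value. Either initialise ctx->pid at allocation in the same patch or confirm that nothing else reads it. A short comment above the check saying that it exempts the audit daemon's own syscalls would also help, since after this patch it is the only place the exit path enforces that exemption.
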
@@ -612,7 +612,7 @@ static inline struct audit_context *audi
 	context->return_valid = return_valid;
 	context->return_code  = return_code;
 
-	if (context->in_syscall && !context->auditable && tsk->pid != audit_pid) {
+	if (context->in_syscall && !context->auditable) {
 		enum audit_state state;
 		state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
 		if (state == AUDIT_RECORD_CONTEXT)
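
Review bot: Dropping `tsk->pid != audit_pid` from the condition ahead of the audit_filter_syscall() call makes this exit path rely entirely on the callee returning AUDIT_DISABLED for the audit daemon, and nothing at the call site says so. Add a one-line comment here noting that the daemon exemption lives in audit_filter_syscall(), and check that the callee's test, which is gated on audit_pid being non-zero, covers every case the removed comparison did.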

-- 
dwmw2




