[PATCH] Allow ppid filtering on syscall auditing

Linda Knippers linda.knippers at hp.com
Thu Sep 28 02:35:00 UTC 2006


Eric Paris wrote:
> Currently ppid filtering on syscall auditing does not appear to work. An
> easy reproducer would be to do the following:
> 
> touch ./test
> auditctl -a entry,always -S chmod -F ppid=[pid of your shell]
> chmod 000 ./test
> 
> no audit record will appear! (although !=[pid of your shell] will show
> all chmod commands from all processes regardless of the ppid)
> 
> With a little instrumentation I found that ctx->ppid == 0 inside
> audit_filter_rules().  I originally wanted to set the ppid during the
> context creation back in something like audit_alloc_context but that
> didn't work, because at that point the new process had not forked off,
> so the ppid of the chmod process was actually its parent's parent.
> Instead I set the ppid in audit_syscall_entry when we are actually
> building the specific context.
> 
> Please comment/ack/nak as soon as possible.
> 
> -Eric
> 
>  kernel/auditsc.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> --- linux-2.6.18.i686/kernel/auditsc.c.orig	2006-09-27 21:53:44.000000000 -0400
> +++ linux-2.6.18.i686/kernel/auditsc.c	2006-09-27 21:54:05.000000000 -0400
> @@ -1116,6 +1116,7 @@ void audit_syscall_entry(int arch, int m
>  
>  	context->arch	    = arch;
>  	context->major      = major;
> +	context->ppid       = sys_getppid();

It looks like context->ppid is also being set in audit_log_exit(),
which could overwrite the value assigned here.  Should the one
in audit_log_exit() be removed?

>  	context->argv[0]    = a1;
>  	context->argv[1]    = a2;
>  	context->argv[2]    = a3;
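Review bot: the added line obtains the parent pid by calling the syscall handler sys_getppid() from inside audit_syscall_entry(); kernel code normally reads the parent's tgid from the task structure rather than invoking a syscall entry point, and as written the lookup runs on every audited syscall entry whether or not any rule filters on ppid, so a short comment on why this spot was chosen over context creation (the fork-ordering problem described above) would help the next reader. Since context->ppid is also assigned in audit_log_exit(), choose one place to set it and remove the other, so the value the filter matches on is the same one that ends up in the record.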
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit