[PATCH 2/5] audit: convert PPIDs to the inital PID namespace.
Oleg Nesterov
oleg at redhat.com
Mon Dec 30 17:07:38 UTC 2013
On 12/23, Richard Guy Briggs wrote:
>
> @@ -1839,10 +1839,10 @@ void audit_log_task_info(struct audit_buffer *ab, struct task_struct *tsk)
> spin_unlock_irq(&tsk->sighand->siglock);
>
> audit_log_format(ab,
> - " ppid=%ld pid=%d auid=%u uid=%u gid=%u"
> + " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> " euid=%u suid=%u fsuid=%u"
> " egid=%u sgid=%u fsgid=%u tty=%s ses=%u",
> - sys_getppid(),
> + task_ppid_nr(tsk),
Hmm. But sys_getppid() returns tgid, not pid.
This probably means that 1/5 should use task_tgid_nr_*() ?
Note that ->real_parent is not necessarily the group leader.
> @@ -459,7 +459,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> case AUDIT_PPID:
> if (ctx) {
> if (!ctx->ppid)
> - ctx->ppid = sys_getppid();
> + ctx->ppid = task_ppid_nr(tsk);
The same.
Oleg.
More information about the Linux-audit
mailing list