[PATCH] security: lsm_audit: print pid and tid

Paul Moore paul at paul-moore.com
Tue Aug 30 20:18:08 UTC 2016


On Tue, Aug 30, 2016 at 11:03 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, August 17, 2016 4:58:02 PM EDT Paul Moore wrote:
>> On Tue, Jul 26, 2016 at 10:54 AM, Jeff Vander Stoep <jeffv at google.com> wrote:
>> > dump_common_audit_data() currently contains a field for pid, but the
>> > value printed is actually the thread ID, tid. Update this value to
>> > return the task group ID. Add a new field for tid. With this change
>> > the values printed by audit now match the values returned by the
>> > getpid() and gettid() syscalls.
>> >
>> > Signed-off-by: Jeff Vander Stoep <jeffv at google.com>
>> > ---
>> >
>> >  security/lsm_audit.c | 7 +++++--
>> >  1 file changed, 5 insertions(+), 2 deletions(-)
>>
>> Hi Jeff,
>>
>> Have you tested this against the audit-testsuite[1]?  We don't have an
>> explicit PID test yet, but at least two of the tests do test it as a
>> side effect.
>>
>> Steve, I don't see the thread ID listed in the field dictionary, are
>> you okay with using "tid" for this?
>
> Yes. Can someone add both?

Yes, I'll add "tid" to the field DB once we commit the kernel patch.

>> However, as far as I can see, the biggest problem with this patch is
>> that it adds a field in the middle of a record which will likely cause
>> the audit userspace tools to explode (or so I've been warned in the
>> past).  Steve, what say you about the userspace?
>
> This is OK. After picking out pid, search utilities scan for comm. They will
> just skip over the new field. If fields that we normally search change order,
> then we have a problem.
>
> So, ACK on my end.

Okay, thanks.  If we blow up your userspace I'll remind you of this
conversation ;)

-- 
paul moore
www.paul-moore.com
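
The ordering point discussed above, as an added example that is not part of the original thread and is not the audit userspace code: a forward scan that picks out pid and then looks for comm skips a tid field inserted between them, but fails once the two searched fields change order. The record strings, their layout and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records; the field layout is an assumption, not real output. */
static const char REC_OLD[] = "denied { read } for pid=4242 comm=\"worker\" name=\"f\"";
static const char REC_NEW[] = "denied { read } for pid=4242 tid=4250 comm=\"worker\" name=\"f\"";
static const char REC_SWAPPED[] = "denied { read } for comm=\"worker\" pid=4242 tid=4250";
static const char REC_PPID[] = "ppid=1 pid=4242 tid=4250 comm=\"worker\"";

/* Return the value of "name=" found at or after `from`, matching whole
 * field names only so that "pid" does not match inside "ppid". */
static const char *find_field(const char *from, const char *name)
{
    size_t n = strlen(name);
    for (const char *p = from; (p = strstr(p, name)) != NULL; p += n)
        if ((p == from || p[-1] == ' ') && p[n] == '=')
            return p + n + 1;
    return NULL;
}

/* Ordered scan: pick out pid, then look for comm after it.
 * Returns 0 on success, -1 if a field is missing or out of order. */
int scan_pid_comm(const char *rec, long *pid, char *comm, size_t len)
{
    const char *v = find_field(rec, "pid");
    if (!v) return -1;
    *pid = strtol(v, NULL, 10);
    v = find_field(v, "comm");      /* skips tid= or anything else in between */
    if (!v || *v != '"') return -1;
    const char *end = strchr(++v, '"');
    if (!end || (size_t)(end - v) >= len) return -1;
    memcpy(comm, v, (size_t)(end - v));
    comm[end - v] = '\0';
    return 0;
}

int main(void)
{
    const char *recs[] = { REC_OLD, REC_NEW, REC_SWAPPED, REC_PPID };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        long pid = 0;
        char comm[32] = "";
        int rc = scan_pid_comm(recs[i], &pid, comm, sizeof comm);
        printf("rc=%d pid=%ld comm=%s\n", rc, pid, comm);
    }
    return 0;
}
```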



