Question about audit_filter_rules
Richard Guy Briggs
rgb at redhat.com
Wed May 16 11:37:36 UTC 2018
On 2018-05-16 08:57, Ondrej Mosnacek wrote:
> Hi,
>
> I noticed this suspicious line in the definition of the
> audit_filter_rules function in auditsc.c:
>
> [...]
> case AUDIT_SESSIONID:
> sessionid = audit_get_sessionid(current); // <--- HERE
> result = audit_comparator(sessionid, f->op, f->val);
> break;
> [...]
>
> Here, the sessionid is retrieved from the current task pointer, while
> all the other code in this function compares against the tsk task
> pointer. It seems that it is not always guaranteed that tsk ==
> current, so my question is: Is it intentional for some reason or
> should it be tsk instead of current?
I'd agree you've found a bug. I can trace it to my 2016-11-20
commit 8fae47705685fcaa75a1fe4c8c3e18300a702979
("audit: add support for session ID user filter")
It appears it should in fact be tsk rather than current.
> Ondrej Mosnacek <omosnace at redhat dot com>
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list