[PATCH] PPID filtering fix

On Thu, Sep 28, 2006 at 04:03:06PM -0400, Eric Paris wrote:
> After some looking I did not see a way to get into audit_log_exit
> without having set the ppid.  So I am dropping the set from there and
> only doing it at the beginning.
>
> Please comment/ack/nak as soon as possible.

Ehh...  That's one hell of an overhead to be had ;-/  Let's be lazy.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 105147631753f1b4f68fc17878a0e4531b436593..b61c0191f3da59a657fb2e6f7196eff248884f0b 100644 (file)
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -278,8 +278,11 @@ static int audit_filter_rules(struct task_struct *tsk,
                        result = audit_comparator(tsk->pid, f->op, f->val);
                        break;
                case AUDIT_PPID:
-                       if (ctx)
+                       if (ctx) {
+                               if (!ctx->ppid)
+                                       ctx->ppid = sys_getppid();
                                result = audit_comparator(ctx->ppid, f->op, f->val);
+                       }
                        break;
                case AUDIT_UID:
                        result = audit_comparator(tsk->uid, f->op, f->val);
@@ -795,7 +798,8 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
 
        /* tsk == current */
        context->pid = tsk->pid;
-       context->ppid = sys_getppid();  /* sic.  tsk == current in all cases */
+       if (!context->ppid)
+               context->ppid = sys_getppid();
        context->uid = tsk->uid;
        context->gid = tsk->gid;
        context->euid = tsk->euid;
@@ -1137,6 +1141,7 @@ void audit_syscall_entry(int arch, int major,
        context->ctime      = CURRENT_TIME;
        context->in_syscall = 1;
        context->auditable  = !!(state == AUDIT_RECORD_CONTEXT);
+       context->ppid       = 0;
 }
 
 /**