[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC][PATCH] Inherit loginuid from parent

This patch works for me.  Odd thing is I would have thought I would have
noticed this behavior before.

I'm testing it by hacking auditctl.c to do an execl("/bin/sh",
"/bin/sh"); if it was called on a -L.  Before the "auditctl -L 25,ab" my
loginuid is -1, after (on, say, a "auditctl -m cd") it is 25.  Without
the patch, it is always -1.

Is that (-1 default loginuid until PAM sets it) the desired behavior?


On Thu, 2005-01-06 at 13:27 -0500, Stephen Smalley wrote:
> Hi,
> I might be mis-reading the code, but it appears that the current
> audit_alloc() code is not preserving the loginuid of the parent process
> for the child process upon a fork or clone.  Instead, it is checking to
> see if the just-created child has an existing audit context and if so,
> copies the loginuid from it, which seems nonsensical, especially as it
> does nothing to free any existing audit context if one exists already. 
> Does this patch look correct?  In this context, tsk == the child, and
> current == the parent.  The child has not yet started execution at this
> point; it is still being setup by the fork/clone code. 
> --- linux-2.6.10/kernel/auditsc.c.orig	2005-01-06 13:11:51.000000000 -0500
> +++ linux-2.6.10/kernel/auditsc.c	2005-01-06 13:14:28.000000000 -0500
> @@ -549,8 +549,8 @@ int audit_alloc(struct task_struct *tsk)
>  				/* Preserve login uid */
>  	context->loginuid = -1;
> -	if (tsk->audit_context)
> -		context->loginuid = tsk->audit_context->loginuid;
> +	if (current->audit_context)
> +		context->loginuid = current->audit_context->loginuid;
>  	tsk->audit_context  = context;
>  	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);
Serge Hallyn <serue us ibm com>

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]