Question about audit_filter_rules

Richard Guy Briggs rgb at redhat.com
Wed May 16 11:37:36 UTC 2018


On 2018-05-16 08:57, Ondrej Mosnacek wrote:
> Hi,
> 
> I noticed this suspicious line in the definition of the
> audit_filter_rules function in auditsc.c:
> 
> [...]
> case AUDIT_SESSIONID:
>         sessionid = audit_get_sessionid(current);     // <--- HERE
>         result = audit_comparator(sessionid, f->op, f->val);
>         break;
> [...]
> 
> Here, the sessionid is retrieved from the current task pointer, while
> all the other code in this function compares against the tsk task
> pointer. It seems that it is not always guaranteed that tsk ==
> current, so my question is: Is it intentional for some reason or
> should it be tsk instead of current?

I'd agree you've found a bug.  I can trace it to my 2016-11-20
commit 8fae47705685fcaa75a1fe4c8c3e18300a702979
("audit: add support for session ID user filter")

It appears it should in fact be tsk rather than current.

> Ondrej Mosnacek <omosnace at redhat dot com>

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
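
The difference between the quoted AUDIT_SESSIONID case and the tsk form suggested in the reply, as an added userspace example that is not part of the original message and is not kernel code. The types, helper names and session IDs are simplified, constructed stand-ins for the kernel's task_struct, audit_field, audit_get_sessionid() and audit_comparator().

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code: the types and helpers below are
 * simplified stand-ins (assumptions) for the kernel's own. */
struct task  { unsigned int sessionid; };
enum   op    { OP_EQ, OP_NE };
struct field { enum op op; unsigned int val; };

static struct task *current_task;   /* stand-in for the kernel's `current` */

static unsigned int get_sessionid(const struct task *t) { return t->sessionid; }

static bool comparator(unsigned int left, enum op op, unsigned int right)
{
    return op == OP_EQ ? left == right : left != right;
}

/* AUDIT_SESSIONID case as quoted: reads the session ID from `current`. */
static bool match_quoted(const struct task *tsk, const struct field *f)
{
    (void)tsk;                      /* the task being filtered is ignored */
    return comparator(get_sessionid(current_task), f->op, f->val);
}

/* Same case reading the session ID from tsk, as the reply suggests. */
static bool match_tsk(const struct task *tsk, const struct field *f)
{
    return comparator(get_sessionid(tsk), f->op, f->val);
}

/* Evaluate "sessionid == rule_sid" for a target task while a task with
 * session caller_sid is `current`. Bit 0: quoted result, bit 1: tsk result. */
int evaluate(unsigned int caller_sid, unsigned int target_sid, unsigned int rule_sid)
{
    struct task caller = { caller_sid }, target = { target_sid };
    struct field f = { OP_EQ, rule_sid };
    current_task = &caller;
    return (match_quoted(&target, &f) ? 1 : 0) | (match_tsk(&target, &f) ? 2 : 0);
}

int main(void)
{
    /* Constructed session IDs: caller in session 7, target in session 42. */
    printf("rule==42: %d\n", evaluate(7, 42, 42));  /* quoted form misses the target */
    printf("rule==7:  %d\n", evaluate(7, 42, 7));   /* quoted form matches the wrong task */
    printf("same sid: %d\n", evaluate(42, 42, 42)); /* both forms agree */
    return 0;
}
```

When the caller and the target share a session ID the two forms agree, so the difference only shows up on paths where tsk is not current.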



