On 12/23, Richard Guy Briggs wrote:
 Store and log all PIDs with reference to the initial PID namespace and
 use the access functions task_pid_nr() and task_tgid_nr() for task->pid
 and task->tgid rather than access them directly. 
At first glance this patch looks like a good cleanup, but...
 @@ -429,6 +429,19 @@ static struct audit_entry
*audit_data_to_entry(struct audit_rule_data *data,
  			f->val = 0;
  		}
 +		if ((f->type == AUDIT_PID) || (f->type == AUDIT_PPID)) {
 +			struct pid *pid;
 +			rcu_read_lock();
 +			pid = find_vpid(f->val);
 +			if (!pid) {
 +				rcu_read_unlock();
 +				err = -ESRCH;
 +				goto exit_free;
 +			}
 +			f->val = pid_nr(pid);
 +			rcu_read_unlock();
 +		} 
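Review bot: The find_vpid() lookup in the added block runs once, when the rule is loaded, so a rule can only name a PID that is alive in the caller's namespace at that moment; anything else is rejected with -ESRCH, and the stored init-namespace number goes on matching after that PID is recycled for another task. The translation also appears to be applied whatever f->op is, and an ordering comparison against a translated number means nothing in the caller's namespace; consider limiting it to equality tests, e.g. `(f->op == Audit_equal || f->op == Audit_not_equal)`. At minimum the block deserves a comment such as `/* f->val is resolved in the caller's pid namespace at rule-add time and stored as an init-namespace pid */`. audit_data_to_entry() starts before and ends after the quoted hunk, so the exit_free path is not visible here.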
I do not really understand this change, but this doesn't matter, I do
not understand audit.
However, I think this deserves a separate patch with the changelog.
 @@ -278,9 +278,12 @@ static void dump_common_audit_data(struct
audit_buffer *ab,
  	}
  	case LSM_AUDIT_DATA_TASK:
  		tsk = a->u.tsk;
 -		if (tsk && tsk->pid) {
 -			audit_log_format(ab, " pid=%d comm=", tsk->pid);
 -			audit_log_untrustedstring(ab, tsk->comm);
 +		if (tsk) {
 +			pid_t pid = task_pid_nr(tsk);
 +			if (pid) {
 +				audit_log_format(ab, " pid=%d comm=", pid);
 +				audit_log_untrustedstring(ab, tsk->comm); 
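Review bot: In the new inner block `tsk->comm` is still passed to audit_log_untrustedstring() straight from the task structure, so a concurrent rename of the task could put a torn name into the audit record. Taking a snapshot first keeps the record consistent: `char comm[sizeof(tsk->comm)];` followed by `audit_log_untrustedstring(ab, get_task_comm(comm, tsk));`, provided this path is allowed to take task_lock, which the hunk does not show. The case block continues past the end of the quoted hunk.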
Just curious, is it really possible that a->u.tsk is an idle thread?
Oleg.