On Thu, 2005-06-30 at 07:01 -0400, Steve Grubb wrote:
> Just a guess. It's using ctx->pid. Maybe tsk->pid is better?
You're right. We weren't setting ctx->pid when the context was
allocated, so checking it in audit_filter_syscall() wasn't having the
desired effect. This one really ought to fix it for real now...
--- linux-2.6.9/kernel/auditsc.c~ 2005-06-30 17:51:02.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-06-30 21:29:48.000000000 +0100
@@ -527,7 +527,7 @@ static enum audit_state audit_filter_sys
int word = AUDIT_WORD(ctx->major);
int bit = AUDIT_BIT(ctx->major);
- if (audit_pid && ctx->pid == audit_pid)
+ if (audit_pid && tsk->pid == audit_pid)
return AUDIT_DISABLED;
rcu_read_lock();
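Review bot: the early return on `tsk->pid == audit_pid` in audit_filter_syscall() has no comment saying that it exempts the audit daemon's own syscalls from filtering. A one-line comment above it would keep a later cleanup from dropping the check. Switching to tsk->pid also leaves ctx->pid unset at allocation, as the message above says, so any other reader of ctx->pid still sees an uninitialised value. Setting it where the context is allocated, or removing the field if nothing else reads it, would close that off.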
@@ -612,7 +612,7 @@ static inline struct audit_context *audi
context->return_valid = return_valid;
context->return_code = return_code;
- if (context->in_syscall && !context->auditable && tsk->pid !=
audit_pid) {
+ if (context->in_syscall && !context->auditable) {
enum audit_state state;
state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_EXIT]);
if (state == AUDIT_RECORD_CONTEXT)
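Review bot: with `tsk->pid != audit_pid` dropped from the condition, the exit path depends entirely on audit_filter_syscall() returning AUDIT_DISABLED for the daemon, and nothing at this call site says so. A short comment here naming that dependency would help. Since the visible code only tests `state == AUDIT_RECORD_CONTEXT`, it is also worth confirming that no branch further down treats an AUDIT_DISABLED result from this call as anything other than "do not record".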
--
dwmw2