On Wed, 2005-07-13 at 16:41 -0400, Linda Knippers wrote:
> I don't know that what I'm seeing is a problem with the tools or with
> the kernel but I can get my system into a state where I'm seeing lots
> of audit records for auditd. The records are for a pid one greater
> than the pid that 'auditctl -s' reports.

This should be fixed in the audit.76 kernel, which is currently
building. We were exempting only one thread from auditing, not the whole
thread-group.
--- linux-2.6.9/kernel/auditsc.c~ 2005-06-30 21:29:48.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-07-13 21:34:12.000000000 +0100
@@ -527,7 +527,7 @@ static enum audit_state audit_filter_sys
int word = AUDIT_WORD(ctx->major);
int bit = AUDIT_BIT(ctx->major);
- if (audit_pid && tsk->pid == audit_pid)
+ if (audit_pid && tsk->tgid == audit_pid)
return AUDIT_DISABLED;
rcu_read_lock();
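Review bot: the changed test `tsk->tgid == audit_pid` at the top of this hunk carries no comment saying that audit_pid is deliberately compared against the thread-group id so that every thread of the audit daemon is exempted, not only the one thread whose pid matches. A one-line comment above the `if` would stop a later cleanup from turning it back into `tsk->pid`. It is also worth checking whether any other comparison against audit_pid in this file still uses ->pid.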
@@ -1311,7 +1311,7 @@ void audit_signal_info(int sig, struct t
extern pid_t audit_sig_pid;
extern uid_t audit_sig_uid;
- if (unlikely(audit_pid && t->pid == audit_pid)) {
+ if (unlikely(audit_pid && t->tgid == audit_pid)) {
if (sig == SIGTERM || sig == SIGHUP) {
struct audit_context *ctx = current->audit_context;
audit_sig_pid = current->pid;
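Review bot: in audit_signal_info the match is now on `t->tgid`, but the context line `audit_sig_pid = current->pid;` still records the sender's per-thread id. If the sending process is multithreaded, the recorded value will be a thread id rather than the process id that userspace sees, which is the same pid/tgid mix-up this patch fixes on the daemon side. Consider whether that line should use `current->tgid`, or add a comment saying why the thread id is the one wanted.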
--
dwmw2