Re: audit.63 kernel.

On Mon, 2005-06-20 at 10:52 +0100, David Woodhouse wrote: --- linux-2.6.9/kernel/auditsc.c.orig 2005-06-20 00:21:52.000000000 +0100 +++ linux-2.6.9/kernel/auditsc.c 2005-06-20 00:26:05.000000000 +0100 @@ -489,6 +489,9 @@ static enum audit_state audit_filter_sys int word = AUDIT_WORD(ctx->major); int bit = AUDIT_BIT(ctx->major); + if (audit_pid && ctx->pid == audit_pid) + return AUDIT_DISABLED; + rcu_read_lock(); list_for_each_entry_rcu(e, list, list) { if ((e->rule.mask[word] & bit) == bit @@ -506,6 +509,9 @@ int audit_filter_user(struct task_struct struct audit_entry *e; enum audit_state state; + if (audit_pid && tsk->pid == audit_pid) + return AUDIT_DISABLED; + rcu_read_lock(); list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) { if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { @@ -866,7 +872,7 @@ void audit_free(struct task_struct *tsk) /* Check for system calls that do not go through the exit * function (e.g., exit_group), then free context block. */ - if (context->in_syscall && context->auditable && context->pid != audit_pid) + if (context->in_syscall && context->auditable) audit_log_exit(context); audit_free_context(context); @@ -971,7 +977,7 @@ void audit_syscall_exit(struct task_stru if (likely(!context)) return; - if (context->in_syscall && context->auditable && context->pid != audit_pid) + if (context->in_syscall && context->auditable) audit_log_exit(context); context->in_syscall = 0; -- dwmw2