From mboxrd@z Thu Jan 1 00:00:00 1970
From: Richard Guy Briggs
Subject: Re: Question about audit_filter_rules
Date: Wed, 16 May 2018 07:37:36 -0400
Message-ID: <20180516113736.u6ahthjateyarw3j@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Ondrej Mosnacek
Cc: Linux-Audit Mailing List
List-Id: linux-audit@redhat.com

On 2018-05-16 08:57, Ondrej Mosnacek wrote:
> Hi,
>
> I noticed this suspicious line in the definition of the
> audit_filter_rules function in auditsc.c:
>
> [...]
>         case AUDIT_SESSIONID:
>             sessionid = audit_get_sessionid(current); // <--- HERE
>             result = audit_comparator(sessionid, f->op, f->val);
>             break;
> [...]
>
> Here, the sessionid is retrieved from the current task pointer, while
> all the other code in this function compares against the tsk task
> pointer. It seems that it is not always guaranteed that tsk ==
> current, so my question is: Is it intentional for some reason or
> should it be tsk instead of current?

I'd agree you've found a bug. I can trace it to my 2016-11-20 commit
8fae47705685fcaa75a1fe4c8c3e18300a702979 ("audit: add support for
session ID user filter")

It appears it should in fact be tsk rather than current.

> Ondrej Mosnacek

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
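
The mismatch discussed in this thread, as an added userspace model that is not part of the original messages and is not kernel source. The types, `current_task`, both `match_sessionid_*` helpers, `rule_hits_target` and the session IDs are assumptions constructed for illustration; it shows how a session ID rule is evaluated against the wrong task whenever tsk != current.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for kernel types; only the fields needed here. */
struct task { uint32_t sessionid; };
enum op { OP_EQ, OP_NE };
struct field { enum op op; uint32_t val; };

/* Models the kernel's `current`: the task executing the filter code. */
static const struct task *current_task;

static uint32_t get_sessionid(const struct task *t) { return t->sessionid; }

static bool comparator(uint32_t left, enum op op, uint32_t right)
{
    return op == OP_EQ ? left == right : left != right;
}

/* Pattern questioned in the thread: tsk is ignored, the running task is read. */
static bool match_sessionid_current(const struct task *tsk, const struct field *f)
{
    (void)tsk;
    return comparator(get_sessionid(current_task), f->op, f->val);
}

/* Pattern the reply agrees on: evaluate the task handed to the filter. */
static bool match_sessionid_tsk(const struct task *tsk, const struct field *f)
{
    return comparator(get_sessionid(tsk), f->op, f->val);
}

/* Constructed scenario: the filter runs in `caller` but is asked about `target`. */
static int rule_hits_target(bool use_tsk)
{
    static const struct task caller = { 7 };   /* audit session 7 */
    static const struct task target = { 42 };  /* audit session 42 */
    const struct field rule = { OP_EQ, 42 };   /* rule: sessionid == 42 */

    current_task = &caller;                    /* tsk != current */
    return use_tsk ? match_sessionid_tsk(&target, &rule)
                   : match_sessionid_current(&target, &rule);
}

int main(void)
{
    printf("current-based match: %d\n", rule_hits_target(false));
    printf("tsk-based match:     %d\n", rule_hits_target(true));
    return 0;
}
```

In the model, the current-based check misses the target even though its session ID satisfies the rule. With an `OP_NE` rule the error would run the other way.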