linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Q/BUG: investigate use of task_pid_nr(...) vs task_tgid_nr(...) #126

Open pcmoore opened 3 years ago

pcmoore commented 3 years ago

Most of the kernel audit code uses the TGID, or task group ID, in place of the actual PID as most users care more about the processes than threads. However there are a few places in the code where task_pid_nr(...) is used and we might want to change that. This issue is for the investigation of these call sites and any fixes that may be needed.

pcmoore commented 3 years ago

For example, here is Linus' tree from October 7, 2020:

% grep "task_pid_nr" kernel/audit*.c
kernel/audit.c:                  task_pid_nr(current),
kernel/auditfilter.c:                           pid = task_pid_nr(current);
kernel/auditsc.c:       audit_log_format(ab, " pid=%u", task_pid_nr(current));

rgbriggs commented 3 years ago

On 2020-10-07 18:21, Paul Moore wrote:

> For example, here is Linus' tree from October 7, 2020:
>
> % grep "task_pid_nr" kernel/audit*.c
> kernel/audit.c:                  task_pid_nr(current),

This first one is my fault, resurrecting old code for logging multicast joins/parts from before task_tgid_nr() was fixed by you in 2016 ("audit: consistently record PIDs with task_tgid_nr()").

> kernel/auditfilter.c: pid = task_pid_nr(current);

This one is also my doing, converting from task_pid_vnr(), likely should be converted to task_tgid_nr().

> kernel/auditsc.c: audit_log_format(ab, " pid=%u", task_pid_nr(current));

This third one is a similar scenario for the netfilter configuration patches and probably should be converted.
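
Added illustration, not part of the issue thread or the kernel source: a userspace C program that shows the two values a `pid=` field can carry depending on which helper logs it. It assumes Linux with pthreads; `struct ids`, `read_ids()` and `ids_in_new_thread()` are names made up for this example.

```c
/* Userspace view of the two IDs discussed in this issue.
 *   getpid()            returns the thread group ID; the kernel implements it
 *                       with task_tgid_vnr(), the namespace-relative form of
 *                       task_tgid_nr().
 *   syscall(SYS_gettid) returns the per-thread ID; the kernel implements it
 *                       with task_pid_vnr(), the namespace-relative form of
 *                       task_pid_nr().
 */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

struct ids {
    pid_t tgid; /* stable for every thread of the process */
    pid_t tid;  /* unique per thread */
};

static struct ids read_ids(void)
{
    struct ids r = { getpid(), (pid_t)syscall(SYS_gettid) };
    return r;
}

static void *worker(void *arg)
{
    *(struct ids *)arg = read_ids();
    return NULL;
}

/* Run read_ids() in a new thread of this process; returns 0 on success. */
static int ids_in_new_thread(struct ids *out)
{
    pthread_t t;
    if (pthread_create(&t, NULL, worker, out) != 0)
        return -1;
    return pthread_join(t, NULL) == 0 ? 0 : -1;
}

int main(void)
{
    struct ids here = read_ids(), there;
    if (ids_in_new_thread(&there) != 0)
        return 1;
    printf("caller: tgid=%d tid=%d\n", (int)here.tgid, (int)here.tid);
    printf("worker: tgid=%d tid=%d\n", (int)there.tgid, (int)there.tid);
    return 0;
}
```

The worker prints the same tgid as the caller but a different tid, so a record logged from a non-leader thread via task_pid_nr(current) carries a `pid=` value that does not match the process ID seen in records that use task_tgid_nr().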