Escalated to Bugzilla from IssueTracker
It's not exactly backwards. It's actually that ctx->ppid in audit_filter_rules is actually set to 0. That is supposed to be the ppid of the task which made the call. (I'm not sure why i couldn't just use sys_getppid() there, but i'm going to figure out why this isn't set.
Created attachment 137281 [details] Patch sent to linux-audit for review
patch posted for review on 9/29/06
in kernel-2.6.18-1.2718.el5