audit system still audits auditd

David Woodhouse dwmw2 at infradead.org
Sun Jun 19 23:33:11 UTC 2005


On Wed, 2005-06-15 at 18:56 -0400, Steve Grubb wrote:
> auditctl -a entry,always -S all -F auid=-1
> 
> It turns out this tends to report auditd doing things:

Oops, we weren't correctly excluding auditd in all cases -- in fact we
were only doing it for syscall _exit_. I'm testing a patch in the
current build which should fix that...

--- linux-2.6.9/kernel/auditsc.c.orig	2005-06-20 00:21:52.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c	2005-06-20 00:26:05.000000000 +0100
@@ -489,6 +489,9 @@ static enum audit_state audit_filter_sys
 	int		   word = AUDIT_WORD(ctx->major);
 	int		   bit  = AUDIT_BIT(ctx->major);
 
+	if (audit_pid && ctx->pid == audit_pid)
+		return AUDIT_DISABLED;
+
 	rcu_read_lock();
 	list_for_each_entry_rcu(e, list, list) {
 		if ((e->rule.mask[word] & bit) == bit
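Review bot: the early return in audit_filter_syscall compares ctx->pid, which was recorded when the context was created, against the current value of audit_pid, so an auditd syscall already in progress at the moment audit_pid is registered (the request that registers the daemon) is not excluded here; because the hunks below drop the exit-time `context->pid != audit_pid` test, that one event will now be logged rather than suppressed. Either keep the exit-time test as a second line of defence or state in the commit message that this single event is expected. The `audit_pid &&` guard is right, since without it pid 0 would be excluded whenever no daemon is registered; a short comment such as `/* never audit the audit daemon itself */` would make the intent obvious to the next reader.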
@@ -506,6 +509,9 @@ int audit_filter_user(struct task_struct
 	struct audit_entry *e;
 	enum audit_state   state;
 
+	if (audit_pid && tsk->pid == audit_pid)
+		return AUDIT_DISABLED;
+
 	rcu_read_lock();
 	list_for_each_entry_rcu(e, &audit_filter_list[AUDIT_FILTER_USER], list) {
 		if (audit_filter_rules(tsk, &e->rule, NULL, &state)) {
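Review bot: `tsk->pid == audit_pid` compares the per-thread pid, so if the daemon that sends user messages is ever multithreaded only the thread whose pid was registered is excluded and its other threads still get audited. If the intent is to exclude the whole daemon process, compare against `tsk->tgid` (or document that auditd is expected to be single-threaded). As in the previous hunk, a one-line comment explaining the early return would help.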
@@ -866,7 +872,7 @@ void audit_free(struct task_struct *tsk)
 
 	/* Check for system calls that do not go through the exit
 	 * function (e.g., exit_group), then free context block. */
-	if (context->in_syscall && context->auditable && context->pid != audit_pid)
+	if (context->in_syscall && context->auditable)
 		audit_log_exit(context);
 
 	audit_free_context(context);
@@ -971,7 +977,7 @@ void audit_syscall_exit(struct task_stru
 	if (likely(!context))
 		return;
 
-	if (context->in_syscall && context->auditable && context->pid != audit_pid)
+	if (context->in_syscall && context->auditable)
 		audit_log_exit(context);
 
 	context->in_syscall = 0;
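Review bot: this hunk and the audit_free hunk above remove the only exit-time exclusion of the daemon, so correctness now rests entirely on audit_filter_syscall having returned AUDIT_DISABLED at entry for every context that reaches audit_log_exit. Centralising the decision in one place is the cleaner design, but since a reader of audit_syscall_exit or audit_free can no longer see why auditd never shows up in the log, add a comment at the filter pointing out that auditd exclusion is decided there once at syscall entry.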

-- 
dwmw2
