[PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
Andy Lutomirski
luto at amacapital.net
Thu May 29 01:44:01 UTC 2014
Here are some issues with the code:
- It thinks that syscalls have four arguments.
- It's a performance disaster.
- It assumes that syscall numbers are between 0 and 2048.
- It's unclear whether it's supposed to be reliable.
- It's broken on things like x32.
- It can't support ARM OABI.
- Its approach to freeing memory is terrifying.
Signed-off-by: Andy Lutomirski <luto at amacapital.net>
---
init/Kconfig | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/init/Kconfig b/init/Kconfig
index 9d3585b..24d4b53 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -296,13 +296,16 @@ config HAVE_ARCH_AUDITSYSCALL
bool
config AUDITSYSCALL
- bool "Enable system-call auditing support"
- depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
+ bool "Enable system-call auditing support (not recommended)"
+ depends on AUDIT && HAVE_ARCH_AUDITSYSCALL && BROKEN
default y if SECURITY_SELINUX
help
- Enable low-overhead system-call auditing infrastructure that
- can be used independently or with another kernel subsystem,
- such as SELinux.
+ Enable system-call auditing infrastructure that can be used
+ independently or with another kernel subsystem, such as
+ SELinux.
+
+ AUDITSYSCALL has serious performance and correctness issues.
+ Use it with extreme caution.
config AUDIT_WATCH
def_bool y
--
1.9.3
More information about the Linux-audit
mailing list