seccomp and audit_enabled
Tony Jones
tonyj at suse.de
Fri Nov 20 17:51:58 UTC 2015
On 11/06/2015 01:36 PM, Tony Jones wrote:
> On 10/13/2015 12:19 PM, Paul Moore wrote:
>
>> Yes, if systemd is involved it enables audit; we've had some
>> discussions with the systemd folks about fixing that, but they haven't
>> gone very far. I'm still a little curious as to why
>> audit_dummy_context() is false in this case, but I haven't looked at
>> how systemd/auditctl start/config the system too closely.
>
> Sorry for the delay here.
>
> A context is allocated by audit_alloc() because there is no uid/gid filter for the task
> but the dummy flag is left false. Because audit has been disabled (manually following systemd enabling),
> dummy never gets set in the syscall entry path (based on !audit_n_rules). So the unlikely(!audit_dummy_context())
> in audit_seccomp succeeds.
>
> Tony
Any comments on this? Current interaction between audit_enabled and dummy flag seems wrong to me. I can code up
a patch.
Tony
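
The interaction described in this thread, as a simplified user-space C model added here (it is not kernel source and not code from either poster). The `model_*` names, the struct layout and the early return on the syscall entry path when audit is disabled are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the per-task audit context discussed above. */
struct audit_context { int dummy; };
struct task { struct audit_context *ctx; struct audit_context storage; };

static int audit_enabled;   /* global enable switch */
static int audit_n_rules;   /* number of loaded syscall rules */

/* Models audit_alloc(): no task filter matched, so a context is
 * allocated, and its dummy flag starts out false. */
static void model_audit_alloc(struct task *t) {
    t->storage.dummy = 0;
    t->ctx = &t->storage;
}

/* Models the syscall entry path: dummy is derived from !audit_n_rules,
 * but (assumption) only when audit is enabled. */
static void model_syscall_entry(struct task *t) {
    if (!t->ctx || !audit_enabled)
        return;                      /* dummy is never updated */
    t->ctx->dummy = !audit_n_rules;
}

/* Models audit_dummy_context(): true if no context or context is dummy. */
static bool model_audit_dummy_context(const struct task *t) {
    return !t->ctx || t->ctx->dummy;
}

/* Models the !audit_dummy_context() test guarding the seccomp record:
 * returns true when a seccomp audit record would be emitted. */
bool model_seccomp_logs(int enabled, int n_rules) {
    struct task t;
    audit_enabled = enabled;
    audit_n_rules = n_rules;
    model_audit_alloc(&t);
    model_syscall_entry(&t);
    return !model_audit_dummy_context(&t);
}

int main(void) {
    printf("disabled, 0 rules -> logs=%d\n", model_seccomp_logs(0, 0));
    printf("enabled,  0 rules -> logs=%d\n", model_seccomp_logs(1, 0));
    printf("enabled,  1 rule  -> logs=%d\n", model_seccomp_logs(1, 1));
    return 0;
}
```

In this model the disabled, zero-rule case still reports a seccomp record because the context exists and its dummy flag was never set, which is the behaviour the thread questions.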
More information about the Linux-audit
mailing list