patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace

Steve Grubb sgrubb at redhat.com
Fri Jan 5 18:07:16 UTC 2018


On Friday, January 5, 2018 6:00:01 AM EST madz car wrote:
> Hi Guys,
> 
> Please refer to the issue details at github :
> https://github.com/linux-audit/audit-kernel/issues/68
> 
> Here is a patch as suggested by rgb, i can confirm that it works.

By hooking this function, doesn't this change the return code for all 
syscalls?

-Steve

> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index ecc23e2..9a78ecb 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1557,6 +1557,11 @@ void __audit_syscall_exit(int success, long
> return_code)
>  {
>         struct task_struct *tsk = current;
>         struct audit_context *context;
> +
> +        rcu_read_lock();
> +        return_code = pid_nr(find_vpid((int) return_code));
> +        rcu_read_unlock();
> +
> 
>         if (success)
>                 success = AUDITSC_SUCCESS;
> 
> 
> Kindly review.
> 
> Regards,
> Madzcar







More information about the Linux-audit mailing list