patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace
Steve Grubb
sgrubb at redhat.com
Fri Jan 5 18:07:16 UTC 2018
On Friday, January 5, 2018 6:00:01 AM EST madz car wrote:
> Hi Guys,
>
> Please refer to the issue details at GitHub:
> https://github.com/linux-audit/audit-kernel/issues/68
>
> Here is a patch as suggested by rgb; I can confirm that it works.
By hooking this function, doesn't this change the return code for all
syscalls?
-Steve
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index ecc23e2..9a78ecb 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1557,6 +1557,11 @@ void __audit_syscall_exit(int success, long
> return_code)
> {
> struct task_struct *tsk = current;
> struct audit_context *context;
> +
> + rcu_read_lock();
> + return_code = pid_nr(find_vpid((int) return_code));
> + rcu_read_unlock();
> +
>
> if (success)
> success = AUDITSC_SUCCESS;
>
>
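Review bot: The added `return_code = pid_nr(find_vpid((int) return_code));` at the top of __audit_syscall_exit() runs on every syscall exit, with no check that the syscall being exited returns a child PID (clone, fork, vfork) or that `success` is set. Return values that are not PIDs (byte counts, file descriptors, negative errno values) are therefore also looked up as PIDs in the caller's namespace and overwritten, and when find_vpid() finds no match pid_nr() yields 0, so the audit record loses the real exit value. The `(int)` cast also truncates the long return value before the lookup. Suggest performing the translation only for successful calls to syscalls that return a PID, and leaving return_code untouched in every other case.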
> Kindly review.
>
> Regards,
> Madzcar