[PATCH ghak122 v1] audit: store event sockaddr in case of no rules
Paul Moore
paul at paul-moore.com
Wed Jul 8 22:49:16 UTC 2020
On Fri, Jul 3, 2020 at 1:18 PM Richard Guy Briggs <rgb at redhat.com> wrote:
>
> When there are no rules present, the event SOCKADDR record is not
> generated due to audit_dummy_context() generated at syscall entry from
> audit_n_rules. Store this information if there is a context present to
> store it so that mandatory events are more complete (startup, LSMs...).
>
> Please see the upstream issue
> https://github.com/linux-audit/audit-kernel/issues/122
>
> Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> ---
> Passes audit-testsuite.
>
> include/linux/audit.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Do we have any certification requirements driving this change? I ask
because if we make this change, why not do the same for PATH records?
The problem of course is that doing this for both is going to be
costly, the PATH records in particular seem like they would raise a
performance regression.
I agree it would be nice to have this information, but I fear that
gating this on audit_dummy_context() is the right thing to do unless
there is a strong requirement that we always record this information.
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 03c4035a532b..07fecd99741a 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -448,7 +448,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
>
> static inline int audit_sockaddr(int len, void *addr)
> {
> - if (unlikely(!audit_dummy_context()))
> + if (audit_context())
> return __audit_sockaddr(len, addr);
> return 0;
> }
> --
> 1.8.3.1
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list