Discussion:
[RFC PATCH ghak87 V1] audit: tie SECCOMP records to syscall
Richard Guy Briggs
2018-05-31 20:27:24 UTC
Permalink
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.

See: https://github.com/linux-audit/audit-kernel/issues/87

Signed-off-by: Richard Guy Briggs <***@redhat.com>
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c45..fefb9e2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2485,7 +2485,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;

- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
audit_log_task(ab);
--
1.8.3.1
Paul Moore
2018-06-04 22:25:41 UTC
Permalink
Post by Richard Guy Briggs
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.
See: https://github.com/linux-audit/audit-kernel/issues/87
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Looks good to me, queued up for after the merge window.
Post by Richard Guy Briggs
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c45..fefb9e2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2485,7 +2485,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
audit_log_task(ab);
--
1.8.3.1
--
paul moore
www.paul-moore.com
Paul Moore
2018-06-19 14:29:24 UTC
Permalink
Post by Richard Guy Briggs
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.
See: https://github.com/linux-audit/audit-kernel/issues/87
---
kernel/auditsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Merged, thanks.
Post by Richard Guy Briggs
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ceb1c45..fefb9e2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2485,7 +2485,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
{
struct audit_buffer *ab;
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+ ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
if (unlikely(!ab))
return;
audit_log_task(ab);
--
1.8.3.1
--
paul moore
www.paul-moore.com
Loading...