authorRichard Guy Briggs <rgb@redhat.com>2020-03-10 09:20:17 -0400
committerPaul Moore <paul@paul-moore.com>2020-03-12 10:42:51 -0400
commit1320a4052ea11eb2879eb7361da15a106a780972 (patch)
tree335e3791ba5bc188ffad02e0328f22616ff2ef03 /kernel/audit.h
parent70b3eeed49e8190d97139806f6fbaf8964306cdb (diff)
audit: trigger accompanying records when no rules present
When there are no audit rules registered, mandatory records (config, etc.) are missing their accompanying records (syscall, proctitle, etc.). This is because the audit context's dummy flag is set on syscall entry when no rules are present, which signals that no other records are to be printed. Clear the dummy bit if any record is generated. The proctitle context and dummy checks are pointless since the proctitle record will not be printed if no syscall records are printed. Please see upstream github issue https://github.com/linux-audit/audit-kernel/issues/120 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'kernel/audit.h')
-rw-r--r--kernel/audit.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/kernel/audit.h b/kernel/audit.h
index 6fb7160412d4..2eed4d231624 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -290,6 +290,13 @@ extern int audit_signal_info_syscall(struct task_struct *t);
extern void audit_filter_inodes(struct task_struct *tsk,
struct audit_context *ctx);
extern struct list_head *audit_killed_trees(void);
+
+static inline void audit_clear_dummy(struct audit_context *ctx)
+{
+ if (ctx)
+ ctx->dummy = 0;
+}
+
#else /* CONFIG_AUDITSYSCALL */
#define auditsc_get_stamp(c, t, s) 0
#define audit_put_watch(w) {}
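Review bot: audit_clear_dummy() is added without a comment saying when it must be called, and that contract is not obvious from the two-line body. Per the commit message, the dummy flag suppresses the accompanying syscall and proctitle records, so a record-emitting path that omits this call silently leaves an incomplete audit trail. I would state this at the definition, e.g. `/* Call whenever a record is emitted so syscall exit also logs the accompanying records; ctx may be NULL. */`. The call sites are not part of this file's diff, so whether every record-generating path invokes the helper cannot be confirmed from here.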
@@ -323,6 +330,7 @@ static inline int audit_signal_info_syscall(struct task_struct *t)
}
#define audit_filter_inodes(t, c) AUDIT_DISABLED
+#define audit_clear_dummy(c) {}
#endif /* CONFIG_AUDITSYSCALL */
extern char *audit_unpack_string(void **bufp, size_t *remain, size_t len);
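Review bot: The `!CONFIG_AUDITSYSCALL` stub `#define audit_clear_dummy(c) {}` expands to a compound statement, so `audit_clear_dummy(ctx);` becomes `{};` and would break an unbraced `if (...) audit_clear_dummy(ctx); else ...` at a call site. It also drops type checking of the argument, unlike the `static inline` version added in the first hunk. It matches the neighbouring `audit_put_watch(w) {}` style, but `#define audit_clear_dummy(c) do { } while (0)` or an empty `static inline void audit_clear_dummy(struct audit_context *ctx) { }` stub would be safer.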