From: Tony Jones <tonyj@suse.de>
To: Steve Grubb <sgrubb@redhat.com>
Cc: chrisw@sous-sol.org, linux-audit@redhat.com,
linux-kernel@vger.kernel.org, viro@ftp.linux.org.uk
Subject: Re: [PATCH] audit: clear thread flag for new children
Date: Mon, 29 Oct 2007 16:15:30 -0700
Message-ID: <20071029231529.GB15210@suse.de>
In-Reply-To: <200710291804.31784.sgrubb@redhat.com>

On Mon, Oct 29, 2007 at 06:04:31PM -0400, Steve Grubb wrote:
> If the child does not have the TIF_SYSCALL_AUDIT flag, it never goes into
> audit_syscall_entry. It becomes unauditable.

True but a task where current->audit_context == NULL is going to immediately
BUG out in audit_syscall_entry. This is why the invocations of
audit_syscall_entry() are conditional on current->audit_context.

> So when audit is re-enabled, how do you make that task auditable?

No idea. How do you do it currently? HINT: current->audit_context == NULL
for these tasks. If !audit_enabled, then audit_alloc() is not going to
allocate an audit_context for the task.

I'm very curious how you think one of these tasks becomes auditable later
on once audit is re-enabled, regardless of the value of TIF_SYSCALL_AUDIT.

Tony