From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: patch suggested by rgb for fixing auditd logs for clone syscall shows exit code as container namespace pid of child process instead of host namespace Date: Fri, 05 Jan 2018 13:07:16 -0500 Message-ID: <1914895.SJHJx90rDh@x2> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Friday, January 5, 2018 6:00:01 AM EST madz car wrote: > Hi Guys, > > Please refer to the issue details at github : > https://github.com/linux-audit/audit-kernel/issues/68 > > Here is a patch as suggested by rgb, i can confirm that it works. By hooking this function, doesn't this change the return code for all syscalls? -Steve > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index ecc23e2..9a78ecb 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1557,6 +1557,11 @@ void __audit_syscall_exit(int success, long > return_code) > { > struct task_struct *tsk = current; > struct audit_context *context; > + > + rcu_read_lock(); > + return_code = pid_nr(find_vpid((int) return_code)); > + rcu_read_unlock(); > + > > if (success) > success = AUDITSC_SUCCESS; > > > Kindly review. > > Regards, > Madzcar
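Review bot: the find_vpid()/pid_nr() translation added at the top of __audit_syscall_exit() runs unconditionally, so it rewrites return_code for every audited syscall rather than only for clone, which is the concern Steve raises above. As written, any return value (a byte count, a file descriptor, a negative error code) is cast from long to int and looked up as a pid in the caller's namespace, and the result of find_vpid() is handed to pid_nr() with no check that a pid was actually found, so the logged exit value for non-clone syscalls would no longer be the value the syscall returned. Suggest applying the translation only when success is set and the exiting syscall is one whose return value is a child pid, leaving return_code untouched in every other case, and keeping the original value when the lookup finds nothing. The hunk also leaves a second blank line after rcu_read_unlock(), directly before the existing blank line above "if (success)"; one of the two should be dropped.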