linux-audit.redhat.com archive mirror
From: Tony Jones <tonyj@suse.de>
To: Paul Moore <paul@paul-moore.com>
Cc: Kees Cook <keescook@chromium.org>,
	linux-audit@redhat.com,
	linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: seccomp and audit_enabled
Date: Fri, 6 Nov 2015 13:36:43 -0800
Message-ID: <563D1D6B.8060605@suse.de>
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>

On 10/13/2015 12:19 PM, Paul Moore wrote:

> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far.  I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

Sorry for the delay here.

A context is allocated by audit_alloc() because there is no uid/gid
filter for the task but the dummy flag is left false.  Because audit has
been disabled (manually following systemd enabling), dummy never gets
set in the syscall entry path (based on !audit_n_rules). So the
unlikely(!audit_dummy_context()) in audit_seccomp succeeds.

Tony
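
The state described in the message above, as a simplified user-space C model added here (not kernel code and not part of the original message). The `model_` functions, the struct layout and `seccomp_check_passes()` are assumptions that follow only the message's description.

```c
/* Simplified user-space model, not kernel code. Struct layout and function
 * bodies are assumptions that follow the message's description only. */
#include <stdbool.h>
#include <stdio.h>

struct audit_context { bool dummy; };      /* modelled: only the dummy flag */

static bool audit_enabled;                 /* toggled by systemd, then the admin */
static int audit_n_rules;                  /* number of loaded audit rules */
static struct audit_context ctx_storage;
static struct audit_context *current_ctx;  /* stands in for the task's context */

/* No uid/gid task filter matched, so a context is allocated; dummy is false. */
static void model_audit_alloc(void)
{
    ctx_storage.dummy = false;
    current_ctx = &ctx_storage;
}

/* Syscall entry: dummy is refreshed from !audit_n_rules only while enabled. */
static void model_syscall_entry(void)
{
    if (!current_ctx || !audit_enabled)
        return;                            /* dummy keeps its previous value */
    current_ctx->dummy = !audit_n_rules;
}

static bool model_audit_dummy_context(void)
{
    return !current_ctx || current_ctx->dummy;
}

/* True when the !audit_dummy_context() test in audit_seccomp would pass. */
static bool seccomp_check_passes(bool audit_left_enabled)
{
    audit_n_rules = 0;                     /* no rules loaded */
    audit_enabled = true;                  /* systemd enables audit */
    model_audit_alloc();
    audit_enabled = audit_left_enabled;    /* admin may disable it manually */
    model_syscall_entry();
    return !model_audit_dummy_context();
}

int main(void)
{
    printf("audit enabled, no rules: %d\n", seccomp_check_passes(true));
    printf("audit disabled manually: %d\n", seccomp_check_passes(false));
    return 0;
}
```

In this model the check passes only in the disabled case, because the stale `dummy == false` from allocation is never overwritten.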

Thread overview: 14+ messages
2015-10-10  3:50 seccomp and audit_enabled Tony Jones
2015-10-12 15:29 ` Paul Moore
2015-10-12 15:40   ` Paul Moore
2015-10-12 17:53     ` Tony Jones
2015-10-12 20:45       ` Kees Cook
2015-10-13 16:11         ` Paul Moore
2015-10-13 17:18           ` Tony Jones
2015-10-13 19:19             ` Paul Moore
2015-10-13 19:46               ` Tony Jones
2015-10-13 20:03               ` Steve Grubb
2015-11-06 21:45                 ` Tony Jones
2015-11-06 21:36               ` Tony Jones [this message]
2015-11-20 17:51                 ` Tony Jones
2015-11-20 21:26                   ` Paul Moore
