From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tony Jones <tonyj@suse.de>
Subject: Re: seccomp and audit_enabled
Date: Fri, 6 Nov 2015 13:36:43 -0800
Message-ID: <563D1D6B.8060605@suse.de>
References: <56188AE9.4030306@suse.de> <9092019.92r82W6k9o@sifl>
 <4636418.ofTBd0bpCf@sifl> <561BF39B.5050209@suse.de>
 <CAGXu5jKogSW-Qo+CabVHgZ7tx-1WE=MAJd+Khu5M2AMxwTS_vA@mail.gmail.com>
 <CAHC9VhSVOe53Mp64_kG7NeGEPsXei2EfGJUg4GtYqvyoX8oKxg@mail.gmail.com>
 <561D3D03.30300@suse.de>
 <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Return-path: <linux-security-module-owner@vger.kernel.org>
In-Reply-To: <CAHC9VhQgDJAW0RrORwzRT0T1BaV7BbqCQvNmW7F6n2v6_=0K6A@mail.gmail.com>
Sender: owner-linux-security-module@vger.kernel.org
To: Paul Moore <paul@paul-moore.com>
Cc: Kees Cook <keescook@chromium.org>, linux-audit@redhat.com, linux-security-module <linux-security-module@vger.kernel.org>
List-Id: linux-audit@redhat.com

On 10/13/2015 12:19 PM, Paul Moore wrote:

> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far.  I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

Sorry for the delay here. 

A context is allocated by audit_alloc() because there is no uid/gid filter for the task
but the dummy flag is left false.  Because audit has been disabled (manually following systemd enabling), 
dummy never gets set in the syscall entry path (based on !audit_n_rules). So the unlikely(!audit_dummy_context())
in audit_seccomp succeeds.  

Tony