From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tony Jones Subject: Re: seccomp and audit_enabled Date: Fri, 20 Nov 2015 09:51:58 -0800 Message-ID: <564F5DBE.5020605@suse.de> References: <56188AE9.4030306@suse.de> <9092019.92r82W6k9o@sifl> <4636418.ofTBd0bpCf@sifl> <561BF39B.5050209@suse.de> <561D3D03.30300@suse.de> <563D1D6B.8060605@suse.de> Mime-Version: 1.0 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <563D1D6B.8060605@suse.de> Sender: owner-linux-security-module@vger.kernel.org To: Paul Moore Cc: linux-security-module , linux-audit@redhat.com List-Id: linux-audit@redhat.com On 11/06/2015 01:36 PM, Tony Jones wrote: > On 10/13/2015 12:19 PM, Paul Moore wrote: > >> Yes, if systemd is involved it enables audit; we've had some >> discussions with the systemd folks about fixing that, but they haven't >> gone very far. I'm still a little curious as to why >> audit_dummy_context() is false in this case, but I haven't looked at >> how systemd/auditctl start/config the system too closely. > > Sorry for the delay here. > > A context is allocated by audit_alloc() because there is no uid/gid filter for the task > but the dummy flag is left false. Because audit has been disabled (manually following systemd enabling), > dummy never gets set in the syscall entry path (based on !audit_n_rules). So the unlikely(!audit_dummy_context()) > in audit_seccomp succeeds. > > Tony Any comments on this? Current interaction between enabled_enabled and dummy flag seems wrong to me. I can code up a patch. Tony