On Tue, May 05, 2009 at 03:50:01PM -0400, Paul Moore wrote:
> No problem. As far as I'm aware the discussion never went beyond this thread
> as I was unable to recreate the problem with the (then) current kernels but it
> may not be a bad idea to get the arch folks and perhaps lkml involved if we
> can narrow this down a little.

Doesn't reproduce for me with 2.6.30-rc4-git1. For our SLES11 kernel
(2.6.27+patches) I needed your entry_64.S change to fix the problem. With just
commit 6d208da89aabee8502debe842832ca0ab298d16d I get:

[snippet]
Starting auditd done
----
time->Thu May 7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.513:121): arch=c000003e syscall=175 success=yes exit=0 a0=7f95478e2000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4425 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd done
Starting auditd done
----
time->Thu May 7 12:51:46 2009
type=SYSCALL msg=audit(1241725906.768:128): arch=c000003e syscall=175 success=yes exit=0 a0=7f2425e10000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4488 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd done
Starting auditd done
----
time->Thu May 7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.024:135): arch=c000003e syscall=175 success=no exit=-131939334922280 a0=7f9901b9a000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4551 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd done
Starting auditd done
----
time->Thu May 7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.288:142): arch=c000003e syscall=175 success=no exit=-131939285508136 a0=7f0807b15000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4614 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd done
Starting auditd done
----
time->Thu May 7 12:51:47 2009
type=SYSCALL msg=audit(1241725907.544:149): arch=c000003e syscall=175 success=yes exit=0 a0=7f053f482000 a1=1e18 a2=61a240 a3=61a240 items=0 ppid=4382 pid=4677 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=1 comm="modprobe" exe="/sbin/modprobe" key=(null)
Shutting down auditd

test case:

for i in `seq 1 100`; do
    cat /dev/null > /var/log/audit/audit.log
    rmmod dummy
    rcauditd restart
    auditctl -a entry,always -S init_module
    modprobe dummy
    ausearch -c modprobe
done

This is on a Core2Duo.

Tony

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
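
A check for the symptom visible in the output above, as an added example that is not part of the original message: it flags SYSCALL records where success=no but exit lies outside the kernel's errno range (-4095..-1). The sample records are constructed (trimmed field set; the third record is invented for contrast) and the function names are illustrative.

```python
import re

# Constructed sample: records 1 and 2 reuse values quoted in the message above
# with most fields trimmed; record 3 is invented to show a genuine failure.
SAMPLE = '''\
type=SYSCALL msg=audit(1241725906.513:121): arch=c000003e syscall=175 success=yes exit=0 pid=4425 comm="modprobe"
type=SYSCALL msg=audit(1241725907.024:135): arch=c000003e syscall=175 success=no exit=-131939334922280 pid=4551 comm="modprobe"
type=SYSCALL msg=audit(1241725907.100:136): arch=c000003e syscall=2 success=no exit=-13 pid=4552 comm="cat"
'''

MAX_ERRNO = 4095  # Linux error returns occupy -4095..-1 (include/linux/err.h)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def suspicious_exits(log_text):
    """Return failed SYSCALL records whose exit value is not a valid errno."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "no":
            continue
        try:
            exit_val = int(rec.get("exit", ""))
        except ValueError:
            continue  # malformed or missing exit field
        if -MAX_ERRNO <= exit_val < 0:
            continue  # ordinary failure, e.g. -13 (EACCES)
        findings.append({
            "msg": rec.get("msg"),
            "exit": exit_val,
            # 64-bit two's complement shows what kind of value was recorded
            "exit_hex": hex(exit_val & 0xFFFFFFFFFFFFFFFF),
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_exits(SAMPLE):
        print(finding)
```
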
