On Wed, Feb 14, 2018 at 8:18 AM, Richard Guy Briggs <r...@redhat.com> wrote: > Audit link denied events emit disjointed records when audit is disabled. > No records should be emitted when audit is disabled. > > See: https://github.com/linux-audit/audit-kernel/issues/21 > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > kernel/audit.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/audit.c b/kernel/audit.c > index 227db99..4c3fd24 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2261,6 +2261,9 @@ void audit_log_link_denied(const char *operation, const > struct path *link) > struct audit_buffer *ab; > struct audit_names *name; > > + if (!audit_enabled || audit_dummy_context()) > + return; > + > name = kzalloc(sizeof(*name), GFP_NOFS); > if (!name) > return;
Doesn't this means errors here would be silent if audit isn't enabled? I don't that; sysadmins should see this notification regardless of the audit state... -Kees -- Kees Cook Pixel Security -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit