When there are no rules present, the event SOCKADDR record is not generated due to audit_dummy_context() generated at syscall entry from audit_n_rules. Store this information if there is a context present to store it so that mandatory events are more complete (startup, LSMs...).
Please see the upstream issue https://github.com/linux-audit/audit-kernel/issues/122 Signed-off-by: Richard Guy Briggs <[email protected]> --- Passes audit-testsuite. include/linux/audit.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 03c4035a532b..07fecd99741a 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -448,7 +448,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args) static inline int audit_sockaddr(int len, void *addr) { - if (unlikely(!audit_dummy_context())) + if (audit_context()) return __audit_sockaddr(len, addr); return 0; } -- 1.8.3.1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
