Tracefs or debugfs were causing hundreds to thousands of null PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup: -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
In __audit_inode_child, return immediately upon detecting TRACEFS and DEBUGFS (and potentially other filesystems identified, via dentry->d_sb->s_magic). See https://github.com/linux-audit/audit-kernel/issues/8 Test case: https://github.com/linux-audit/audit-testsuite/issues/42 Signed-off-by: Richard Guy Briggs <r...@redhat.com> --- kernel/auditsc.c | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4db32e8..6050441 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1868,6 +1868,11 @@ void __audit_inode_child(struct inode *parent, if (!context->in_syscall) return; + switch (parent->i_sb->s_magic) { + case TRACEFS_MAGIC: + case DEBUGFS_MAGIC: + return; + } if (inode) handle_one(inode); -- 1.7.1
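Review bot: the early return in __audit_inode_child is not scoped to init_module/finit_module, so it suppresses child-inode PATH records for every audited syscall that touches tracefs or debugfs, not only the module-load case described in the commit message; the message should state that this is intended (and why it is acceptable from an audit-completeness standpoint), and a short comment above the switch, e.g. "/* tracefs/debugfs create many transient inodes; do not record PATH entries for them */", would explain the filter to future readers. Also note the commit message refers to dentry->d_sb->s_magic while the code tests parent->i_sb->s_magic; aligning the wording with the code avoids confusion when the list of skipped filesystems is extended.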