Hi Eric,
I don't think this works at all. I don't see how syscall audit'ing can
work. What if I have nothing in the AUDIT_FILTER_TASK list but I want
to audit all 'open(2)' syscalls? This patch is going to leave the task
in the DISABLED state and we won't ever be able to match on the
- Eric Paris epa...@redhat.com wrote:
Add a new spot in the assembly which will call a function which will
check if audit_n_rules 0 and if so will set TIF_SYSCALL_AUDIT and if
not will clear TIF_SYSCALL_AUDIT? It might make things slightly worse
on systems which explicitly disable audit
On Tue, 2010-08-24 at 15:56 +1000, Michael Neuling wrote:
On reflection, we might have a bug in audit_alloc though. Currently we
have this:
int audit_alloc(struct task_struct *tsk)
{
	snip
	state = audit_filter_task(tsk, key);
	if (likely(state ==