On Wed, 2010-08-25 at 13:11 +1000, Michael Neuling wrote:
BTW, do you think we can do this in audit_syscall_exit() too?
No, I don't think that is safe, consider the case where we remove the
last rule while this task was inside a syscall. It may have information
stored which is supposed to get

Hi Eric,
Here's another approach Mikey and I were discussing. We allocate the
tsk->audit_context as before, but we avoid setting the TIF_SYSCALL_AUDIT until
the first rule gets added.
We could look at clearing the flag when the rules go back to zero, but this
simple patch covers the most common

Hi Eric,
I don't think this works at all. I don't see how syscall audit'ing can
work. What if I have nothing in the AUDIT_FILTER_TASK list but I want
to audit all 'open(2)' syscalls? This patch is going to leave the task
in the DISABLED state and we won't ever be able to match on the

- Eric Paris epa...@redhat.com wrote:
Add a new spot in the assembly which will call a function which will
check if audit_n_rules > 0 and if so will set TIF_SYSCALL_AUDIT and if
not will clear TIF_SYSCALL_AUDIT? It might make things slightly worse
on systems which explicitly disable audit

On Tue, 2010-08-24 at 15:56 +1000, Michael Neuling wrote:
On reflection, we might have a bug in audit_alloc though. Currently we
have this:
int audit_alloc(struct task_struct *tsk)
{
snip
state = audit_filter_task(tsk, key);
if (likely(state ==

On Fri, 2010-08-20 at 12:13 +1000, Michael Neuling wrote:
We found that when auditing is disabled using auditctl -D, that
there's still a significant overhead when doing syscalls. This overhead
is not present when a single never rule is inserted using auditctl -a
task,never.
Using

On Tue, 2010-08-24 at 12:11 +1000, Michael Neuling wrote:
In message 1282586177.2681.43.ca...@localhost.localdomain you wrote:
On Fri, 2010-08-20 at 12:13 +1000, Michael Neuling wrote:
We found that when auditing is disabled using auditctl -D, that
there's still a significant overhead

On Tue, 2010-08-24 at 12:16 +1000, Anton Blanchard wrote:
Hi Eric,
I don't think this works at all. I don't see how syscall audit'ing can
work. What if I have nothing in the AUDIT_FILTER_TASK list but I want
to audit all 'open(2)' syscalls? This patch is going to leave the task
in