AFAICS the main use of syscall auditing is to get syscall
information for syscalls that are already causing another audit
message.
We don't need any of the fancy syscall auditing machinery for that,
though: we can just log this information directly. This should have
essentially no overhead and
I've made no secret of the fact that I dislike syscall auditing. As far
as I can tell, the main technical (i.e. not compliance-related) use of
syscall auditing is to supply some useful context information to go
along with events like AVC denials.
CONFIG_AUDITSYSCALL is serious overkill to do
syscall_in_syscall will return true if we're in a real syscall and
will return false if we're not in a syscall. If we're in a bad
syscall, the return value can vary.
The idea is to use this to come up with a much simpler replacement
for syscall auditing.
Signed-off-by: Andy Lutomirski
On May 30, 2014 2:58 PM, Andy Lutomirski l...@amacapital.net wrote:
syscall_in_syscall will return true if we're in a real syscall and
will return false if we're not in a syscall. If we're in a bad
syscall, the return value can vary.
The idea is to use this to come up with a much simpler
On 05/29/2014 01:31 AM, Tyler Hicks wrote:
I'm surprised that this patch makes ausearch work correctly for AppArmor
AVC events. The first thing that parse_avc() does is look for the
avc: term in the AVCs that SELinux generates. AppArmor's AVCs don't
include that string, so an.avc_result and