On 2 Oct 2018, at 18:15, Alan Somers <[email protected]> wrote: >> 3. Remove a check of trail enablement/suspension from audit_new() -- >> at the point where this function has been entered, we believe that >> system-call auditing is already in force, or we wouldn't get here, >> so simply proceed to more expensive policy checks. > > Did you check the logic around audit_proc_coredump too? I think this change > will cause AUE_CORE events to be emitted even when auditing is disabled.
This should be caught by audit_commit(), although it probably would be slightly preferable for audit_proc_coredump() to have an explicit policy check earlier, avoiding a memory allocation (but not a big deal). Robert _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "[email protected]"
