[3.8.y.z,extended,stable] Patch "audit: Syscall rules are not applied to existing processes on non-x86" has been added to staging queue

Message ID 1369259719-23998-1-git-send-email-kamal@canonical.com
State New
Headers show

Commit Message

Kamal Mostafa May 22, 2013, 9:55 p.m.
This is a note to let you know that I have just added a patch titled

    audit: Syscall rules are not applied to existing processes on non-x86

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:


If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 80cd474b437ae3f8bbe232e3c9e138698847998c Mon Sep 17 00:00:00 2001
From: Anton Blanchard <anton@samba.org>
Date: Wed, 9 Jan 2013 10:46:17 +1100
Subject: audit: Syscall rules are not applied to existing processes on non-x86

commit cdee3904b4ce7c03d1013ed6dd704b43ae7fc2e9 upstream.

Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce
burden on archs) changed audit_syscall_entry to check for a dummy
context before calling __audit_syscall_entry. Unfortunately the dummy
context state is maintained in __audit_syscall_entry so once set it
never gets cleared, even if the audit rules change.

As a result, if there are no auditing rules when a process starts
then it will never be subject to any rules added later. x86 doesn't
see this because it has an assembly fast path that calls directly into

I noticed this issue when working on audit performance optimisations.
I wrote a set of simple test cases available at:


02_new_rule.py fails without the patch and passes with it. The
test case clears all rules, starts a process, adds a rule then
verifies the process produces a syscall audit record.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
 include/linux/audit.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5a6d718..37464c5 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -120,7 +120,7 @@  static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 				       unsigned long a1, unsigned long a2,
 				       unsigned long a3)
-	if (unlikely(!audit_dummy_context()))
+	if (unlikely(current->audit_context))
 		__audit_syscall_entry(arch, major, a0, a1, a2, a3);
 static inline void audit_syscall_exit(void *pt_regs)