Patchwork [3.8.y.z,extended,stable] Patch "audit: Syscall rules are not applied to existing processes on non-x86" has been added to staging queue

Submitter Kamal Mostafa
Date May 22, 2013, 9:55 p.m.
Permalink /patch/245754/
State New


Kamal Mostafa - May 22, 2013, 9:55 p.m.
This is a note to let you know that I have just added a patch titled

    audit: Syscall rules are not applied to existing processes on non-x86

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.8.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see



From 80cd474b437ae3f8bbe232e3c9e138698847998c Mon Sep 17 00:00:00 2001
From: Anton Blanchard <>
Date: Wed, 9 Jan 2013 10:46:17 +1100
Subject: audit: Syscall rules are not applied to existing processes on non-x86

commit cdee3904b4ce7c03d1013ed6dd704b43ae7fc2e9 upstream.

Commit b05d8447e782 (audit: inline audit_syscall_entry to reduce
burden on archs) changed audit_syscall_entry to check for a dummy
context before calling __audit_syscall_entry. Unfortunately the dummy
context state is maintained in __audit_syscall_entry so once set it
never gets cleared, even if the audit rules change.

As a result, if there are no auditing rules when a process starts
then it will never be subject to any rules added later. x86 doesn't
see this because it has an assembly fast path that calls directly into

I noticed this issue when working on audit performance optimisations.
I wrote a set of simple test cases available at: fails without the patch and passes with it. The
test case clears all rules, starts a process, adds a rule then
verifies the process produces a syscall audit record.

Signed-off-by: Anton Blanchard <>
Signed-off-by: Eric Paris <>
Signed-off-by: Kamal Mostafa <>
 include/linux/audit.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/include/linux/audit.h b/include/linux/audit.h
index 5a6d718..37464c5 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -120,7 +120,7 @@  static inline void audit_syscall_entry(int arch, int major, unsigned long a0,
 				       unsigned long a1, unsigned long a2,
 				       unsigned long a3)
-	if (unlikely(!audit_dummy_context()))
+	if (unlikely(current->audit_context))
 		__audit_syscall_entry(arch, major, a0, a1, a2, a3);
 static inline void audit_syscall_exit(void *pt_regs)
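
Review bot: The replaced condition, `if (unlikely(current->audit_context))`, carries no comment saying why `audit_dummy_context()` must not be used at this point, which invites someone to restore it later as an optimisation. Per the commit message, the dummy state is only maintained inside `__audit_syscall_entry`, so gating the call on that state means it is never refreshed after the rules change; a short comment above the check stating this would protect the fix. The `unlikely()` hint is carried over unchanged from the old test and deserves a second look, since the condition is now a plain non-NULL check on the task's audit context rather than a test for a non-dummy context. The commit message mentions that the work came out of audit performance optimisations but does not say what calling `__audit_syscall_entry` on every syscall costs for such tasks when no rules are loaded; a sentence on that would help stable reviewers judge the backport.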