On Fri, May 10, 2019 at 12:22 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
When a process signals the audit daemon (shutdown, rotate, resume,
reconfig) but syscall auditing is not enabled, we still want to know the
identity of the process sending the signal to the audit daemon.
Move audit_signal_info() out of syscall auditing to general auditing but
create a new function audit_signal_info_syscall() to take care of the
syscall-dependent parts for when syscall auditing is enabled.
Please see the GitHub kernel audit issue
https://github.com/linux-audit/audit-kernel/issues/111
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
Changelog:
v2:
- change patch title to avoid siginfo_t confusion
- change return value to "0" from AUDIT_OFF
- use dummy functions instead of macros in header files
Compile/boot/test auditsyscall enable/disable, audit disable,
auditsyscall enable/selinux disable.
include/linux/audit.h | 9 +++++++++
kernel/audit.c | 27 +++++++++++++++++++++++++++
kernel/audit.h | 8 ++++++--
kernel/auditsc.c | 19 +++----------------
kernel/signal.c | 2 +-
5 files changed, 46 insertions(+), 19 deletions(-)