On 09/13, Steve Grubb wrote:
> On Sunday, September 08, 2013 05:54:35 PM Oleg Nesterov wrote:
> >
> > Then why audit_alloc() doesn't set TIF_SYSCALL_AUDIT unconditionally?
>
> The code I'm looking at does right at the end of the function.

The code I'm looking at does right at the end too ;) but it also
returns at the start if audit_filter_task() returns AUDIT_DISABLED.

> > And I do not understand "when context == NULL" above. Say,
> > audit_syscall_entry() does nothing if !audit_context, and nobody except
> > copy_process() does audit_alloc(). So why do we need to trigger the audit's
> > paths if it is NULL?
>
> Because if you enter the audit framework,

framework? TIF_SYSCALL_AUDIT has only meaning in entry.S, we need it
to ensure that the audited task can't miss audit_syscall_*().

> that means auditing has been turned
> on at some point in the past, and could be turned back on at some point in the
> future.

And this will change nothing, afaics (wrt TIF_SYSCALL_AUDIT).

Oleg.