On Monday 06 March 2006 10:32, Jason Baron wrote:
The idea behind this patch is based on a suggestion to not call
'audit_syscall_entry' and 'audit_syscall_exit' if there are no audit
rules
loaded.
We are starting to get problem reports with this patch. It appears that
nothing sets ctime when the event is started via an avc. The patch below
takes a stab at fixing this. Does it look correct?
-Steve
diff -urp linux-2.6.15.x86_64.orig/kernel/auditsc.c linux-2.6.15.x86_64/kernel/auditsc.c
--- linux-2.6.15.x86_64.orig/kernel/auditsc.c 2006-03-15 09:09:25.000000000 -0500
+++ linux-2.6.15.x86_64/kernel/auditsc.c 2006-03-15 09:07:22.000000000 -0500
@@ -1136,6 +1136,8 @@ void auditsc_get_stamp(struct audit_cont
{
if (!ctx->serial)
ctx->serial = audit_serial();
+ if (!ctx->ctime.tv_sec)
+ ctx->ctime = CURRENT_TIME;
t->tv_sec = ctx->ctime.tv_sec;
t->tv_nsec = ctx->ctime.tv_nsec;
*serial = ctx->serial;