[PATCH v28 22/25] Audit: Add record for multiple process LSM attributes
Casey Schaufler
casey at schaufler-ca.com
Thu Aug 19 22:41:00 UTC 2021
On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> On 8/18/2021 5:47 PM, Paul Moore wrote:
>> ...
>> I just spent a few minutes tracing the code paths up from audit
>> through netlink and then through the socket layer and I'm not seeing
>> anything obvious where the path differs from any other syscall;
>> current->audit_context *should* be valid just like any other syscall.
>> However, I do have to ask, are you only seeing these audit records
>> with a current->audit_context equal to NULL during early boot?
> Nope. Sorry.
It looks as if all of the NULL audit_context cases are for either
auditd or systemd. Given what the events are, this isn't especially
surprising.
More information about the Linux-security-module-archive
mailing list