[RFC PATCH v2 0/9] Add LSM access controls and auditing to io_uring

Paul Moore paul at paul-moore.com
Sun Aug 29 15:18:26 UTC 2021

On Sat, Aug 28, 2021 at 11:04 AM Richard Guy Briggs <rgb at redhat.com> wrote:
> I did set a syscall filter for
>         -a exit,always -F arch=b64 -S io_uring_enter,io_uring_setup,io_uring_register -F key=iouringsyscall
> and that yielded some records with a couple of orphans that surprised me
> a bit.

Without looking too closely at the log you sent, you can expect URING
records without an associated SYSCALL record when the uring op is
being processed in the io-wq or sqpoll context.  In the io-wq case, the
processing is happening after the thread finished the syscall but
before the execution context returns to userspace, and in the case of
sqpoll, the processing is handled by a separate kernel thread with no
association to a process thread.

paul moore
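
The correlation described in the message above, as an added example that is not part of the original post or of the patch set: it groups audit records by event id and separates URING records that share an event with a SYSCALL record from the orphans expected under io-wq or sqpoll processing. The log lines are constructed and simplified, the record type name `URING` is taken from the message, and `parse_records` and `classify_uring` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed, simplified audit lines (not the log discussed in the thread).
# Records of one audit event share the "timestamp:serial" id in msg=audit(...).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1630163040.101:210): arch=c000003e syscall=426 success=yes exit=1 pid=1411 comm="demo" key="iouringsyscall"
type=URING msg=audit(1630163040.101:210): uring_op=18 success=yes exit=0 pid=1411 key="iouringsyscall"
type=URING msg=audit(1630163040.207:211): uring_op=18 success=yes exit=0 pid=1411 key="iouringsyscall"
type=SYSCALL msg=audit(1630163040.350:212): arch=c000003e syscall=425 success=yes exit=3 pid=1411 comm="demo" key="iouringsyscall"
type=URING msg=audit(1630163041.004:213): uring_op=22 success=yes exit=0 pid=1502 key="iouringsyscall"
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<event>\d+\.\d+:\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield (record_type, event_id, fields) for each well-formed audit line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip blank or truncated lines rather than guessing
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        yield m["type"], m["event"], fields

def classify_uring(text, uring_type="URING"):
    """Return (paired, orphans): URING records with and without a SYSCALL
    record in the same audit event."""
    by_event = defaultdict(list)
    for rtype, event, fields in parse_records(text):
        by_event[event].append((rtype, fields))
    paired, orphans = [], []
    for event, records in by_event.items():
        has_syscall = any(rtype == "SYSCALL" for rtype, _ in records)
        for rtype, fields in records:
            if rtype == uring_type:
                (paired if has_syscall else orphans).append((event, fields))
    return paired, orphans

if __name__ == "__main__":
    paired, orphans = classify_uring(SAMPLE_LOG)
    for event, f in orphans:
        # Orphans are expected for io-wq / sqpoll work; report them as such
        # instead of treating the missing SYSCALL record as log loss.
        print(f"orphan URING event={event} uring_op={f.get('uring_op')} pid={f.get('pid')}")
```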
