Tracefs or debugfs were causing hundreds to thousands of null PATH records to
be associated with the init_module and finit_module SYSCALL records on a few
modules when the following rule was in place for startup:
-a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Don't create those records when the parent is not found in
that task context's audit names_list.
See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
kernel/auditsc.c | 20 +++++++-------------
1 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..83eb3bc 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1889,6 +1889,10 @@ void __audit_inode_child(struct inode *parent,
}
}
+ if (!found_parent)
+ /* Don't track if parent is "anonymous" */
+ return;
+
/* is there a matching child entry? */
list_for_each_entry(n, &context->names_list, list) {
/* can only match entries that have a name */
@@ -1908,14 +1912,6 @@ void __audit_inode_child(struct inode *parent,
}
}
- if (!found_parent) {
- /* create a new, "anonymous" parent record */
- n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
- if (!n)
- return;
- audit_copy_inode(n, NULL, parent);
- }
-
if (!found_child) {
found_child = audit_alloc_name(context, type);
if (!found_child)
@@ -1924,11 +1920,9 @@ void __audit_inode_child(struct inode *parent,
/* Re-use the name belonging to the slot for a matching parent
* directory. All names for this context are relinquished in
* audit_free_names() */
- if (found_parent) {
- found_child->name = found_parent->name;
- found_child->name_len = AUDIT_NAME_FULL;
- found_child->name->refcnt++;
- }
+ found_child->name = found_parent->name;
+ found_child->name_len = AUDIT_NAME_FULL;
+ found_child->name->refcnt++;
}
if (inode)
--
1.7.1
