Tracefs or debugfs were causing hundreds to thousands of null PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup: -a always,exit -F arch=x86_64 -S init_module -F key=mod-load
Don't create those records when the parent is not found in that task context's audit names_list. See https://github.com/linux-audit/audit-kernel/issues/8 Test case: https://github.com/linux-audit/audit-testsuite/issues/42
Signed-off-by: Richard Guy Briggs <r...@redhat.com>
---
 kernel/auditsc.c | 20 +++++++-------------
 1 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..83eb3bc 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1889,6 +1889,10 @@ void __audit_inode_child(struct inode *parent,
 }
 }
 
+ if (!found_parent)
+ /* Don't track if parent is "anonymous" */
+ return;
+
 /* is there a matching child entry? */
 list_for_each_entry(n, &context->names_list, list) {
 /* can only match entries that have a name */
@@ -1908,14 +1912,6 @@ void __audit_inode_child(struct inode *parent,
 }
 }
 
- if (!found_parent) {
- /* create a new, "anonymous" parent record */
- n = audit_alloc_name(context, AUDIT_TYPE_PARENT);
- if (!n)
- return;
- audit_copy_inode(n, NULL, parent);
- }
-
 if (!found_child) {
 found_child = audit_alloc_name(context, type);
 if (!found_child)
@@ -1924,11 +1920,9 @@ void __audit_inode_child(struct inode *parent,
 /* Re-use the name belonging to the slot for a matching parent
 * directory. All names for this context are relinquished in
 * audit_free_names() */
- if (found_parent) {
- found_child->name = found_parent->name;
- found_child->name_len = AUDIT_NAME_FULL;
- found_child->name->refcnt++;
- }
+ found_child->name = found_parent->name;
+ found_child->name_len = AUDIT_NAME_FULL;
+ found_child->name->refcnt++;
 }
 
 if (inode)
--
1.7.1
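Review bot: The early return added at the top of the first hunk runs before the child lookup loop and before the `found_child` allocation shown in the second hunk, so an operation on a child whose parent directory is not in `names_list` now produces no child PATH record at all, not merely no anonymous parent record. The description only motivates dropping the parent record for the module-load case, so confirm that losing the child record is intended for every caller of __audit_inode_child; if it is not, a narrower condition than `!found_parent` would be needed. As written the comment sits between the `if` and its unbraced `return;`, which reads as though the condition governs the comment; placing it above the condition, `/* Don't track if parent is "anonymous" */` then `if (!found_parent)` / `return;`, keeps the body a single statement. __audit_inode_child begins before this hunk.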
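Review bot: In the third hunk `found_child->name = found_parent->name;` is now unconditional, but the reason found_parent cannot be NULL here is an early return roughly thirty lines earlier, outside this hunk, so the dereference looks unguarded to anyone reading this block on its own. A one-line comment where the `if (found_parent)` guard used to be, `/* found_parent is non-NULL: anonymous parents returned early above */`, records the invariant the removed check enforced. The enclosing function begins and ends outside this hunk.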