[PATCH ALT5] audit: ignore module syscalls on inode child
Tracefs or debugfs were causing hundreds to thousands of null PATH records to be associated with the init_module and finit_module SYSCALL records on a few modules when the following rule was in place for startup:

-a always,exit -F arch=x86_64 -S init_module -F key=mod-load

In __audit_inode_child, return immediately upon detecting module-related syscalls.

See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs
--- kernel/auditsc.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 4db32e8..d7fe943 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1868,6 +1868,12 @@ void __audit_inode_child(struct inode *parent, if (!context->in_syscall) return; + switch (context->major) { + case __NR_init_module: + case __NR_delete_module: + case __NR_finit_module: + return; + } if (inode) handle_one(inode); -- 1.7.1
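Review bot: the switch on context->major compares against the native __NR_init_module, __NR_delete_module and __NR_finit_module values, but for a compat (32-bit) task on x86_64 context->major holds the compat syscall number, so the early return never fires for that ABI and the null PATH records the commit message describes would still be emitted there; either add the compat numbers under CONFIG_COMPAT or, better, key on the filesystem the child inode lives in (tracefs/debugfs) rather than on the syscall. Two more points for the commit message: __NR_delete_module is in the hunk but the description only mentions init_module and finit_module, so say why module unload needs the same treatment; and note that the early return drops PATH records for every inode created or removed during a module's init or exit, not just the tracefs/debugfs ones, which is an audit coverage change an administrator relying on the mod-load rule should know about.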