Re: [PATCH v28 22/25] Audit: Add record for multiple process LSM attributes

On 8/16/2021 11:57 AM, Paul Moore wrote:
> On Fri, Aug 13, 2021 at 5:47 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>> On 8/13/2021 1:43 PM, Paul Moore wrote:
...
> Yeah, the thought occurred to me, but we are clearly already in the
> maybe-the-assumptions-are-wrong stage so I'm not going to rely on that
> being 100%.  We definitely need to track this down before we start
> making too many more guesses about what is working and what is not.

I've been tracking down where the audit context isn't set where
we'd expect it to be. I've identified 5 cases:

	1000	AUDIT_GET 		- Get Status
	1001	AUDIT_SET 		- Set status enable/disable/auditd
	1010	AUDIT_SIGNAL_INFO
	1130	AUDIT_SERVICE_START
	1131	AUDIT_SERVICE_STOP

These are all events that relate to the audit system itself.
It seems plausible that these really aren't syscalls and hence
shouldn't be expected to have an audit_context. I will create a
patch that treats these as the special cases I believe them to be.





