On 8/18/2021 5:56 PM, Casey Schaufler wrote:
> On 8/18/2021 5:47 PM, Paul Moore wrote:
>> ...
>> I just spent a few minutes tracing the code paths up from audit
>> through netlink and then through the socket layer and I'm not seeing
>> anything obvious where the path differs from any other syscall;
>> current->audit_context *should* be valid just like any other syscall.
>> However, I do have to ask, are you only seeing these audit records
>> with a current->audit_context equal to NULL during early boot?
> Nope.

Sorry. It looks as if all of the NULL audit_context cases are for either auditd or systemd. Given what the events are, this isn't especially surprising.