Skip to content

Commit d4fefa4

Browse files
rgbriggspcmoore
authored andcommitted
audit: move audit_return_fixup before the filters
The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: [email protected] Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <[email protected]> [PM: manual merge required] Signed-off-by: Paul Moore <[email protected]>
1 parent ad982c3 commit d4fefa4

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

kernel/auditsc.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1940,6 +1940,7 @@ void __audit_uring_exit(int success, long code)
19401940
goto out;
19411941
}
19421942

1943+
audit_return_fixup(ctx, success, code);
19431944
if (ctx->context == AUDIT_CTX_SYSCALL) {
19441945
/*
19451946
* NOTE: See the note in __audit_uring_entry() about the case
@@ -1981,7 +1982,6 @@ void __audit_uring_exit(int success, long code)
19811982
audit_filter_inodes(current, ctx);
19821983
if (ctx->current_state != AUDIT_STATE_RECORD)
19831984
goto out;
1984-
audit_return_fixup(ctx, success, code);
19851985
audit_log_exit();
19861986

19871987
out:
@@ -2065,13 +2065,13 @@ void __audit_syscall_exit(int success, long return_code)
20652065
if (!list_empty(&context->killed_trees))
20662066
audit_kill_trees(context);
20672067

2068+
audit_return_fixup(context, success, return_code);
20682069
/* run through both filters to ensure we set the filterkey properly */
20692070
audit_filter_syscall(current, context);
20702071
audit_filter_inodes(current, context);
20712072
if (context->current_state < AUDIT_STATE_RECORD)
20722073
goto out;
20732074

2074-
audit_return_fixup(context, success, return_code);
20752075
audit_log_exit();
20762076

20772077
out:

0 commit comments

Comments
 (0)