In auditctl, if rule only has perms, detect hardware to filter syscalls

stevegrubb · stevegrubb · commit 2f329f4548cb · 2025-08-15T11:54:57.000-04:00
diff --git a/ChangeLog b/ChangeLog
@@ -6,6 +6,7 @@
 - Drop IPX header handling and require kernel 5.15 or later
 - Resolved a number of FIXME's all over the code base
 - Optimize ausearch/report log processing
+- In auditctl, if rule only has perms, detect hardware to filter syscalls
 
 4.1.1
 - Add libauplugin example program and improve its documentation
diff --git a/lib/libaudit.c b/lib/libaudit.c
@@ -1581,8 +1581,13 @@ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
 	// arch declared, we leave the old behavior for backwards compatibility
 	// and just warn about performance.
 	if (_audit_elf == 0) {
-		audit_msg(LOG_INFO, "perm used without an arch is slower");
-		return 0;
+		int machine = audit_detect_machine();
+		if (machine < 0) {
+			audit_msg(LOG_INFO,
+				  "perm used without an arch is slower");
+			return 0;
+		}
+		_audit_elf = audit_machine_to_elf(machine);
 	}
 
 	const int machine = audit_elf_to_machine(_audit_elf);
