On Sat, 2014-02-08 at 13:06 -0800, Andy Lutomirski wrote:
> This toggles TIF_SYSCALL_AUDIT as needed when rules change instead
> of leaving it set whenever rules might be set in the future. This
> reduces syscall latency from >60ns to closer to 40ns on my laptop.
Al also politely reminded me it m
On Mon, 2014-02-10 at 12:04 -0800, Andy Lutomirski wrote:
> On Mon, Feb 10, 2014 at 11:12 AM, Steve Grubb wrote:
> 2. Do AVC denial messages still get logged if audit_enable == 0? If
> not, then audit_enable is a non-starter.
They go out printk/dmesg/syslog
On Mon, 2014-02-10 at 11:01 -0800, Andy Lutomirski wrote:
> On Mon, Feb 10, 2014 at 9:29 AM, Andy Lutomirski wrote:
> > On Mon, Feb 10, 2014 at 8:57 AM, Oleg Nesterov wrote:
> >> On 02/08, Andy Lutomirski wrote:
> >>>
> >>> +void audit_inc_n_rules()
> >>> +{
> >>> + struct task_struct *p, *t;
On Mon, Feb 10, 2014 at 11:12 AM, Steve Grubb wrote:
> On Monday, February 10, 2014 11:01:36 AM Andy Lutomirski wrote:
>> >> And I still think this needs more changes. Once again, I do not think
>> >> that, say, __audit_log_bprm_fcaps() should populate context->aux if
>> >> !TIF_SYSCALL_AUDIT, thi
On Monday, February 10, 2014 11:01:36 AM Andy Lutomirski wrote:
> >> And I still think this needs more changes. Once again, I do not think
> >> that, say, __audit_log_bprm_fcaps() should populate context->aux if
> >> !TIF_SYSCALL_AUDIT, this list can grow indefinitely. Or
> >> __audit_signal_info()
On Mon, Feb 10, 2014 at 9:29 AM, Andy Lutomirski wrote:
> On Mon, Feb 10, 2014 at 8:57 AM, Oleg Nesterov wrote:
>> On 02/08, Andy Lutomirski wrote:
>>>
>>> +void audit_inc_n_rules()
>>> +{
>>> + struct task_struct *p, *t;
>>> +
>>> + read_lock(&tasklist_lock);
>>> + audit_n_rules++;
>
On Mon, Feb 10, 2014 at 9:47 AM, Steve Grubb wrote:
> On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
>> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
>> it would have been a lot nicer if audit calls just immediately emitted
>> audit records, completely ind
On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
> it would have been a lot nicer if audit calls just immediately emitted
> audit records, completely independently of the syscall machinery.
Because the majority
On Mon, Feb 10, 2014 at 8:57 AM, Oleg Nesterov wrote:
> On 02/08, Andy Lutomirski wrote:
>>
>> +void audit_inc_n_rules()
>> +{
>> + struct task_struct *p, *t;
>> +
>> + read_lock(&tasklist_lock);
>> + audit_n_rules++;
>> + smp_wmb();
>> + if (audit_n_rules == 1) {
>> +
On 02/08, Andy Lutomirski wrote:
>
> +void audit_inc_n_rules()
> +{
> + struct task_struct *p, *t;
> +
> + read_lock(&tasklist_lock);
> + audit_n_rules++;
> + smp_wmb();
> + if (audit_n_rules == 1) {
> + /*
> + * We now have a rule; we need to hook sysca
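Review bot: `audit_n_rules++` and the following `if (audit_n_rules == 1)` test run under `read_lock(&tasklist_lock)`, which any number of holders can take at once, so nothing in the visible lines serialises two concurrent callers of `audit_inc_n_rules()`; both could pass through the increment together and the `== 1` transition could be missed or seen twice. If callers already hold a lock that makes rule changes exclusive, say so in a comment above the function; otherwise make the counter update atomic or take that lock here. Separately, the definition should read `void audit_inc_n_rules(void)`, since empty parentheses in C declare a function with unspecified arguments rather than none.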