Date: Thu, 4 Oct 2018 08:56:32 +0100
From: "Robert N. M. Watson" <rwatson@FreeBSD.org>
To: Alan Somers <asomers@freebsd.org>
Cc: Robert Watson <rwatson@freebsd.org>, src-committers <src-committers@freebsd.org>, svn-src-all <svn-src-all@freebsd.org>, svn-src-head <svn-src-head@freebsd.org>
Subject: Re: svn commit: r339085 - head/sys/security/audit
Message-ID: <E5E3F906-8A21-4BB0-B30B-5EFF939BB689@FreeBSD.org>
In-Reply-To: <CAOtMX2iq7B=qRGCAsxJLDXuYAQYBS17NnDhRunfwyRu0LB8XuA@mail.gmail.com>
References: <201810021558.w92FwHBp025418@repo.freebsd.org> <CAOtMX2iq7B=qRGCAsxJLDXuYAQYBS17NnDhRunfwyRu0LB8XuA@mail.gmail.com>

On 2 Oct 2018, at 18:15, Alan Somers <asomers@freebsd.org> wrote:

>> 3. Remove a check of trail enablement/suspension from audit_new() --
>> at the point where this function has been entered, we believe that
>> system-call auditing is already in force, or we wouldn't get here,
>> so simply proceed to more expensive policy checks.
>
> Did you check the logic around audit_proc_coredump too? I think this change will cause AUE_CORE events to be emitted even when auditing is disabled.

This should be caught by audit_commit(), although it probably would be slightly preferable for audit_proc_coredump() to have an explicit policy check earlier, avoiding a memory allocation (but not a big deal).

Robert