Linux Kernel Architecture


Chapter 19: Auditing


{
    ...
    context->arch = arch;
    context->major = major;
    context->argv[0] = a1;
    context->argv[1] = a2;
    context->argv[2] = a3;
    context->argv[3] = a4;
    ...
}

Depending on the audit state of the process, filtering needs to be applied using audit_filter_list,
which applies all appropriate filters registered in the kernel. The entry-time filters are only consulted
while the state is still undecided (AUDIT_SETUP_CONTEXT or AUDIT_BUILD_CONTEXT); a task that is already
AUDIT_DISABLED or AUDIT_RECORD_CONTEXT keeps that decision:

kernel/auditsc.c
    state = context->state;
    /* Entry-time filters only run while the state is undecided; a context
     * without any rules (dummy) skips them altogether. */
    if (!context->dummy && (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
        state = audit_filter_syscall(tsk, context, &audit_filter_list[AUDIT_FILTER_ENTRY]);
    if (likely(state == AUDIT_DISABLED))
        return;

    /* Mark the context as inside a system call. auditable is decided now only
     * for AUDIT_RECORD_CONTEXT; for AUDIT_BUILD_CONTEXT the exit-time filters
     * can still turn it on. */
    context->serial = 0;
    context->ctime = CURRENT_TIME;
    context->in_syscall = 1;
    context->auditable = !!(state == AUDIT_RECORD_CONTEXT);
}


Note that context->dummy is set if auditing is enabled but no audit rules are defined. In this case filtering
is obviously unnecessary, and the state the context was created with is used unchanged.
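The following user-space C program is an added illustration of the entry-time decision just described; it is not code from the book or from the kernel. It reproduces the dummy shortcut, the first-match-wins pass over the AUDIT_FILTER_ENTRY list, and the resulting auditable flag. The AUDIT_* state and action names are the kernel's, and the mapping of a rule's action to a state (AUDIT_NEVER to AUDIT_DISABLED, AUDIT_POSSIBLE to AUDIT_BUILD_CONTEXT, AUDIT_ALWAYS to AUDIT_RECORD_CONTEXT) follows audit_filter_rules. The rule layout (a per-syscall bitmap plus an optional uid match; the kernel matches many more fields), the struct names, the scenario helper and the syscall numbers it uses (execve = 59 and getpid = 39 on x86-64) are assumptions made for this example.

```c
/* Added example, not kernel code: user-space model of the entry-time filter
 * decision. Struct layouts and uid-only rule matching are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Kernel names: DISABLED never records, SETUP/BUILD are undecided at entry. */
enum audit_state { AUDIT_DISABLED, AUDIT_SETUP_CONTEXT,
                   AUDIT_BUILD_CONTEXT, AUDIT_RECORD_CONTEXT };
enum audit_action { AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS };

/* One bit per syscall number in a rule's mask, as in the kernel. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)(nr) / 32)
#define AUDIT_BIT(nr)  (1u << ((uint32_t)(nr) % 32))

struct audit_rule_model {
    uint32_t mask[AUDIT_BITMASK_SIZE]; /* syscalls the rule covers */
    bool match_uid;                    /* only field filter modelled here */
    unsigned uid;
    enum audit_action action;
};
struct audit_context_model {
    enum audit_state state;
    bool dummy;       /* auditing on, but no rules loaded */
    int major;        /* syscall number */
    bool auditable;
};
struct task_model { unsigned uid; };

static void rule_add_syscall(struct audit_rule_model *r, int nr)
{
    r->mask[AUDIT_WORD(nr)] |= AUDIT_BIT(nr);
}

/* audit_filter_rules() counterpart: on a match the action sets the state. */
static bool filter_rules(const struct task_model *tsk,
                         const struct audit_rule_model *r,
                         const struct audit_context_model *ctx,
                         enum audit_state *state)
{
    if (!(r->mask[AUDIT_WORD(ctx->major)] & AUDIT_BIT(ctx->major)))
        return false;
    if (r->match_uid && r->uid != tsk->uid)
        return false;
    *state = r->action == AUDIT_NEVER  ? AUDIT_DISABLED :
             r->action == AUDIT_ALWAYS ? AUDIT_RECORD_CONTEXT :
                                         AUDIT_BUILD_CONTEXT; /* AUDIT_POSSIBLE */
    return true;
}

/* audit_filter_syscall() counterpart over the AUDIT_FILTER_ENTRY list:
 * first match wins; no match keeps building so exit filters can decide. */
static enum audit_state filter_syscall(const struct task_model *tsk,
                                       const struct audit_context_model *ctx,
                                       const struct audit_rule_model *rules,
                                       size_t nrules)
{
    enum audit_state state;
    for (size_t i = 0; i < nrules; i++)
        if (filter_rules(tsk, &rules[i], ctx, &state))
            return state;
    return AUDIT_BUILD_CONTEXT;
}

/* The audit_syscall_entry() decision quoted above; false = early return. */
static bool syscall_entry(const struct task_model *tsk,
                          struct audit_context_model *ctx, int major,
                          const struct audit_rule_model *rules, size_t nrules)
{
    enum audit_state state = ctx->state;
    ctx->major = major;
    ctx->dummy = (nrules == 0);      /* nothing to filter against */
    if (!ctx->dummy &&
        (state == AUDIT_SETUP_CONTEXT || state == AUDIT_BUILD_CONTEXT))
        state = filter_syscall(tsk, ctx, rules, nrules);
    if (state == AUDIT_DISABLED)
        return false;
    ctx->auditable = (state == AUDIT_RECORD_CONTEXT);
    return true;
}

/* Constructed scenario (assumed x86-64 numbers): always audit execve (59)
 * for uid 1000, never audit getpid (39). Returns -1 if entry bailed out,
 * 1 if the syscall is auditable, 0 if a context is built but undecided. */
static int scenario(enum audit_state initial, unsigned uid, int nr, bool with_rules)
{
    struct audit_rule_model rules[2] = {
        { .match_uid = true, .uid = 1000, .action = AUDIT_ALWAYS },
        { .action = AUDIT_NEVER },
    };
    rule_add_syscall(&rules[0], 59);
    rule_add_syscall(&rules[1], 39);
    struct task_model tsk = { .uid = uid };
    struct audit_context_model ctx = { .state = initial };
    if (!syscall_entry(&tsk, &ctx, nr, rules, with_rules ? 2 : 0))
        return -1;
    return ctx.auditable ? 1 : 0;
}
```

Two points the model makes visible: a task already in AUDIT_RECORD_CONTEXT is audited even for a syscall an AUDIT_NEVER rule covers, because the entry filters are not consulted for it at all, and a syscall no rule matches still gets a context (AUDIT_BUILD_CONTEXT) so that the exit-time filters can decide later. One detail the model leaves out: the kernel's audit_filter_syscall also returns AUDIT_DISABLED for the audit daemon's own syscalls, so the daemon does not audit itself.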

Figure 19-9: Code flow diagram for audit_syscall_exit. (Diagram: audit_syscall_exit calls audit_log_exit and then asks "Nested system call?"; if yes, the context of the previous syscall is activated; if no, audit_free_names and audit_free_aux free the collected names and auxiliary data.)

Let us now turn our attention to how system call exits are handled. The code flow diagram for
audit_syscall_exit is shown in Figure 19-9. The most important part is the call to audit_log_exit,
which (among other things) creates an audit record for the information contained in the audit context
as follows:

kernel/auditsc.c
static void audit_log_exit(struct audit_context *context, struct task_struct *tsk)
{
    ...
    /* Every SYSCALL record starts with the architecture and the syscall
     * number that were stored in the context at entry. */
    audit_log_format(ab, "arch=%x syscall=%d",
                     context->arch, context->major);
    ...
    /* The return value is reported only if one has actually been recorded. */
    if (context->return_valid)
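As an added example, not code from the book or from the kernel, the following C program parses the record that audit_log_exit writes, in the form it takes in the audit log once auditd has prefixed type=SYSCALL msg= to the kernel's audit(timestamp:serial): header. It makes the point of the return_valid check concrete for a consumer: the success= and exit= fields follow arch= and syscall= only when a return value was recorded, so a log parser must treat them as optional rather than assume every SYSCALL record carries them. The sample lines are constructed, and the x86-64 architecture value 0xc000003e and execve number 59 used by the small detection helper are assumptions of this example.

```c
/* Added example, not kernel code: parse the SYSCALL record written by
 * audit_log_exit() as it appears in the audit log once auditd has prefixed
 * "type=SYSCALL msg=" to the kernel's "audit(ts:serial): " header. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct syscall_record {
    unsigned long arch;   /* arch= (hex AUDIT_ARCH_* value) */
    int syscall;          /* syscall= (context->major) */
    bool have_result;     /* success=/exit= present, i.e. return_valid was set */
    bool success;
    long exit_code;       /* exit= (negative errno on failure) */
};

/* Returns 0 and fills *r for a SYSCALL record carrying arch= and syscall=,
 * -1 for anything else (other record types, oversized or truncated lines). */
static int parse_syscall_record(const char *line, struct syscall_record *r)
{
    char buf[2048];
    bool is_syscall = false, have_arch = false, have_nr = false;

    memset(r, 0, sizeof *r);
    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);

    /* Space-separated key=value pairs; keys we do not need are skipped. */
    for (char *tok = strtok(buf, " \n"); tok; tok = strtok(NULL, " \n")) {
        char *eq = strchr(tok, '=');
        if (!eq)
            continue;
        *eq = '\0';
        const char *key = tok, *val = eq + 1;
        if (strcmp(key, "type") == 0) {
            is_syscall = strcmp(val, "SYSCALL") == 0;
        } else if (strcmp(key, "arch") == 0) {
            r->arch = strtoul(val, NULL, 16);
            have_arch = true;
        } else if (strcmp(key, "syscall") == 0) {
            r->syscall = (int)strtol(val, NULL, 10);
            have_nr = true;
        } else if (strcmp(key, "success") == 0) {
            r->success = strcmp(val, "yes") == 0;
            r->have_result = true;
        } else if (strcmp(key, "exit") == 0) {
            r->exit_code = strtol(val, NULL, 10);
            r->have_result = true;
        }
    }
    return (is_syscall && have_arch && have_nr) ? 0 : -1;
}

/* x86-64 values assumed for the detection helper below. */
#define ARCH_X86_64   0xc000003eUL
#define NR_EXECVE_X64 59

/* Detection helper: failed execve on x86-64. A record without a valid
 * return value is never reported as a failure. */
static bool is_failed_execve(const struct syscall_record *r)
{
    return r->arch == ARCH_X86_64 && r->syscall == NR_EXECVE_X64 &&
           r->have_result && !r->success;
}

/* Constructed sample lines, not captured from a real system. */
static const char *const SAMPLE_FAILED_EXECVE =
    "type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 "
    "success=no exit=-13 a0=7ffd0 a1=7ffd1 a2=7ffd2 a3=0 items=1 ppid=1 pid=2 "
    "auid=1000 uid=1000 gid=1000 tty=pts0 comm=\"sh\" exe=\"/bin/sh\"";
static const char *const SAMPLE_NO_RESULT =
    "type=SYSCALL msg=audit(1700000000.456:43): arch=c000003e syscall=59 "
    "a0=7ffd0 a1=7ffd1 a2=7ffd2 a3=0 ppid=1 pid=3 auid=1000 uid=1000";
static const char *const SAMPLE_OTHER_TYPE =
    "type=PATH msg=audit(1700000000.123:42): item=0 name=\"/bin/true\"";

/* -1 if the line is not a parseable SYSCALL record, 1 if flagged, else 0. */
static int classify(const char *line)
{
    struct syscall_record r;
    if (parse_syscall_record(line, &r) != 0)
        return -1;
    return is_failed_execve(&r) ? 1 : 0;
}

/* Exit code of a record, or 0 when none was reported. */
static long parsed_exit(const char *line)
{
    struct syscall_record r;
    if (parse_syscall_record(line, &r) != 0 || !r.have_result)
        return 0;
    return r.exit_code;
}
```

The parser keys on arch= because the syscall number alone is ambiguous: the same number means different calls on different architectures, which is exactly why audit_log_exit writes the architecture in front of it. A consumer that ignores arch= and matches only on syscall=59 will misclassify records from a 32-bit process on the same machine.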