Rework the logic around quick checks for auditing that take place at system-call entry and whenever audit arguments or return values are captured: 1. Expose a single global, audit_syscalls_enabled, which controls whether the audit framework is entered, rather than exposing components of the policy -- e.g., if the trail is enabled, suspended, etc. 2. Introduce a new function audit_syscalls_enabled_update(), which is called to update audit_syscalls_enabled whenever an aspect of the policy changes, so that the value can be updated. 3. Remove a check of trail enablement/suspension from audit_new() -- at the point where this function has been entered, we believe that system-call auditing is already in force, or we wouldn't get here, so simply proceed to more expensive policy checks. 4. Use an audit-provided global, audit_dtrace_enabled, rather than a dtaudit-provided global, to provide policy indicating whether dtaudit would like system calls to be audited. 5. Do some minor cosmetic renaming to clarify what various variables are for. These changes collectively arrange it so that traditional audit (trail, pipes) or the DTrace audit provider can enable system-call probes without the other configured. Otherwise, dtaudit cannot capture system-call data without auditd(8) started.
- Group Reviewers
- rS339085: Rework the logic around quick checks for auditing that take place at
Tested by Graeme Jenkinson (Cambridge) and myself with the DTrace audit
|395 ↗||(On Diff #48553)|
I don't think you can remove this check unless you add similar logic to audit_proc_coredump. Otherwise it will generate AUE_CORE records even when auditing is disabled.
|154 ↗||(On Diff #48553)|
I don't think you need to document this. There's plenty of stuff that's been removed over the years.