From: Richard Guy Briggs <rgb@redhat.com>
To: linux-kernel@vger.kernel.org, linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>, Jessica Yu <jeyu@redhat.com>,
        Steven Rostedt <rostedt@goodmis.org>, Ingo Molnar <mingo@redhat.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Al Viro <viro@zeniv.linux.org.uk>, Eric Paris <eparis@redhat.com>,
        Paul Moore <pmoore@redhat.com>, Steve Grubb <sgrubb@redhat.com>
Subject: [PATCH ALT5] audit: ignore module syscalls on inode child
Date: Fri,  3 Mar 2017 17:24:37 -0500
Message-Id: <ed65d1af63c9af8c27e30f35d8169deef263bd80.1488576693.git.rgb@redhat.com>
In-Reply-To: <20170303211454.GK3818@madcap2.tricolour.ca>
References: <20170303211454.GK3818@madcap2.tricolour.ca>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1026
Lines: 36

Tracefs or debugfs were causing hundreds to thousands of null PATH
records to be associated with the init_module and finit_module SYSCALL
records on a few modules when the following rule was in place for
startup:
	-a always,exit -F arch=x86_64 -S init_module -F key=mod-load

In __audit_inode_child, return immedialy upon detecting module-related
syscalls.

See https://github.com/linux-audit/audit-kernel/issues/8
Test case: https://github.com/linux-audit/audit-testsuite/issues/42

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 kernel/auditsc.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 4db32e8..d7fe943 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1868,6 +1868,12 @@ void __audit_inode_child(struct inode *parent,
 
 	if (!context->in_syscall)
 		return;
+	switch (context->major) {
+	case __NR_init_module:
+	case __NR_delete_module:
+	case __NR_finit_module:
+		return;
+	}
 
 	if (inode)
 		handle_one(inode);
-- 
1.7.1