audit: tie ANOM_ABEND records to syscall

Since core dump events are triggered by user activity, tie the ANOM_ABEND record to the syscall record to collect all records from the same event. See: https://github.com/linux-audit/audit-kernel/issues/88Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>

audit: tie ANOM_ABEND records to syscall
Since core dump events are triggered by user activity, tie the ANOM_ABEND record to the syscall record to collect all records from the same event. See: https://github.com/linux-audit/audit-kernel/issues/88Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
d87de4a8 · Richard Guy Briggs · Paul Moore · 9b8753ff · d87de4a8
Commit d87de4a8 authored May 31, 2018 by Richard Guy Briggs Committed by Paul Moore Jun 19, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

kernel/auditsc.c kernel/auditsc.c +1 -1

No files found.
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2461,7 +2461,7 @@ void audit_core_dumps(long signr)
 	if (signr == SIGQUIT)	/* don't care for those */
 		return;

-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
 	if (unlikely(!ab))
 		return;
 	audit_log_task(ab);