From: Richard Guy Briggs <rgb@redhat.com>
Date: Thu, 31 May 2018 20:28:12 +0000 (-0400)
Subject: audit: tie ANOM_ABEND records to syscall
X-Git-Tag: v4.19-rc1~147^2~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d87de4a878e110d0061fb22726d37a54a281285d;p=thirdparty%2Flinux.git

audit: tie ANOM_ABEND records to syscall

Since core dump events are triggered by user activity, tie the
ANOM_ABEND record to the syscall record to collect all records from the
same event.

See: https://github.com/linux-audit/audit-kernel/issues/88

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
---

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fefb9e215cd0b..5f0bd5ece578e 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2461,7 +2461,7 @@ void audit_core_dumps(long signr)
 	if (signr == SIGQUIT)	/* don't care for those */
 		return;
 
-	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_ANOM_ABEND);
+	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_ANOM_ABEND);
 	if (unlikely(!ab))
 		return;
 	audit_log_task(ab);