authorrwatson <rwatson@FreeBSD.org>2009-01-06 13:59:59 +0000
committerrwatson <rwatson@FreeBSD.org>2009-01-06 13:59:59 +0000
commit2ea343a85ea84bdc751578929975c2bb96cc70a5 (patch)
tree9aee79899f1b774267d8b48a8b1bf531aa968dfc /sys/security
parentfcaf24fb5440688bbd3997b83b242330459a542a (diff)
In AUDIT_SYSCALL_EXIT(), invoke audit_syscall_exit() only if an audit
record is active on the current thread--historically we may always have wanted to enter the audit code if auditing was enabled, but now we just commit the audit record so don't need to enter if there isn't one. Obtained from: TrustedBSD Project Sponsored by: Apple, Inc.
Diffstat (limited to 'sys/security')
-rw-r--r--sys/security/audit/audit.h6
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/security/audit/audit.h b/sys/security/audit/audit.h
index 14dbcfd..227d2dc 100644
--- a/sys/security/audit/audit.h
+++ b/sys/security/audit/audit.h
@@ -198,11 +198,11 @@ void audit_thread_free(struct thread *td);
/*
* Wrap the audit_syscall_exit() function so that it is called only when
- * auditing is enabled, or we have a audit record on the thread. It is
- * possible that an audit record was begun before auditing was turned off.
+ * we have a audit record on the thread. Audit records can persist after
+ * auditing is disabled, so we don't just check audit_enabled here.
*/
#define AUDIT_SYSCALL_EXIT(error, td) do { \
- if (audit_enabled || (td->td_ar != NULL)) \
+ if (td->td_ar != NULL) \
audit_syscall_exit(error, td); \
} while (0)
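Review bot: The new test `if (td->td_ar != NULL)` uses the macro argument `td` unparenthesised and evaluates it twice, once in the test and once in the call, so a caller passing anything other than a plain identifier can get wrong precedence or repeated side effects; `if ((td)->td_ar != NULL)` and `audit_syscall_exit((error), (td));` would be safer. The rewritten comment says "we don't just check audit_enabled here", which reads as though audit_enabled were still part of the condition; wording such as `so we test td_ar rather than audit_enabled here` matches the code, and "a audit record" should be "an audit record". Because td_ar is now the only gate on committing a record at syscall exit, the comment could also state that any exit-time work must not depend on entering audit_syscall_exit() when no record is attached; whether such work exists cannot be seen from this hunk.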