BUG: accompanying records missing for requried records when no rules present

[rgbriggs]

When there are no audit rules registered, mandatory records (config, etc.) are missing their accompanying records (syscall, proctitle, etc.).

This is due to audit context dummy set on syscall entry based on absence of rules that signals that no other records are to be printed.

[rgbriggs]

Post v1.0
https://www.redhat.com/archives/linux-audit/2020-February/msg00061.html
https://lkml.org/lkml/2020/2/18/1087

[rgbriggs]

post v2:
https://www.redhat.com/archives/linux-audit/2020-March/msg00026.html
https://lkml.org/lkml/2020/3/10/970

[rgbriggs]

Upstreamed 2020-03-12 for 5.6-rc1 1320a40

[rgbriggs]

NULL pointer dereference reported by bauen1:

• https://lore.kernel.org/linux-audit/4bee5a4a-cb1b-6db7-6c41-fb5221b5363c@gmail.com/T/#t
• https://www.redhat.com/archives/linux-audit/2020-July/msg00079.html

Reproducer:

• echo "(auditallow systemd_logind_t file_type (dir (all)))" > mytest.cil && sudo semodule -i mytest.cil
• clear all rules in /etc/audit/audit.rules and /etc/audit/rules.d/
• reboot

Mitigated by: ghak96
commit d7481b2 ("audit: issue CWD record to accompany LSM_AUDIT_DATA_* records")

Code audit still needed to check all other records generated from audit_log_exit().

[rgbriggs]

Post v3fix:
https://www.redhat.com/archives/linux-audit/2020-July/msg00132.html
https://lkml.org/lkml/2020/7/27/1692

[rgbriggs]

v2 reverted from audit/stable-5.8 and audit-pr-20200729
https://www.redhat.com/archives/linux-audit/2020-July/msg00144.html
8ac68dc revert: 1320a40 ("audit: trigger accompanying records when no rules present")
https://www.redhat.com/archives/linux-audit/2020-July/msg00170.html

[rgbriggs]

post v4:
https://www.redhat.com/archives/linux-audit/2020-September/msg00041.html
https://patchwork.kernel.org/patch/11768033