rule.Rule.Build: Don't assume that no syscalls means all syscalls
Rule.Build assumes that if no syscalls are specified, they all are set.
This is really only the case when the exit list is used since the
syscall numbers aren't available in the other lists.  When we assume
that all of the syscalls are enabled, we end up generating wireformat
rules for e.g. 'task,never' that have all of the syscall bits set.  That
doesn't match what is already used when 'auditctl -a task,never' is
used.  It may be ignored by the kernel when such a rule is added, but
it would cause problems when that rule is deleted.
jeffmahoney committed Sep 8, 2023
1 parent d7bead3 commit 95acdd8
Showing 1 changed file with 9 additions and 1 deletion.
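The behaviour the commit message describes, as an added illustration that is not code from this repository: the kernel's `struct audit_rule_data` carries a syscall bitmask of 64 little-endian uint32 words (bit `nr%32` of word `nr/32` selects syscall `nr`). For a rule on the `exit` list with no `-S` argument the mask is all ones; for any other list (such as `task`) the syscall number is not available at filter time, so the mask stays all zeros, which is what `auditctl -a task,never` produces. The constants and the `buildMask`, `maskIsAll` and `maskIsEmpty` names below are this example's own, not part of go-libaudit.

```go
package main

import "fmt"

// Values from include/uapi/linux/audit.h.
const (
	auditFilterTask  = 0x02 // "task" list: evaluated at fork/clone, before any syscall
	auditFilterExit  = 0x04 // "exit" list: evaluated at syscall exit
	auditNever       = 0
	auditAlways      = 2
	auditBitmaskSize = 64 // uint32 words in the mask, i.e. 64*32 = 2048 syscall slots
)

// syscallMask mirrors the mask[AUDIT_BITMASK_SIZE] member of struct audit_rule_data.
type syscallMask [auditBitmaskSize]uint32

// buildMask (example helper, not the project's API) applies the rule the commit
// describes: an exit-list rule with no explicit syscalls means "all syscalls";
// on any other list an empty syscall set must stay empty, because the kernel
// has no syscall number to match against there.
func buildMask(list uint32, syscalls []int) (syscallMask, error) {
	var m syscallMask
	if list == auditFilterExit && len(syscalls) == 0 {
		for i := range m {
			m[i] = ^uint32(0)
		}
		return m, nil
	}
	for _, nr := range syscalls {
		if nr < 0 || nr >= auditBitmaskSize*32 {
			return syscallMask{}, fmt.Errorf("syscall number %d out of range", nr)
		}
		// AUDIT_WORD(nr) = nr/32, AUDIT_BIT(nr) = 1 << (nr % 32)
		m[nr/32] |= 1 << uint(nr%32)
	}
	return m, nil
}

// maskIsAll reports whether every syscall bit is set.
func maskIsAll(m syscallMask) bool {
	for _, w := range m {
		if w != ^uint32(0) {
			return false
		}
	}
	return true
}

// maskIsEmpty reports whether no syscall bit is set (what auditctl emits for
// non-exit lists, and what a delete request must reproduce to match the rule).
func maskIsEmpty(m syscallMask) bool {
	for _, w := range m {
		if w != 0 {
			return false
		}
	}
	return true
}

func main() {
	taskNever, _ := buildMask(auditFilterTask, nil)
	exitAll, _ := buildMask(auditFilterExit, nil)
	// 2 = open, 257 = openat on x86_64 (constructed sample input).
	exitSome, _ := buildMask(auditFilterExit, []int{2, 257})

	fmt.Println("task,never mask empty:", maskIsEmpty(taskNever))
	fmt.Println("exit,always (no -S) mask all set:", maskIsAll(exitAll))
	fmt.Printf("exit,always -S open,openat word0=%#x word8=%#x\n", exitSome[0], exitSome[8])
}
```

A `task,never` rule built with an all-ones mask is accepted by the kernel but is a different rule from the one `auditctl` added, so a later delete request for the all-zero version does not find it; keeping the mask empty on non-exit lists is what makes add and delete agree.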
10 changes: 9 additions & 1 deletion rule/rule.go
Expand Up @@ -41,14 +41,22 @@ const (

// Build builds an audit rule.
func Build(rule Rule) (WireFormat, error) {
data := &ruleData{allSyscalls: true}
data := &ruleData{}
var err error

switch v := rule.(type) {
case *SyscallRule:
if err = data.setList(v.List); err != nil {
return nil, err
}

// While it's possible to set syscalls on lists other than the 'exit' list
// they don't actually do anything since the syscall information isn't
// available at that time. Don't assume that all syscalls are enabled.
if data.flags == exitFilter {
data.allSyscalls = true
}

if err = data.setAction(v.Action); err != nil {
return nil, err
}
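Review bot: changing the initializer from `data := &ruleData{allSyscalls: true}` to `data := &ruleData{}` flips the default for every arm of this `switch`, while the new `if data.flags == exitFilter { data.allSyscalls = true }` block restores it only inside `case *SyscallRule:`; confirm that the other `case` arms (outside this hunk) do not rely on the old default, otherwise their wire format changes silently along with the `task,never` fix the message describes. The equality check also assumes that `setList` is the only writer to `data.flags` at this point, which holds because `setAction` runs afterwards but is order-dependent; either record the list selector in its own field or extend the comment so a later reordering of `setList` and `setAction` does not break the exit-list detection.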

0 comments on commit 95acdd8