audit: tie SECCOMP records to syscall
author Richard Guy Briggs <rgb@redhat.com>
Thu, 31 May 2018 20:27:24 +0000 (16:27 -0400)
committer Paul Moore <paul@paul-moore.com>
Tue, 19 Jun 2018 14:26:59 +0000 (10:26 -0400)
Since seccomp events are triggered by user activity, tie the SECCOMP
record to the syscall record to collect all records from the same event.

See: https://github.com/linux-audit/audit-kernel/issues/87

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
kernel/auditsc.c

index ceb1c45..fefb9e2 100644 (file)
@@ -2485,7 +2485,7 @@ void audit_seccomp(unsigned long syscall, long signr, int code)
 {
        struct audit_buffer *ab;
 
-       ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP);
+       ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_SECCOMP);
        if (unlikely(!ab))
                return;
        audit_log_task(ab);
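
Review bot: the changed audit_log_start() call in audit_seccomp() has no comment explaining why the current task's context is now passed instead of NULL. The rationale (collecting the SECCOMP record with the syscall record of the same event) exists only in the commit message, so a one-line comment above the call would keep it at the call site. The commit message should also state what is expected when audit_context() yields no context for the task, since the old call passed NULL unconditionally and the new one makes the association depend on that return value. Whoever consumes these records will want to know whether a SECCOMP record can still appear without an accompanying syscall record.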