From: Steve Grubb <sgrubb@redhat.com>

On Thursday 23 March 2006 09:08, John D. Ramsdell wrote:
>  I noticed that a socketcall(bind) and socketcall(connect) event contain a
>  record of type=SOCKADDR, but I cannot see one for a system call event
>  associated with socketcall(accept).  Recording the sockaddr of an accepted
>  socket is important for cross platform information flow analys

Thanks for pointing this out. The following patch should address this.

Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 net/socket.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN net/socket.c~audit-sockaddr-patch net/socket.c
--- devel/net/socket.c~audit-sockaddr-patch	2006-04-17 21:40:27.000000000 -0700
+++ devel-akpm/net/socket.c	2006-04-17 21:40:27.000000000 -0700
@@ -267,6 +267,8 @@ int move_addr_to_user(void *kaddr, int k
 		return -EINVAL;
 	if(len)
 	{
+		if (audit_sockaddr(klen, kaddr))
+			return -ENOMEM;
 		if(copy_to_user(uaddr,kaddr,len))
 			return -EFAULT;
 	}
_