
syscall filtering on personality



I have a question about how to filter on personality.

From /usr/include/linux/personality.h I see:
PER_LINUX = 0x0000,
PER_LINUX_32BIT = 0x0000 | ADDR_LIMIT_32BIT,
PER_LINUX32 = 0x0008,
PER_LINUX32_3GB = 0x0008 | ADDR_LIMIT_3GB,

So if I want to audit a particular syscall, chmod for example, in a 32bit executable, is this the correct usage?:
"auditctl -a exit,always -S chmod -F pers=0x0008"

I've created a simple test that executes the __NR_chmod syscall and compiled it 32bit
(output from "file":
ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped")

When I add the above rule, it is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers=8 (0x8) syscall=chmod"
But I do not see any audit records generated.

Also, if I add the rule
"auditctl -a exit,always -S chmod -F pers=0x0000"
It is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers=0 syscall=chmod"
And I do see audit records generated in /var/log/messages. Note: "pers" is not displayed in the record.

I wasn't sure if 0x0008 was the correct value to capture syscalls compiled in 32bit mode. So I tried this auditctl filter next:
"auditctl -a exit,always -S chmod -F pers!=0x0000"
It is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers!=0 syscall=chmod"
Again, no audit records are generated.


In the same personality.h, I found:
ADDR_LIMIT_32BIT = 0x0800000,

So I also tried:
"auditctl -a exit,always -S chmod -F pers=0x0800000"
It is accepted by auditctl and is listed as:
"AUDIT_LIST: exit always pers=8388608 (0x800000) syscall=chmod"
But again, I don't see any audit records generated.

-debbie
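An added example, not part of Debbie's post and not code from the audit project. The "pers" field in an audit rule is compared against the process's personality word, which is whatever the process inherited or set with personality(2); compiling a binary as 32-bit ELF does not by itself change it, so a 32-bit executable started normally runs with PER_LINUX (0), which is why the pers=0 rule is the one that produced records. PER_LINUX32 (0x0008) is what "setarch linux32" (or the linux32 wrapper) sets before exec. The probe below prints its own personality, optionally switches to PER_LINUX32 the way setarch does, and then issues a chmod, so the same binary can be run both ways against the rules above. The program name pers_probe, the --linux32 flag and the scratch path under /tmp are this example's own choices.

```c
/* pers_probe.c: report this process's personality, optionally switch it to
 * PER_LINUX32, then issue a chmod so an audit rule with "-F pers=..." can be
 * checked against a known personality. Added example, not from the post. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/personality.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Mirrors PER_MASK (0x00ff) from <linux/personality.h>: the low byte is the
 * base personality, the higher bits (ADDR_LIMIT_32BIT, ADDR_LIMIT_3GB, ...)
 * are flags. "-F pers=" compares against the whole word, not just the base. */
#define PERS_BASE_MASK 0x00ffu

unsigned int pers_base(unsigned int pers)  { return pers & PERS_BASE_MASK; }
unsigned int pers_flags(unsigned int pers) { return pers & ~PERS_BASE_MASK; }

/* Name the base personality using the enum values from the header. */
const char *pers_base_name(unsigned int pers)
{
    switch (pers_base(pers)) {
    case PER_LINUX:   return "PER_LINUX";
    case PER_LINUX32: return "PER_LINUX32";
    default:          return "other";
    }
}

/* personality(0xffffffff) queries the current value without changing it. */
unsigned int current_personality(void)
{
    return (unsigned int)personality(0xffffffff);
}

/* What "setarch linux32" does before exec: set PER_LINUX32 (0x0008).
 * Returns the personality in force afterwards, or (unsigned)-1 if the
 * kernel refused the call (for example under a restrictive seccomp policy). */
unsigned int set_linux32_personality(void)
{
    if (personality(PER_LINUX32) == -1)
        return (unsigned int)-1;
    return current_personality();
}

/* Create a scratch file and chmod it through the chmod syscall on
 * architectures that have one (x86, x86_64). Newer ports such as arm64
 * only provide fchmodat, which is what libc's chmod() uses there.
 * Returns 0 on success, -1 on failure. */
int chmod_probe(void)
{
    char path[] = "/tmp/pers_probe_XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    int rc;
    if (fd == -1)
        return -1;
    close(fd);
#ifdef __NR_chmod
    rc = (int)syscall(__NR_chmod, path, 0600);
#else
    rc = chmod(path, 0600);
#endif
    unlink(path);
    return rc == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    unsigned int p;
    if (argc > 1 && strcmp(argv[1], "--linux32") == 0)
        set_linux32_personality();
    p = current_personality();
    printf("personality=0x%x base=%s(0x%x) flags=0x%x\n",
           p, pers_base_name(p), pers_base(p), pers_flags(p));
    printf("chmod probe: %s\n", chmod_probe() == 0 ? "ok" : "failed");
    return 0;
}
```

Build it with "gcc -m32" to mimic the poster's 32-bit binary, then run it once plainly and once with --linux32 (or under "setarch linux32 ./pers_probe", which sets the same value from outside). With the rules from the post loaded, the plain run should match "-F pers=0" and the --linux32 run should match "-F pers=0x0008"; the printed personality word tells you which rule to expect. Note that personality and syscall ABI are separate things: a rule that should catch every chmod made through the 32-bit syscall table, regardless of personality, is written with "-F arch=b32" rather than a pers filter.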