type=SOCKADDR record missing for socketcall(accept)?
Steve Grubb
sgrubb at redhat.com
Thu Mar 23 15:36:07 UTC 2006
On Thursday 23 March 2006 09:08, John D. Ramsdell wrote:
> I noticed that a socketcall(bind) and socketcall(connect) event contain a
> record of type=SOCKADDR, but I cannot see one for a system call event
> associated with socketcall(accept). Recording the sockaddr of an accepted
> socket is important for cross platform information flow analys
Thanks for pointing this out. The following patch should address this.
Signed-off-by: Steve Grubb <sgrubb at redhat.com>
diff -urp linux-2.6.15.x86_64.orig/net/socket.c linux-2.6.15.x86_64/net/socket.c
--- linux-2.6.15.x86_64.orig/net/socket.c 2006-03-23 10:16:44.000000000 -0500
+++ linux-2.6.15.x86_64/net/socket.c 2006-03-23 10:27:20.000000000 -0500
@@ -263,6 +263,8 @@ int move_addr_to_user(void *kaddr, int k
return -EINVAL;
if(len)
{
+ if (audit_sockaddr(klen, kaddr))
+ return -ENOMEM;
if(copy_to_user(uaddr,kaddr,len))
return -EFAULT;
}
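Review bot: The audit_sockaddr() call sits inside the if(len) block, so no SOCKADDR record is produced when len is zero, even though kaddr still holds the address. If the intent is to record the address on every call, move the check above if(len). The call also passes klen while copy_to_user() copies only len, so if the two differ the audit record and the data returned to user space will not have the same length; a short comment stating that the full kernel-side address is logged on purpose would help. Lastly, any non-zero return from audit_sockaddr() is reported as -ENOMEM; returning the helper's own error value would avoid masking other failures.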