[PATCH] audit: fix broken class-based syscall audit

Valdis.Kletnieks at vt.edu
Thu May 17 13:19:10 UTC 2007


On Wed, 16 May 2007 17:45:42 CDT, Klaus Weidner said:
> Bug description: When I add an audit watch on a file with no arguments, I
> get perm=rwxa but on ia64, changes to the mode and context aren't
> audited.  I get audit records on i386 and x86_64.
> (from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239887 )
> 
> The sanity check in audit_match_class() is wrong, AUDIT_BITMASK_SIZE is
> 64, providing space for 2048 syscalls in 64 * 32bit integers. The
> comparison only supports 256 syscalls (sizeof __u32 is 4), and silently
> returns "no match" for valid higher-numbered syscalls.
> 
> This breaks class-based audit for all syscalls on ia64 since on that
> architecture syscall numbers start at 1024. It breaks some syscall audit
> on other architectures also, for example __NR_fchmodat is 306 on x86.
> 
> I'd suggest adding a printk() in addition to returning 0 - you don't want
> to silently ignore unknown or unsupported syscalls when auditing.

Make it rate-limited, so a program can't unintentionally spam your logs.
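
The bound described in the quoted report, next to a corrected bound and a capped warning, as a user-space C model added here (not the kernel's code and not the posted patch). The helper names, the warning budget and the sample syscall number 15 are assumptions made for the illustration.

```c
/* User-space model of the class bitmask check (added example, not kernel source). */
#include <stdint.h>
#include <stdio.h>

#define AUDIT_BITMASK_SIZE 64                   /* value stated in the report */
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))  /* which 32-bit word holds the bit */
#define AUDIT_BIT(nr)  (1U << ((nr) % 32))      /* bit position inside that word */

static uint32_t class_mask[AUDIT_BITMASK_SIZE]; /* one syscall class: 64 * 32 = 2048 bits */
static unsigned warn_budget = 3;                /* constructed cap; stands in for a time-based limit */
static unsigned warnings_emitted, warnings_suppressed;

static void class_add(unsigned nr) { class_mask[AUDIT_WORD(nr)] |= AUDIT_BIT(nr); }

/* Bound as described in the report: 64 * sizeof(uint32_t) == 256 syscalls. */
static int match_class_buggy(unsigned nr)
{
    if (nr >= AUDIT_BITMASK_SIZE * sizeof(uint32_t))
        return 0;                               /* silent "no match" for 256..2047 */
    return (class_mask[AUDIT_WORD(nr)] & AUDIT_BIT(nr)) != 0;
}

/* Bound counted in bits (64 * 32 == 2048), warning when out of range. */
static int match_class_fixed(unsigned nr)
{
    if (nr >= AUDIT_BITMASK_SIZE * 32) {
        if (warn_budget) {                      /* kernel code would use printk_ratelimit() */
            warn_budget--; warnings_emitted++;
            fprintf(stderr, "audit: syscall %u out of range\n", nr);
        } else {
            warnings_suppressed++;              /* flood is counted, not logged */
        }
        return 0;
    }
    return (class_mask[AUDIT_WORD(nr)] & AUDIT_BIT(nr)) != 0;
}

int main(void)
{
    class_add(15);    /* constructed low-numbered entry */
    class_add(306);   /* __NR_fchmodat on x86, per the report */
    class_add(1024);  /* first ia64 syscall number, per the report */
    printf("buggy: %d %d %d\n", match_class_buggy(15), match_class_buggy(306), match_class_buggy(1024));
    printf("fixed: %d %d %d\n", match_class_fixed(15), match_class_fixed(306), match_class_fixed(1024));
    for (unsigned i = 0; i < 10; i++)
        match_class_fixed(5000 + i);            /* out-of-range flood */
    printf("warned %u, suppressed %u\n", warnings_emitted, warnings_suppressed);
    return 0;
}
```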