From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marcus Meissner <meissner@suse.de>
Subject: Re: [PATCH] fix broken class-based syscall audit
Date: Mon, 14 May 2007 17:51:50 +0200
Message-ID: <20070514155148.GB23829@suse.de>
References: <20070514154636.GA11536@w-m-p.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25])
	by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l4EFpwrV022106
	for <linux-audit@redhat.com>; Mon, 14 May 2007 11:51:58 -0400
Received: from mx2.suse.de (cantor2.suse.de [195.135.220.15])
	by mx2.redhat.com (8.13.1/8.13.1) with ESMTP id l4EFpugt019037
	for <linux-audit@redhat.com>; Mon, 14 May 2007 11:51:57 -0400
Content-Disposition: inline
In-Reply-To: <20070514154636.GA11536@w-m-p.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Klaus Weidner <klaus@atsec.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, May 14, 2007 at 10:46:36AM -0500, Klaus Weidner wrote:
> Bug description: When I add an audit watch on a file with no arguments, I
> get perm=rwxa but on ia64, changes to the mode and context aren't
> audited.  I get audit records on i386 and x86_64.
> 
> See also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239887
> 
> The sanity check in audit_match_class() is wrong, AUDIT_BITMASK_SIZE is
> 64, providing space for 2048 syscalls in 64 * 32bit integers. The
> comparison only supports 256 syscalls (sizeof __u32 is 4), and silently
> returns "no match" for valid higher-numbered syscalls.
> 
> This breaks class-based audit for all syscalls on ia64 since on that
> architecture syscall numbers start at 1024. It breaks some syscall audit
> on other architectures also, for example __NR_fchmodat is 306 on x86.
> 
> I'd suggest adding a printk() in addition to returning 0 - you don't want
> to silently ignore unknown or unsupported syscalls when auditing.
> 
> Signed-off-by: Klaus Weidner <klaus@atsec.com>
> 
> --- linux-2.6.18.i686/kernel/auditfilter.c.lspp.80	2007-05-11 17:06:08.000000000 -0500
> +++ linux-2.6.18.i686/kernel/auditfilter.c	2007-05-11 17:09:37.000000000 -0500
> @@ -306,7 +306,7 @@
>  
>  int audit_match_class(int class, unsigned syscall)
>  {
> -	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32)))
> +	if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))
>  		return 0;
>  	if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class]))
>  		return 0;

You likely need to fix audit_register_class() if this is true.

Ciao, Marcus