From: Linda Knippers
Subject: watches using -p omit some syscalls
Date: Mon, 14 May 2007 10:45:46 -0400
Message-ID: <4648761A.8050402@hp.com>
To: Linux Audit Discussion
List-Id: linux-audit@redhat.com

I was doing some testing on the lspp .80 kernel and discovered that when issuing a simple watch on ia64, I didn't get audit records as I expected. For example, auditctl -w /foo, which defaults to -p rwxa, followed by a chmod or a chcon on the file generated no audit records.

I filed this bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239887

The problem exists but is less severe on other architectures.

Klaus posted a patch in the bugzilla (see below) and also recommended that unknown syscalls not be silently ignored. I have tested Klaus' patch and it solves the problem I saw on ia64. I'm sure Klaus would be happy to post a signed off patch.

-- ljk

--- linux-2.6.18.i686/kernel/auditfilter.c.lspp.80 2007-05-11 17:06:08.000000000 -0500 +++ linux-2.6.18.i686/kernel/auditfilter.c 2007-05-11 17:09:37.000000000 -0500 @@ -306,7 +306,7 @@ int audit_match_class(int class, unsigned syscall) { - if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) + if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) return 0; if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) return 0;
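Review bot: the bare 32 in `if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32))` is a magic number; the old bound `AUDIT_BITMASK_SIZE * sizeof(__u32)` counted bytes of the mask where bits were meant, which is the off-by-a-factor-of-four that drops high-numbered syscalls, so write the new bound as `AUDIT_BITMASK_SIZE * sizeof(__u32) * 8` or a named bits-per-word constant so the intent is visible to the next reader. Also, the `return 0;` on the out-of-range path still makes an unknown syscall match no class silently, which is exactly the behaviour the cover mail says Klaus recommended against; at minimum a comment there, or a rate-limited warning, would be in keeping with that recommendation. Finally, as the cover mail notes, the hunk carries no Signed-off-by and cannot be applied until one is added.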