Re: Audit not recording the correct syscall return value in Fedora 10?

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Tue, 07 Apr 2009 23:44:09 -0300	[thread overview]
Message-ID: <1239158649.24938.46.camel@klausk.br.ibm.com> (raw)
In-Reply-To: <200904071134.35379.paul.moore@hp.com>

On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> Does anyone have any thoughts?

I remember debugging an issue with the incorrect return value being
audited for a syscall. It was s390[x] specific and only occurred with
successful execve() syscalls. This behavior was pointed out with the
open-source common-criteria testsuite that checked each
security-relevant syscalls for parameters, return values, args etc..

I didn't give much important to those since execve() return value is
really not that important if the call succeeds ;-)

But now I'm curious to what other problems related to syscalls return
values you've found, and how those weren't caught by the same set of
tests (hmm, maybe they are x86-specific?)

Can you give us some examples?

Thanks,

 -Klaus
-- 
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center

next prev parent reply	other threads:[~2009-04-08  2:44 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-04-07 15:34 Audit not recording the correct syscall return value in Fedora 10? Paul Moore
2009-04-08  2:44 ` Klaus Heinrich Kiwi [this message]
2009-04-08 21:38   ` Paul Moore
2009-05-05 18:15   ` Tony Jones
2009-05-05 18:08 ` Tony Jones
2009-05-05 18:22   ` Paul Moore
2009-05-05 19:07     ` Tony Jones
2009-05-05 19:20       ` Paul Moore
2009-05-05 19:34         ` Tony Jones
2009-05-05 19:50           ` Paul Moore
2009-05-07 23:05             ` Tony Jones
2009-05-08 13:22               ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1239158649.24938.46.camel@klausk.br.ibm.com \
    --to=klausk@linux.vnet.ibm.com \
    --cc=linux-audit@redhat.com \
    --cc=paul.moore@hp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox