From: Nathan Brown
Subject: Possible bug while setting syscall="all"
Date: Tue, 27 Sep 2016 18:35:28 -0700
To: linux-audit@redhat.com

I am trying to fully understand the ruledata struct. I've got most of it figured out but I can't find a reason for the final 32 bits (last index) of mask to not be flipped on when selecting all syscalls. In general it appears that the final 32 bits are never used.

https://github.com/linux-audit/audit-userspace/blob/f588248775b4f8180b846bbc1681bc54e07871ed/lib/libaudit.c#L907

From: Steve Grubb
Subject: Re: Possible bug while setting syscall="all"
Date: Wed, 28 Sep 2016 09:05:57 -0400
Message-ID: <1594171.it3xZzOZ7n@x2>
To: linux-audit@redhat.com

On Tuesday, September 27, 2016 6:35:28 PM EDT Nathan Brown wrote:
> I am trying to fully understand the ruledata struct. I've got most of it
> figured out but I can't find a reason for the final 32 bits (last index) of
> mask to not be flipped on when selecting all syscalls. In general it
> appears that the final 32 bits are never used.
>
> https://github.com/linux-audit/audit-userspace/blob/f588248775b4f8180b846bbc1681bc54e07871ed/lib/libaudit.c#L907

Yes, this is a bug. Since there are nowhere near 2016 syscalls on any arch, it hadn't really posed a problem. Fixed in svn commit 1397. Thanks for reporting this.

-Steve
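Added example, not part of the thread and not code from audit-userspace: a small C model of the syscall bitmask discussed above, showing that filling every word except the last leaves syscall numbers 2016 to 2047 unselected by an "all" rule. The struct `rule_mask` and the helper functions are hypothetical names; the macros are defined locally with the values used in linux/audit.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Defined locally so the example builds anywhere; same values as linux/audit.h. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))
#define AUDIT_BIT(nr)  (1U << ((nr) - AUDIT_WORD(nr) * 32))

/* Hypothetical stand-in for the mask field of the rule data struct. */
struct rule_mask { uint32_t mask[AUDIT_BITMASK_SIZE]; };

/* Set the first `words` mask words to all ones and clear the rest. */
static void select_all(struct rule_mask *r, int words)
{
    for (int i = 0; i < AUDIT_BITMASK_SIZE; i++)
        r->mask[i] = (i < words) ? ~0U : 0U;
}

/* Is syscall number nr selected? Out-of-range numbers never match. */
static int syscall_selected(const struct rule_mask *r, int nr)
{
    if (nr < 0 || nr >= AUDIT_BITMASK_SIZE * 32)
        return 0;
    return (r->mask[AUDIT_WORD(nr)] & AUDIT_BIT(nr)) != 0;
}

/* First syscall number in the mask's range that is not selected, or -1. */
static int first_unselected(const struct rule_mask *r)
{
    for (int nr = 0; nr < AUDIT_BITMASK_SIZE * 32; nr++)
        if (!syscall_selected(r, nr))
            return nr;
    return -1;
}

int main(void)
{
    struct rule_mask r;
    select_all(&r, AUDIT_BITMASK_SIZE - 1);   /* last index left unset, as reported */
    printf("short fill: first unselected syscall nr = %d\n", first_unselected(&r));
    select_all(&r, AUDIT_BITMASK_SIZE);       /* every word set */
    printf("full fill:  first unselected syscall nr = %d\n", first_unselected(&r));
    return 0;
}
```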