From: Steve Grubb <sgrubb@redhat.com>
To: zhangxiliang <zhangxiliang@cn.fujitsu.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: [PATCH] In some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" are not audited directly.
Date: Wed, 30 Jul 2008 07:58:45 -0400
Message-ID: <200807300758.46328.sgrubb@redhat.com>
In-Reply-To: <48902683.6070902@cn.fujitsu.com>
On Wednesday 30 July 2008 04:29:55 zhangxiliang wrote:
> When I use "autrace -r" or "auditctl -a exit,always -S connect" on an "ia32"
> machine, it reports some errors. I found that on some platforms, "connect",
> "bind", "accept", "sendto", "recvfrom", "sendfile" are not supported to be
> called directly. They are used through the syscall "socketcall".
>
> I think when the socket calls are supported, we should insert "socketcall"
> instead of them. Do you agree with me?
Yes, I do. I have that listed in the TODO file at line 45. Getting this
working would be a big help. However, there is one piece missing. It's not
sufficient to just switch over to socketcall, you also have to tell it via
the a0 field which socketcall represents the correct one. There are about 15
syscalls that are multiplexed through socketcall with each one being a
different a0 parameter.
For example, maybe we want to audit the connect syscall. If we look
at /usr/include/linux/net.h, you find
#define SYS_CONNECT 3 /* sys_connect(2) */
Therefore the audit rule would be:
auditctl -a always,exit -S socketcall -F a0=3
So, we would need the patch to set the a0 field. That lookup table probably
belongs in lib/lookup_table.c. There is a number to text converter in
src/ausearch-lookup.c which might need to be moved. On the other hand, it
might be simpler to just call the socketcall_lookup in src/ausearch-lookup.c
and iterate through it by number until the text matches. That is not terribly
efficient, but auditctl is not used very often and is not required to be
fast. Either way is fine with me.
Also, we have the same problem that you identified with ipccall. Its defined
numbers are in /usr/include/linux/ipc.h.
Thanks,
-Steve
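The a0 mapping described in the reply above, as an added example that is not the audit project's own code: a number-to-text table like the one in src/ausearch-lookup.c, scanned by number until the text matches, and a helper that emits the matching socketcall rule. The SYS_* values are the ones from linux/net.h (SYS_CONNECT is 3); the table and function names are assumptions.

```c
/* Added example, not audit's own code. Maps a socket syscall name that is
 * multiplexed through socketcall(2) to the a0 value an audit rule must
 * filter on, using the "iterate by number until the text matches" approach.
 * The table and helper names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Number -> text table, as an ausearch-style lookup would hold it.
 * Values are the SYS_* defines from linux/net.h. */
static const struct { int num; const char *name; } socketcall_table[] = {
    { 1, "socket" },      { 2, "bind" },        { 3, "connect" },
    { 4, "listen" },      { 5, "accept" },      { 6, "getsockname" },
    { 7, "getpeername" }, { 8, "socketpair" },  { 9, "send" },
    { 10, "recv" },       { 11, "sendto" },     { 12, "recvfrom" },
    { 13, "shutdown" },   { 14, "setsockopt" }, { 15, "getsockopt" },
    { 16, "sendmsg" },    { 17, "recvmsg" },
};
#define SOCKETCALL_MAX 17

/* Number to text, the direction ausearch already needs. */
const char *socketcall_i2s(int num)
{
    for (size_t i = 0; i < sizeof socketcall_table / sizeof *socketcall_table; i++)
        if (socketcall_table[i].num == num)
            return socketcall_table[i].name;
    return NULL;
}

/* Text to number by linear scan; slow but fine for auditctl, which runs
 * rarely. Returns -1 when the name is not a socketcall member. */
int socketcall_s2i(const char *name)
{
    for (int n = 1; n <= SOCKETCALL_MAX; n++) {
        const char *s = socketcall_i2s(n);
        if (s && strcmp(s, name) == 0)
            return n;
    }
    return -1;
}

/* Writes the rule for a multiplexed socket syscall into buf and returns
 * the a0 value, or -1 if the name is not multiplexed through socketcall. */
static char rule_buf[80];
int socketcall_rule(const char *name, char *buf, size_t len)
{
    int n = socketcall_s2i(name);
    if (n < 0)
        return -1;
    snprintf(buf, len, "-a always,exit -S socketcall -F a0=%d", n);
    return n;
}
```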