From: Steve Grubb
Subject: Re: [PATCH] On some platforms, "connect", "bind", "accept", "sendto", "recvfrom", "sendfile" are not audited directly.
Date: Wed, 30 Jul 2008 07:58:45 -0400
Message-ID: <200807300758.46328.sgrubb@redhat.com>
References: <48902683.6070902@cn.fujitsu.com>
In-Reply-To: <48902683.6070902@cn.fujitsu.com>
To: zhangxiliang
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Wednesday 30 July 2008 04:29:55 zhangxiliang wrote:
> When I use "autrace -r" or "auditctl -a exit,always -S connect" on an "ia32"
> machine, it reports some errors. I found that on some platforms, "connect",
> "bind", "accept", "sendto", "recvfrom" and "sendfile" are not supported to be
> called directly. They are used by the syscall "socketcall".
>
> I think when the socket calls are supported, we should insert "socketcall"
> instead of them. Do you agree with me?

Yes, I do. I have that listed in the TODO file at line 45. Getting this
working would be a big help. However, there is one piece missing. It's not
sufficient to just switch over to socketcall; you also have to tell it via
the a0 field which socketcall represents the correct one. There are about 15
syscalls that are multiplexed through socketcall, with each one being a
different a0 parameter.

For example, maybe we want to audit the connect syscall. If we look
at /usr/include/linux/net.h, you find

#define SYS_CONNECT 3 /* sys_connect(2) */

Therefore the audit rule would be:

auditctl -a always,exit -S socketcall -F a0=3

So, we would need the patch to set the a0 field. That lookup table probably
belongs in lib/lookup_table.c. There is a number to text converter in
src/ausearch-lookup.c which might need to be moved. On the other hand, it
might be simpler to just call the socketcall_lookup in src/ausearch-lookup.c
and iterate through it by number until the text matches. That is not terribly
efficient, but auditctl is not used very often and is not required to be
fast. Either way is fine with me.

Also, we have the same problem that you identified with ipccall. Its defined
numbers are in /usr/include/linux/ipc.h.

Thanks,
-Steve
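The name-to-a0 translation discussed in the thread, written out as an added example that is not code from the audit project: the table layout and function names are my own, the SYS_* numbers are the ones defined in /usr/include/linux/net.h, and the reverse lookup shows the "iterate by number until the text matches" approach mentioned above.

```c
/* Added example, not code from the audit project: translate a socket
 * syscall name into the socketcall rule auditctl needs on platforms where
 * the call is only reachable through socketcall (a0 selects the call). */
#include <stdio.h>
#include <string.h>
struct socketcall_entry {
    const char *name;   /* name given to "auditctl -S" */
    int         number; /* a0 value inside socketcall */
};

/* Lookup table in the spirit of lib/lookup_table.c (layout is assumed). */
static const struct socketcall_entry socketcall_table[] = {
    { "socket",      1 }, { "bind",        2 }, { "connect",     3 },
    { "listen",      4 }, { "accept",      5 }, { "getsockname", 6 },
    { "getpeername", 7 }, { "socketpair",  8 }, { "send",        9 },
    { "recv",       10 }, { "sendto",     11 }, { "recvfrom",   12 },
    { "shutdown",   13 }, { "setsockopt", 14 }, { "getsockopt", 15 },
    { "sendmsg",    16 }, { "recvmsg",    17 },
};
#define SOCKETCALL_COUNT (sizeof(socketcall_table) / sizeof(socketcall_table[0]))

/* a0 value for a socket syscall name, or -1 if it is not a socketcall. */
int socketcall_number(const char *name)
{
    for (size_t i = 0; i < SOCKETCALL_COUNT; i++)
        if (strcmp(socketcall_table[i].name, name) == 0)
            return socketcall_table[i].number;
    return -1;
}

/* Reverse lookup (the ausearch direction): a0 value to name, or NULL. */
const char *socketcall_name(int number)
{
    for (size_t i = 0; i < SOCKETCALL_COUNT; i++)
        if (socketcall_table[i].number == number)
            return socketcall_table[i].name;
    return NULL;
}

/* Build the rule: "-S connect" becomes "-S socketcall -F a0=3"; names that
 * are not socketcalls pass through unchanged. Returns chars written or -1. */
int build_audit_rule(const char *syscall, char *buf, size_t len)
{
    int a0 = socketcall_number(syscall), n;
    if (a0 < 0)
        n = snprintf(buf, len, "auditctl -a always,exit -S %s", syscall);
    else
        n = snprintf(buf, len, "auditctl -a always,exit -S socketcall -F a0=%d", a0);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}
```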