From: Paul Moore <paul.moore@hp.com>
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Wed, 8 Apr 2009 17:38:42 -0400
Message-ID: <200904081738.42401.paul.moore@hp.com>
In-Reply-To: <1239158649.24938.46.camel@klausk.br.ibm.com>

On Tuesday 07 April 2009 10:44:09 pm Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
>
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred with
> successful execve() syscalls. This behavior was pointed out with the
> open-source common-criteria testsuite that checked each
> security-relevant syscall for parameters, return values, args, etc.
>
> I didn't give much importance to those since execve() return value is
> really not that important if the call succeeds ;-)
>
> But now I'm curious as to what other problems related to syscall return
> values you've found, and how those weren't caught by the same set of
> tests (hmm, maybe they are x86-specific?)

Well, I'm not certain about the exact root cause (I was hoping others with
more audit experience would be able to take a look) but I do know that my
fix/workaround was arch specific. My hunch is that the problem does lie in
the arch specific code but it may be that the same problem exists on multiple
architectures.

> Can you give us some examples?

Of the tests? Sure, I used the audit-test suite which can be found on
SourceForge. The tests that trigger the error on my test system are the
sendto() and sendmsg() syscall tests which are run as part of the network
tests.

http://sourceforge.net/project/showfiles.php?group_id=167060
http://audit-test.svn.sforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendto.c?revision=2019&view=markup
http://audit-test.svn.sourceforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendmsg.c?view=markup

--
paul moore
linux @ hp