From: Tony Jones <tonyj@suse.de>
To: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Tue, 5 May 2009 11:15:34 -0700 [thread overview]
Message-ID: <20090505181534.GB8722@suse.de> (raw)
In-Reply-To: <1239158649.24938.46.camel@klausk.br.ibm.com>
On Tue, Apr 07, 2009 at 11:44:09PM -0300, Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
>
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred with
> successful execve() syscalls. This behavior was pointed out with the
> open-source common-criteria testsuite that checked each
> security-relevant syscalls for parameters, return values, args etc..
>
> I didn't give much important to those since execve() return value is
> really not that important if the call succeeds ;-)
>
> But now I'm curious to what other problems related to syscalls return
> values you've found, and how those weren't caught by the same set of
> tests (hmm, maybe they are x86-specific?)
>
> Can you give us some examples?
Klaus. I need to kick this bug upstream. I'll do so today. I thought I'd
tracked it down to some specific execve code in the entry sequence, that was a
while ago, I got back to looking at it and I can't find that code anymore :-(
but it still fails.
For S390[x] you'll get audit events of the form:
type=SYSCALL msg=audit(1179421699.058:39809): arch=80000016 syscall=11
success=yes exit=11 a0=3ffff91ce50 a1=3ffff91e240 a2=3ffff91e250 a3=20000162a58
items=2 ppid=13131 pid=13132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=pts1 comm="true" exe="/bin/true" subj=unconstrained
key=(null)
strace shows that the syscall succeeded.
My S390 assembler knowledge is non-existant but appears that the syscall value
is somehow in gprs[2] rather than the return value when the codepath enters
s390/kernel/ptrace.c::do_syscall_trace_exit. Only for the execve syscall.
Tony
next prev parent reply other threads:[~2009-05-05 18:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-04-07 15:34 Audit not recording the correct syscall return value in Fedora 10? Paul Moore
2009-04-08 2:44 ` Klaus Heinrich Kiwi
2009-04-08 21:38 ` Paul Moore
2009-05-05 18:15 ` Tony Jones [this message]
2009-05-05 18:08 ` Tony Jones
2009-05-05 18:22 ` Paul Moore
2009-05-05 19:07 ` Tony Jones
2009-05-05 19:20 ` Paul Moore
2009-05-05 19:34 ` Tony Jones
2009-05-05 19:50 ` Paul Moore
2009-05-07 23:05 ` Tony Jones
2009-05-08 13:22 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090505181534.GB8722@suse.de \
--to=tonyj@suse.de \
--cc=klausk@linux.vnet.ibm.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox