* Re: [PATCH] Fix a bug of "autrace -r /bin/ls" in i386
2010-11-05 10:36 [PATCH] Fix a bug of "autrace -r /bin/ls" in i386 Peng Haitao
@ 2010-12-17 8:40 ` Peng Haitao
2010-12-21 18:58 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Peng Haitao @ 2010-12-17 8:40 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hello Steve,
When execute "autrace -r /bin/ls" in i386, The error message
"Error inserting audit rule for pid=349" will be outputed.
After apply the patch,
When the target system is a i386 processor, autrace will not
trace socket system calls.
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
---
src/autrace.c | 15 ++++++++++-----
1 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/autrace.c b/src/autrace.c
index e1ff695..ed7ae22 100755
--- a/src/autrace.c
+++ b/src/autrace.c
@@ -84,11 +84,16 @@ static int insert_rule(int audit_fd, const char *field)
rc |= audit_rule_syscallbyname_data(rule, "readlink");
rc |= audit_rule_syscallbyname_data(rule, "readlinkat");
rc |= audit_rule_syscallbyname_data(rule, "execve");
- rc |= audit_rule_syscallbyname_data(rule, "connect");
- rc |= audit_rule_syscallbyname_data(rule, "bind");
- rc |= audit_rule_syscallbyname_data(rule, "accept");
- rc |= audit_rule_syscallbyname_data(rule, "sendto");
- rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
+
+ int machine = audit_detect_machine();
+ if (machine != MACH_X86) {
+ rc |= audit_rule_syscallbyname_data(rule, "connect");
+ rc |= audit_rule_syscallbyname_data(rule, "bind");
+ rc |= audit_rule_syscallbyname_data(rule, "accept");
+ rc |= audit_rule_syscallbyname_data(rule, "sendto");
+ rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
+ }
+
rc |= audit_rule_syscallbyname_data(rule, "sendfile");
} else
rc = audit_rule_syscallbyname_data(rule, "all");
--
1.7.0.1
Peng Haitao said the following on 2010-11-5 18:36:
> Hello Steve,
>
> When execute "autrace -r /bin/ls" in i386, The error message
> "Error inserting audit rule for pid=349" will be outputed.
>
> When execute "ausyscall i386 connect", The error message
> "Unknown syscall connect using i386 lookup table" will be outputed.
>
> After apply the patch,
> The output of "ausyscall i386 connect" is "socketcall 102".
> The output of "autrace -r /bin/ls" should be OK.
>
> Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
> ---
> lib/lookup_table.c | 36 ++++++++++++++++++++++++++++++++++++
> tools/ausyscall/ausyscall.c | 36 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 72 insertions(+), 0 deletions(-)
>
> diff --git a/lib/lookup_table.c b/lib/lookup_table.c
> index b0abe07..c6f892f 100755
> --- a/lib/lookup_table.c
> +++ b/lib/lookup_table.c
> @@ -29,6 +29,7 @@
> #include <stdlib.h>
> #include <ctype.h>
> #include <errno.h>
> +#include <linux/net.h>
>
> #include "libaudit.h"
> #include "gen_tables.h"
> @@ -96,6 +97,33 @@ const char *audit_field_to_name(int field)
> return field_i2s(field);
> }
>
> +/* This is the name/value pair used by search tables */
> +struct nv_pair {
> + int value;
> + const char *name;
> +};
> +
> +static struct nv_pair socktab[] = {
> + {SYS_SOCKET, "socket"},
> + {SYS_BIND, "bind"},
> + {SYS_CONNECT, "connect"},
> + {SYS_LISTEN, "listen"},
> + {SYS_ACCEPT, "accept"},
> + {SYS_GETSOCKNAME, "getsockname"},
> + {SYS_GETPEERNAME, "getpeername"},
> + {SYS_SOCKETPAIR, "socketpair"},
> + {SYS_SEND, "send"},
> + {SYS_RECV, "recv"},
> + {SYS_SENDTO, "sendto"},
> + {SYS_RECVFROM, "recvfrom"},
> + {SYS_SHUTDOWN, "shutdown"},
> + {SYS_SETSOCKOPT, "setsockopt"},
> + {SYS_GETSOCKOPT, "getsockopt"},
> + {SYS_SENDMSG, "sendmsg"},
> + {SYS_RECVMSG, "recvmsg"}
> +};
> +#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
> +
> int audit_name_to_syscall(const char *sc, int machine)
> {
> int res, found;
> @@ -104,6 +132,14 @@ int audit_name_to_syscall(const char *sc, int machine)
> {
> case MACH_X86:
> found = i386_syscall_s2i(sc, &res);
> + if (!found) {
> + int i;
> + for(i = 0; i < SOCK_NAMES; i++)
> + if (strcmp(socktab[i].name, sc) == 0) {
> + sc = "socketcall";
> + found = i386_syscall_s2i(sc, &res);
> + }
> + }
> break;
> case MACH_86_64:
> found = x86_64_syscall_s2i(sc, &res);
> diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c
> index 565336f..772aa00 100755
> --- a/tools/ausyscall/ausyscall.c
> +++ b/tools/ausyscall/ausyscall.c
> @@ -25,10 +25,38 @@
> #include <string.h>
> #include <stdlib.h>
> #include <ctype.h>
> +#include <linux/net.h>
> #include "libaudit.h"
>
> #define LAST_SYSCALL 1400 // IA64 is in the 1300's right now
>
> +/* This is the name/value pair used by search tables */
> +struct nv_pair {
> + int value;
> + const char *name;
> +};
> +
> +static struct nv_pair socktab[] = {
> + {SYS_SOCKET, "socket"},
> + {SYS_BIND, "bind"},
> + {SYS_CONNECT, "connect"},
> + {SYS_LISTEN, "listen"},
> + {SYS_ACCEPT, "accept"},
> + {SYS_GETSOCKNAME, "getsockname"},
> + {SYS_GETPEERNAME, "getpeername"},
> + {SYS_SOCKETPAIR, "socketpair"},
> + {SYS_SEND, "send"},
> + {SYS_RECV, "recv"},
> + {SYS_SENDTO, "sendto"},
> + {SYS_RECVFROM, "recvfrom"},
> + {SYS_SHUTDOWN, "shutdown"},
> + {SYS_SETSOCKOPT, "setsockopt"},
> + {SYS_GETSOCKOPT, "getsockopt"},
> + {SYS_SENDMSG, "sendmsg"},
> + {SYS_RECVMSG, "recvmsg"}
> +};
> +#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
> +
> void usage(void)
> {
> fprintf(stderr, "usage: ausyscall [arch] name | number | --dump | --exact\n");
> @@ -119,6 +147,14 @@ int main(int argc, char *argv[])
> if (n && strcasestr(n, name)) {
> found = 1;
> printf("%-18s %d\n", n, i);
> + } else if (n && strcmp(n, "socketcall") == 0) {
> + int j = 0;
> + for (j = 0; j < SOCK_NAMES; j++)
> + if (strcmp(socktab[j].name, name) == 0) {
> + found = 1;
> + printf("%-18s %d\n", n, i);
> + break;
> + }
> }
> }
> if (!found) {
--
Best Regards,
Peng Haitao
--------------------------------------------------
Peng Haitao
Development Dept.I
Nanjing Fujitsu Nanda Software Tech. Co., Ltd.(FNST)
No.6 Wenzhu Road, Nanjing, 210012, China
TEL: +86+25-86630566-8513
FUJITSU INTERNAL: 7998-8513
FAX: +86+25-83317685
EMail: penght@cn.fujitsu.com
--------------------------------------------------
This communication is for use by the intended recipient(s) only and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not an intended recipient of this communication, you are hereby notified that any dissemination, distribution or copying hereof is strictly prohibited. If you have received this communication in error, please notify me by reply e-mail, permanently delete this communication from your system, and destroy any hard copies you may have printed
^ permalink raw reply related [flat|nested] 3+ messages in thread