* confusing with open system call in Linux kernel
@ 2015-02-04 2:59 Alan TaN
From: Alan TaN @ 2015-02-04 2:59 UTC (permalink / raw)
To: linux-audit
Hi everyone,
I am new here, so I am not exactly sure if this is the right place to ask
this. I apologise in advance if this is not the right place.
I would like to ask if anyone has encountered the issue below.
I am trying to track a set of file access system calls in a Linux system
(for experimental purposes) and used the following subset of rules in the
audit.rules file.
-a exit,always -F arch=b64 -S creat -S read -S write -S rename -S open -S close
What I noticed was that for the open system call, when opening an existing
file for writing purposes, the file name would result in a 'null' value as
shown:
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2
success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9169
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
ses=3805 comm="readfile" exe="/root/prov_project/script/readfile"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018198.026:20826531):
cwd="/root/prov_project/script"
type=PATH msg=audit(1423018198.026:20826531): item=0
name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null)
inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL
However, opening the same file in read-only mode or opening a non-existing
file (in which case the open system call would create the file) would
result in the file name being captured as shown:
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2
success=yes exit=4 a0=400865 a1=241 a2=1b6 a3=0 items=2 ppid=9093 pid=9168
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
ses=3805 comm="readfile" exe="/root/prov_project/script/readfile"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1423018196.556:20826486):
cwd="/root/prov_project/script"
type=PATH msg=audit(1423018196.556:20826486): item=0
name="/root/prov_project/script" inode=311564 dev=fd:01 mode=040755 ouid=0
ogid=0 rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt"
inode=269089 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=unconfined_u:object_r:admin_home_t:s0 nametype=CREATE
Hence the question: Is this an intended feature or a bug?
I would appreciate it if anyone could shed some light on this.
To reproduce: write to a non-existing file first, close it and then open
and write to the same file again.
I am running version 2.3.7-5 of the audit framework on CentOS 6.4
(kernel version 2.6.32-431).
Thank you.
Cheers,
Alan
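An added example (not part of either message, and not audit's own tooling) that parses records like the ones pasted above, groups them by event id, decodes the open(2) flags in a1, and flags open events whose target PATH item came back as name=(null), recovering the name from the (dev, inode) pair that an earlier CREATE record for the same inode still carries. The sample records are constructed from the report and trimmed to the fields used; the flag bit values assume the x86_64 ABI indicated by arch=c000003e.

```python
import re
from collections import defaultdict
# x86_64 open(2) flag bits (the report shows arch=c000003e); a1 in a SYSCALL record is hex.
OPEN_FLAGS = (("O_WRONLY", 0x1), ("O_RDWR", 0x2), ("O_CREAT", 0x40), ("O_TRUNC", 0x200))
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Constructed sample: the two events from the report, trimmed to the fields used here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423018198.026:20826531): arch=c000003e syscall=2 success=yes exit=4 a1=241 pid=9169 comm="readfile" key=(null)
type=PATH msg=audit(1423018198.026:20826531): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 nametype=PARENT
type=PATH msg=audit(1423018198.026:20826531): item=1 name=(null) inode=269089 dev=fd:01 nametype=NORMAL
type=SYSCALL msg=audit(1423018196.556:20826486): arch=c000003e syscall=2 success=yes exit=4 a1=241 pid=9168 comm="readfile" key=(null)
type=PATH msg=audit(1423018196.556:20826486): item=0 name="/root/prov_project/script" inode=311564 dev=fd:01 nametype=PARENT
type=PATH msg=audit(1423018196.556:20826486): item=1 name="sample_text.txt" inode=269089 dev=fd:01 nametype=CREATE
"""

def group_events(text):
    """Parse raw audit records and collect the SYSCALL and PATH records that share
    one event id (timestamp:serial); quotes are stripped and (null) becomes None."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in filter(None, text.splitlines()):
        rec = {k: None if v == "(null)" else v.strip('"') for k, v in FIELD_RE.findall(line)}
        ev = events[":".join(EVENT_RE.search(line).groups())]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec)
    return dict(events)

def describe_open_flags(a1_hex):
    """Decode the open(2) flags argument, e.g. a1=241 -> O_WRONLY, O_CREAT, O_TRUNC."""
    bits = int(a1_hex, 16)
    return [name for name, bit in OPEN_FLAGS if bits & bit]

def find_unnamed_opens(events):
    """open(2) events (syscall=2 on x86_64) whose target PATH item has name=(null); the
    (dev, inode) pair survives, so the name is recovered from any other event that has it."""
    known = {(p["dev"], p["inode"]): p["name"] for ev in events.values()
             for p in ev["paths"] if p.get("name") and p.get("nametype") != "PARENT"}
    hits = []
    for eid, ev in events.items():
        sc = ev["syscall"]
        if sc is None or sc.get("syscall") != "2":
            continue
        for p in ev["paths"]:
            if p.get("name") is None and p.get("nametype") != "PARENT":
                hits.append({"event": eid, "dev": p["dev"], "inode": p["inode"],
                             "flags": describe_open_flags(sc["a1"]),
                             "recovered_name": known.get((p["dev"], p["inode"]))})
    return hits
```

Until a kernel with the fix is running, the (dev, inode) pair is the stable key for tying such records back to a file name seen in other events of the same batch.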
* Re: confusing with open system call in Linux kernel
From: Paul Moore @ 2015-02-04 16:46 UTC (permalink / raw)
To: Alan TaN; +Cc: linux-audit
This is a known bug, at least upstream and in CentOS 7.x kernels. We
have a fix in place which should be merged into Linus' tree during the
next merge window (which likely starts next week).
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit