public inbox for linux-audit@redhat.com
From: Peng Haitao <penght@cn.fujitsu.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] Fix a bug of "autrace -r /bin/ls" in i386
Date: Fri, 17 Dec 2010 16:40:58 +0800
Message-ID: <4D0B221A.2040703@cn.fujitsu.com>
In-Reply-To: <4CD3DE39.4000704@cn.fujitsu.com>

Hello Steve,

When executing "autrace -r /bin/ls" on i386, the error message
"Error inserting audit rule for pid=349" is output.

After applying the patch,
when the target system is an i386 processor, autrace will not
trace socket system calls.

Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
---
 src/autrace.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/autrace.c b/src/autrace.c
index e1ff695..ed7ae22 100755
--- a/src/autrace.c
+++ b/src/autrace.c
@@ -84,11 +84,16 @@ static int insert_rule(int audit_fd, const char *field)
 		rc |= audit_rule_syscallbyname_data(rule, "readlink");
 		rc |= audit_rule_syscallbyname_data(rule, "readlinkat");
 		rc |= audit_rule_syscallbyname_data(rule, "execve");
-		rc |= audit_rule_syscallbyname_data(rule, "connect");
-		rc |= audit_rule_syscallbyname_data(rule, "bind");
-		rc |= audit_rule_syscallbyname_data(rule, "accept");
-		rc |= audit_rule_syscallbyname_data(rule, "sendto");
-		rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
+
+		int machine = audit_detect_machine();
+		if (machine != MACH_X86) {
+			rc |= audit_rule_syscallbyname_data(rule, "connect");
+			rc |= audit_rule_syscallbyname_data(rule, "bind");
+			rc |= audit_rule_syscallbyname_data(rule, "accept");
+			rc |= audit_rule_syscallbyname_data(rule, "sendto");
+			rc |= audit_rule_syscallbyname_data(rule, "recvfrom");
+		}
+
 		rc |= audit_rule_syscallbyname_data(rule, "sendfile");
 	} else
 		rc = audit_rule_syscallbyname_data(rule, "all");
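Review bot: the `if (machine != MACH_X86)` block drops socket tracing on i386 entirely rather than mapping it to the multiplexer, so `autrace -r /bin/ls` will now run without error but also without any record of connect/bind/accept/sendto/recvfrom. On i386 those calls all enter the kernel through `socketcall` (number 102, as the earlier message notes), so an `else` branch with `rc |= audit_rule_syscallbyname_data(rule, "socketcall");` would keep the coverage, at the cost of also seeing the other socketcall subcalls. Two smaller points: `int machine = audit_detect_machine();` is a declaration in the middle of a block after executable statements, so it belongs at the top of insert_rule with the other locals; and audit_detect_machine() returns a negative value when it cannot determine the machine, which this comparison treats like a non-x86 host and goes on to insert the socket rules, so the error case should be checked explicitly.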
-- 
1.7.0.1


Peng Haitao said the following on 2010-11-5 18:36:
> Hello Steve,
> 
> When executing "autrace -r /bin/ls" on i386, the error message
> "Error inserting audit rule for pid=349" is output.
> 
> When executing "ausyscall i386 connect", the error message
> "Unknown syscall connect using i386 lookup table" is output.
> 
> After applying the patch,
> the output of "ausyscall i386 connect" is "socketcall         102".
> The output of "autrace -r /bin/ls" should be OK.
> 
> Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
> ---
>  lib/lookup_table.c          |   36 ++++++++++++++++++++++++++++++++++++
>  tools/ausyscall/ausyscall.c |   36 ++++++++++++++++++++++++++++++++++++
>  2 files changed, 72 insertions(+), 0 deletions(-)
> 
> diff --git a/lib/lookup_table.c b/lib/lookup_table.c
> index b0abe07..c6f892f 100755
> --- a/lib/lookup_table.c
> +++ b/lib/lookup_table.c
> @@ -29,6 +29,7 @@
>  #include <stdlib.h>
>  #include <ctype.h>
>  #include <errno.h>
> +#include <linux/net.h>
>  
>  #include "libaudit.h"
>  #include "gen_tables.h"
> @@ -96,6 +97,33 @@ const char *audit_field_to_name(int field)
>  	return field_i2s(field);
>  }
>  
> +/* This is the name/value pair used by search tables */
> +struct nv_pair {
> +	int        value;
> +	const char *name;
> +};
> +
> +static struct nv_pair socktab[] = {
> +	{SYS_SOCKET, "socket"},
> +	{SYS_BIND, "bind"},
> +	{SYS_CONNECT, "connect"},
> +	{SYS_LISTEN, "listen"},
> +	{SYS_ACCEPT, "accept"},
> +	{SYS_GETSOCKNAME, "getsockname"},
> +	{SYS_GETPEERNAME, "getpeername"},
> +	{SYS_SOCKETPAIR, "socketpair"},
> +	{SYS_SEND, "send"},
> +	{SYS_RECV, "recv"},
> +	{SYS_SENDTO, "sendto"},
> +	{SYS_RECVFROM, "recvfrom"},
> +	{SYS_SHUTDOWN, "shutdown"},
> +	{SYS_SETSOCKOPT, "setsockopt"},
> +	{SYS_GETSOCKOPT, "getsockopt"},
> +	{SYS_SENDMSG, "sendmsg"},
> +	{SYS_RECVMSG, "recvmsg"}
> +};
> +#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
> +
>  int audit_name_to_syscall(const char *sc, int machine)
>  {
>  	int res, found;
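Review bot: `struct nv_pair.value` is filled from the SYS_* constants but never read; the lookup added further down in audit_name_to_syscall compares only `.name`. Either use the value (for example to report which socketcall subcall was matched) or reduce the table to `static const char *socknames[]`, which also removes the need for the `<linux/net.h>` include added in the previous hunk, a kernel UAPI header pulled into the library for constants that are never used. If the table stays, make it `static const struct nv_pair socktab[]`, and note that the same struct and table are declared again in ausyscall.c below, so a shared private header would avoid the two copies drifting apart.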
> @@ -104,6 +132,14 @@ int audit_name_to_syscall(const char *sc, int machine)
>  	{
>  		case MACH_X86:
>  			found = i386_syscall_s2i(sc, &res);
> +			if (!found) {
> +				int i;
> +				for(i = 0; i < SOCK_NAMES; i++)
> +					if (strcmp(socktab[i].name, sc) == 0) {
> +						sc = "socketcall";
> +						found = i386_syscall_s2i(sc, &res);
> +					}
> +			}
>  			break;
>  		case MACH_86_64:
>  			found = x86_64_syscall_s2i(sc, &res);
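Review bot: the `for` loop in the `if (!found)` block has no `break`, so after a hit it keeps iterating and re-running the compares (harmless, since `sc` now points at "socketcall" and nothing else in socktab matches, but wasted work and confusing to read); add `break;` right after `found = i386_syscall_s2i(sc, &res);`. The larger point is that this changes the public audit_name_to_syscall() for every libaudit caller on i386: a request for "connect" now resolves to the number of `socketcall`, so a rule meant to watch connect() will match socket, bind, listen and every other subcall as well. That is the only mapping the kernel offers on this arch, but it broadens the rule's scope silently and should be called out in the function's documentation. Also confirm that lookup_table.c includes `<string.h>` for strcmp; the include block shown in the first hunk lists only stdlib, ctype and errno.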
> diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c
> index 565336f..772aa00 100755
> --- a/tools/ausyscall/ausyscall.c
> +++ b/tools/ausyscall/ausyscall.c
> @@ -25,10 +25,38 @@
>  #include <string.h>
>  #include <stdlib.h>
>  #include <ctype.h>
> +#include <linux/net.h>
>  #include "libaudit.h"
>  
>  #define LAST_SYSCALL 1400	// IA64 is in the 1300's right now
>  
> +/* This is the name/value pair used by search tables */
> +struct nv_pair {
> +	int        value;
> +	const char *name;
> +};
> +
> +static struct nv_pair socktab[] = {
> +	{SYS_SOCKET, "socket"},
> +	{SYS_BIND, "bind"},
> +	{SYS_CONNECT, "connect"},
> +	{SYS_LISTEN, "listen"},
> +	{SYS_ACCEPT, "accept"},
> +	{SYS_GETSOCKNAME, "getsockname"},
> +	{SYS_GETPEERNAME, "getpeername"},
> +	{SYS_SOCKETPAIR, "socketpair"},
> +	{SYS_SEND, "send"},
> +	{SYS_RECV, "recv"},
> +	{SYS_SENDTO, "sendto"},
> +	{SYS_RECVFROM, "recvfrom"},
> +	{SYS_SHUTDOWN, "shutdown"},
> +	{SYS_SETSOCKOPT, "setsockopt"},
> +	{SYS_GETSOCKOPT, "getsockopt"},
> +	{SYS_SENDMSG, "sendmsg"},
> +	{SYS_RECVMSG, "recvmsg"}
> +};
> +#define SOCK_NAMES (sizeof(socktab)/sizeof(socktab[0]))
> +
>  void usage(void)
>  {
>  	fprintf(stderr, "usage: ausyscall [arch] name | number | --dump | --exact\n");
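Review bot: this hunk copies `struct nv_pair` and `socktab` verbatim from lib/lookup_table.c; two independent copies will drift the first time a subcall is added to one and not the other. Expose a lookup (or at least the name table) from libaudit and use it from the tool instead. As in the library copy, `.value` is set but never read, so if the table is kept local it can be a plain array of names, which also drops the `<linux/net.h>` dependency from the tool.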
> @@ -119,6 +147,14 @@ int main(int argc, char *argv[])
>  				if (n && strcasestr(n, name)) {
>  					found = 1;
>  					printf("%-18s %d\n", n, i);
> +				} else if (n && strcmp(n, "socketcall") == 0) {
> +					int j = 0;
> +					for (j = 0; j < SOCK_NAMES; j++)
> +						if (strcmp(socktab[j].name, name) == 0) {
> +							found = 1;
> +							printf("%-18s %d\n", n, i);
> +							break;
> +						}
>  				}
>  			}
>  			if (!found) {
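Review bot: the matching rule is inconsistent within this `if`/`else if`: the first branch uses `strcasestr(n, name)` (case-insensitive substring), while the socket fallback uses `strcmp(socktab[j].name, name) == 0` (case-sensitive, exact), so `ausyscall i386 CONNECT` or `ausyscall i386 conn` find nothing through the fallback even though `ausyscall i386 sock` matches `socketcall` through the first test. Use the same comparison in both (strcasecmp, or honour the --exact flag consistently). Minor: `int j = 0;` followed by `for (j = 0; ...)` is a redundant initialiser.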

-- 
Best Regards,
Peng Haitao


Thread overview: 3+ messages
2010-11-05 10:36 [PATCH] Fix a bug of "autrace -r /bin/ls" in i386 Peng Haitao
2010-12-17  8:40 ` Peng Haitao [this message]
2010-12-21 18:58   ` Steve Grubb