* Re: [GIT PULL] Audit patches for v5.18
From: pr-tracker-bot @ 2022-03-22 3:56 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit, Linus Torvalds, linux-kernel
In-Reply-To: <CAHC9VhTdj=86GwGpv5bgwVrQp0v1o-a=YKKDw-vC_Er8uKBizA@mail.gmail.com>
The pull request you sent on Mon, 21 Mar 2022 18:21:08 -0400:
> https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20220321
has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/b47d5a4f6b8d42f8a8fbe891b36215e4fddc53be
Thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: kernel test robot @ 2022-03-26 20:55 UTC (permalink / raw)
To: cgel.zte, paul, eparis, linux-audit
Cc: Yang Yang, Zeal Robot, kbuild-all, linux-kernel
In-Reply-To: <20220326094654.2361956-1-yang.yang29@zte.com.cn>
Hi,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on v5.17 next-20220325]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/intel-lab-lkp/linux/commits/cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220326-174904
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20220327/202203270449.WBYQF9X3-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/052b1a11a0bec23358ecc22ad9b085590efd3057
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220326-174904
git checkout 052b1a11a0bec23358ecc22ad9b085590efd3057
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=alpha SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from include/linux/init.h:5,
from kernel/auditsc.c:34:
kernel/auditsc.c: In function '__audit_syscall_exit':
>> kernel/auditsc.c:2081:61: error: 'NR_syscalls' undeclared (first use in this function); did you mean 'si_syscall'?
2081 | unlikely(context->major < 0 || context->major > NR_syscalls))
| ^~~~~~~~~~~
include/linux/compiler.h:78:45: note: in definition of macro 'unlikely'
78 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
kernel/auditsc.c:2081:61: note: each undeclared identifier is reported only once for each function it appears in
2081 | unlikely(context->major < 0 || context->major > NR_syscalls))
| ^~~~~~~~~~~
include/linux/compiler.h:78:45: note: in definition of macro 'unlikely'
78 | # define unlikely(x) __builtin_expect(!!(x), 0)
| ^
vim +2081 kernel/auditsc.c
2063
2064 /**
2065 * __audit_syscall_exit - deallocate audit context after a system call
2066 * @success: success value of the syscall
2067 * @return_code: return value of the syscall
2068 *
2069 * Tear down after system call. If the audit context has been marked as
2070 * auditable (either because of the AUDIT_STATE_RECORD state from
2071 * filtering, or because some other part of the kernel wrote an audit
2072 * message), then write out the syscall information. In call cases,
2073 * free the names stored from getname().
2074 */
2075 void __audit_syscall_exit(int success, long return_code)
2076 {
2077 struct audit_context *context = audit_context();
2078
2079 if (!context || context->dummy ||
2080 context->context != AUDIT_CTX_SYSCALL ||
> 2081 unlikely(context->major < 0 || context->major > NR_syscalls))
2082 goto out;
2083
2084 /* this may generate CONFIG_CHANGE records */
2085 if (!list_empty(&context->killed_trees))
2086 audit_kill_trees(context);
2087
2088 /* run through both filters to ensure we set the filterkey properly */
2089 audit_filter_syscall(current, context);
2090 audit_filter_inodes(current, context);
2091 if (context->current_state < AUDIT_STATE_RECORD)
2092 goto out;
2093
2094 audit_return_fixup(context, success, return_code);
2095 audit_log_exit();
2096
2097 out:
2098 audit_reset_context(context);
2099 }
2100
--
0-DAY CI Kernel Test Service
https://01.org/lkp
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* [PATCH] audit: do a quick exit when syscall number is invalid
From: cgel.zte @ 2022-03-26 9:46 UTC (permalink / raw)
To: paul, eparis, linux-audit; +Cc: Yang Yang, Zeal Robot, linux-kernel
From: Yang Yang <yang.yang29@zte.com.cn>
Userspace may use syscall with invalid syscall number by calling
syscall(syscall_num,..). For example we found openSSH may use
syscall with syscall number is -1 in some case. When that happens
we better do a quick handle no need to gohead.
Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
Reported-by: Zeal Robot <zealci@zte.com.cn>
---
kernel/auditsc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..806cd57d7f20 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2077,7 +2077,8 @@ void __audit_syscall_exit(int success, long return_code)
struct audit_context *context = audit_context();
if (!context || context->dummy ||
- context->context != AUDIT_CTX_SYSCALL)
+ context->context != AUDIT_CTX_SYSCALL ||
+ unlikely(context->major < 0 || context->major > NR_syscalls))
goto out;
/* this may generate CONFIG_CHANGE records */
--
2.25.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related
* [PATCH v2] audit: do a quick exit when syscall number is invalid
From: cgel.zte @ 2022-03-28 5:46 UTC (permalink / raw)
To: rth, ink, mattst88, paul, eparis, linux-audit
Cc: Yang Yang, Zeal Robot, linux-kernel
From: Yang Yang <yang.yang29@zte.com.cn>
Userspace may use syscall with invalid syscall number by calling
syscall(syscall_num,..). For example we found openSSH may use
syscall with syscall number is -1 in some case. When that happens
we better do a quick handle no need to gohead.
Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
Reported-by: Zeal Robot <zealci@zte.com.cn>
---
v2:
- fix compile error of arch/alpha, I have no alpha compile environment, so this fix
- is done by code review.
---
arch/alpha/include/uapi/asm/unistd.h | 1 +
kernel/auditsc.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/include/uapi/asm/unistd.h b/arch/alpha/include/uapi/asm/unistd.h
index 71fd5db06866..8115062216e4 100644
--- a/arch/alpha/include/uapi/asm/unistd.h
+++ b/arch/alpha/include/uapi/asm/unistd.h
@@ -13,5 +13,6 @@
#define __NR_getgid __NR_getxgid
#include <asm/unistd_32.h>
+#include <asm-generic/unistd.h>
#endif /* _UAPI_ALPHA_UNISTD_H */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..ea4915999e01 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2077,7 +2077,8 @@ void __audit_syscall_exit(int success, long return_code)
struct audit_context *context = audit_context();
if (!context || context->dummy ||
- context->context != AUDIT_CTX_SYSCALL)
+ context->context != AUDIT_CTX_SYSCALL ||
+ unlikely(context->major < 0 || context->major >= NR_syscalls))
goto out;
/* this may generate CONFIG_CHANGE records */
--
2.25.1
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related
* Re: [PATCH v2] audit: do a quick exit when syscall number is invalid
From: kernel test robot @ 2022-03-28 15:19 UTC (permalink / raw)
To: cgel.zte, rth, ink, mattst88, paul, eparis, linux-audit
Cc: Yang Yang, Zeal Robot, kbuild-all, linux-kernel
In-Reply-To: <20220328054641.2372974-1-yang.yang29@zte.com.cn>
Hi,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on pcmoore-audit/next]
[also build test WARNING on linus/master v5.17 next-20220328]
[cannot apply to mattst88-alpha/for-linus]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/intel-lab-lkp/linux/commits/cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220328-140250
base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: alpha-alldefconfig (https://download.01.org/0day-ci/archive/20220328/202203282351.MEKxtuyE-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/6459e446233463392d6268ee2154ed9f20c0b82c
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220328-140250
git checkout 6459e446233463392d6268ee2154ed9f20c0b82c
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=alpha prepare
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:33: warning: "__NR_io_setup" redefined
33 | #define __NR_io_setup 0
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:323: note: this is the location of the previous definition
323 | #define __NR_io_setup 398
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:35: warning: "__NR_io_destroy" redefined
35 | #define __NR_io_destroy 1
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:324: note: this is the location of the previous definition
324 | #define __NR_io_destroy 399
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:37: warning: "__NR_io_submit" redefined
37 | #define __NR_io_submit 2
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:326: note: this is the location of the previous definition
326 | #define __NR_io_submit 401
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:39: warning: "__NR_io_cancel" redefined
39 | #define __NR_io_cancel 3
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:327: note: this is the location of the previous definition
327 | #define __NR_io_cancel 402
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:42: warning: "__NR_io_getevents" redefined
42 | #define __NR_io_getevents 4
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:325: note: this is the location of the previous definition
325 | #define __NR_io_getevents 400
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:47: warning: "__NR_setxattr" redefined
47 | #define __NR_setxattr 5
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:307: note: this is the location of the previous definition
307 | #define __NR_setxattr 382
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:49: warning: "__NR_lsetxattr" redefined
49 | #define __NR_lsetxattr 6
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:308: note: this is the location of the previous definition
308 | #define __NR_lsetxattr 383
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:51: warning: "__NR_fsetxattr" redefined
51 | #define __NR_fsetxattr 7
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:309: note: this is the location of the previous definition
309 | #define __NR_fsetxattr 384
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:53: warning: "__NR_getxattr" redefined
53 | #define __NR_getxattr 8
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:310: note: this is the location of the previous definition
310 | #define __NR_getxattr 385
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:55: warning: "__NR_lgetxattr" redefined
55 | #define __NR_lgetxattr 9
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:311: note: this is the location of the previous definition
311 | #define __NR_lgetxattr 386
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:57: warning: "__NR_fgetxattr" redefined
57 | #define __NR_fgetxattr 10
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:312: note: this is the location of the previous definition
312 | #define __NR_fgetxattr 387
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:59: warning: "__NR_listxattr" redefined
59 | #define __NR_listxattr 11
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:313: note: this is the location of the previous definition
313 | #define __NR_listxattr 388
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:61: warning: "__NR_llistxattr" redefined
61 | #define __NR_llistxattr 12
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:314: note: this is the location of the previous definition
314 | #define __NR_llistxattr 389
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:63: warning: "__NR_flistxattr" redefined
63 | #define __NR_flistxattr 13
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:315: note: this is the location of the previous definition
315 | #define __NR_flistxattr 390
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:65: warning: "__NR_removexattr" redefined
65 | #define __NR_removexattr 14
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:316: note: this is the location of the previous definition
316 | #define __NR_removexattr 391
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:67: warning: "__NR_lremovexattr" redefined
67 | #define __NR_lremovexattr 15
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:317: note: this is the location of the previous definition
317 | #define __NR_lremovexattr 392
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:69: warning: "__NR_fremovexattr" redefined
69 | #define __NR_fremovexattr 16
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:318: note: this is the location of the previous definition
318 | #define __NR_fremovexattr 393
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:73: warning: "__NR_getcwd" redefined
73 | #define __NR_getcwd 17
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:293: note: this is the location of the previous definition
293 | #define __NR_getcwd 367
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:77: warning: "__NR_lookup_dcookie" redefined
77 | #define __NR_lookup_dcookie 18
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:329: note: this is the location of the previous definition
329 | #define __NR_lookup_dcookie 406
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
>> include/uapi/asm-generic/unistd.h:81: warning: "__NR_eventfd2" redefined
81 | #define __NR_eventfd2 19
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:408: note: this is the location of the previous definition
408 | #define __NR_eventfd2 485
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:85: warning: "__NR_epoll_create1" redefined
85 | #define __NR_epoll_create1 20
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:409: note: this is the location of the previous definition
409 | #define __NR_epoll_create1 486
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:87: warning: "__NR_epoll_ctl" redefined
87 | #define __NR_epoll_ctl 21
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:331: note: this is the location of the previous definition
331 | #define __NR_epoll_ctl 408
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:89: warning: "__NR_epoll_pwait" redefined
89 | #define __NR_epoll_pwait 22
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:397: note: this is the location of the previous definition
397 | #define __NR_epoll_pwait 474
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:93: warning: "__NR_dup" redefined
93 | #define __NR_dup 23
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:45: note: this is the location of the previous definition
45 | #define __NR_dup 41
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:95: warning: "__NR_dup3" redefined
95 | #define __NR_dup3 24
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:410: note: this is the location of the previous definition
410 | #define __NR_dup3 487
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:101: warning: "__NR_inotify_init1" redefined
101 | #define __NR_inotify_init1 26
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:412: note: this is the location of the previous definition
412 | #define __NR_inotify_init1 489
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:103: warning: "__NR_inotify_add_watch" redefined
103 | #define __NR_inotify_add_watch 27
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
./arch/alpha/include/generated/uapi/asm/unistd_32.h:368: note: this is the location of the previous definition
368 | #define __NR_inotify_add_watch 445
|
In file included from arch/alpha/include/uapi/asm/unistd.h:16,
from arch/alpha/include/asm/unistd.h:5,
from <stdin>:2:
include/uapi/asm-generic/unistd.h:105: warning: "__NR_inotify_rm_watch" redefined
105 | #define __NR_inotify_rm_watch 28
|
In file included from arch/alpha/include/uapi/asm/unistd.h:15,
from arch/alpha/include/asm/unistd.h:5,
..
vim +/__NR_io_setup +33 include/uapi/asm-generic/unistd.h
8a1ab3155c2ac7 David Howells 2012-10-04 32
8a1ab3155c2ac7 David Howells 2012-10-04 @33 #define __NR_io_setup 0
8a1ab3155c2ac7 David Howells 2012-10-04 34 __SC_COMP(__NR_io_setup, sys_io_setup, compat_sys_io_setup)
8a1ab3155c2ac7 David Howells 2012-10-04 @35 #define __NR_io_destroy 1
8a1ab3155c2ac7 David Howells 2012-10-04 36 __SYSCALL(__NR_io_destroy, sys_io_destroy)
8a1ab3155c2ac7 David Howells 2012-10-04 @37 #define __NR_io_submit 2
8a1ab3155c2ac7 David Howells 2012-10-04 38 __SC_COMP(__NR_io_submit, sys_io_submit, compat_sys_io_submit)
8a1ab3155c2ac7 David Howells 2012-10-04 @39 #define __NR_io_cancel 3
8a1ab3155c2ac7 David Howells 2012-10-04 40 __SYSCALL(__NR_io_cancel, sys_io_cancel)
c8ce48f06503ee Arnd Bergmann 2019-02-18 41 #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32
8a1ab3155c2ac7 David Howells 2012-10-04 @42 #define __NR_io_getevents 4
00bf25d693e7f6 Arnd Bergmann 2019-01-01 43 __SC_3264(__NR_io_getevents, sys_io_getevents_time32, sys_io_getevents)
c8ce48f06503ee Arnd Bergmann 2019-02-18 44 #endif
8a1ab3155c2ac7 David Howells 2012-10-04 45
8a1ab3155c2ac7 David Howells 2012-10-04 46 /* fs/xattr.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @47 #define __NR_setxattr 5
8a1ab3155c2ac7 David Howells 2012-10-04 48 __SYSCALL(__NR_setxattr, sys_setxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @49 #define __NR_lsetxattr 6
8a1ab3155c2ac7 David Howells 2012-10-04 50 __SYSCALL(__NR_lsetxattr, sys_lsetxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @51 #define __NR_fsetxattr 7
8a1ab3155c2ac7 David Howells 2012-10-04 52 __SYSCALL(__NR_fsetxattr, sys_fsetxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @53 #define __NR_getxattr 8
8a1ab3155c2ac7 David Howells 2012-10-04 54 __SYSCALL(__NR_getxattr, sys_getxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @55 #define __NR_lgetxattr 9
8a1ab3155c2ac7 David Howells 2012-10-04 56 __SYSCALL(__NR_lgetxattr, sys_lgetxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @57 #define __NR_fgetxattr 10
8a1ab3155c2ac7 David Howells 2012-10-04 58 __SYSCALL(__NR_fgetxattr, sys_fgetxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @59 #define __NR_listxattr 11
8a1ab3155c2ac7 David Howells 2012-10-04 60 __SYSCALL(__NR_listxattr, sys_listxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @61 #define __NR_llistxattr 12
8a1ab3155c2ac7 David Howells 2012-10-04 62 __SYSCALL(__NR_llistxattr, sys_llistxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @63 #define __NR_flistxattr 13
8a1ab3155c2ac7 David Howells 2012-10-04 64 __SYSCALL(__NR_flistxattr, sys_flistxattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @65 #define __NR_removexattr 14
8a1ab3155c2ac7 David Howells 2012-10-04 66 __SYSCALL(__NR_removexattr, sys_removexattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @67 #define __NR_lremovexattr 15
8a1ab3155c2ac7 David Howells 2012-10-04 68 __SYSCALL(__NR_lremovexattr, sys_lremovexattr)
8a1ab3155c2ac7 David Howells 2012-10-04 @69 #define __NR_fremovexattr 16
8a1ab3155c2ac7 David Howells 2012-10-04 70 __SYSCALL(__NR_fremovexattr, sys_fremovexattr)
8a1ab3155c2ac7 David Howells 2012-10-04 71
8a1ab3155c2ac7 David Howells 2012-10-04 72 /* fs/dcache.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @73 #define __NR_getcwd 17
8a1ab3155c2ac7 David Howells 2012-10-04 74 __SYSCALL(__NR_getcwd, sys_getcwd)
8a1ab3155c2ac7 David Howells 2012-10-04 75
8a1ab3155c2ac7 David Howells 2012-10-04 76 /* fs/cookies.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @77 #define __NR_lookup_dcookie 18
8a1ab3155c2ac7 David Howells 2012-10-04 78 __SC_COMP(__NR_lookup_dcookie, sys_lookup_dcookie, compat_sys_lookup_dcookie)
8a1ab3155c2ac7 David Howells 2012-10-04 79
8a1ab3155c2ac7 David Howells 2012-10-04 80 /* fs/eventfd.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @81 #define __NR_eventfd2 19
8a1ab3155c2ac7 David Howells 2012-10-04 82 __SYSCALL(__NR_eventfd2, sys_eventfd2)
8a1ab3155c2ac7 David Howells 2012-10-04 83
8a1ab3155c2ac7 David Howells 2012-10-04 84 /* fs/eventpoll.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @85 #define __NR_epoll_create1 20
8a1ab3155c2ac7 David Howells 2012-10-04 86 __SYSCALL(__NR_epoll_create1, sys_epoll_create1)
8a1ab3155c2ac7 David Howells 2012-10-04 @87 #define __NR_epoll_ctl 21
8a1ab3155c2ac7 David Howells 2012-10-04 88 __SYSCALL(__NR_epoll_ctl, sys_epoll_ctl)
8a1ab3155c2ac7 David Howells 2012-10-04 @89 #define __NR_epoll_pwait 22
8a1ab3155c2ac7 David Howells 2012-10-04 90 __SC_COMP(__NR_epoll_pwait, sys_epoll_pwait, compat_sys_epoll_pwait)
8a1ab3155c2ac7 David Howells 2012-10-04 91
8a1ab3155c2ac7 David Howells 2012-10-04 92 /* fs/fcntl.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @93 #define __NR_dup 23
8a1ab3155c2ac7 David Howells 2012-10-04 94 __SYSCALL(__NR_dup, sys_dup)
8a1ab3155c2ac7 David Howells 2012-10-04 @95 #define __NR_dup3 24
8a1ab3155c2ac7 David Howells 2012-10-04 96 __SYSCALL(__NR_dup3, sys_dup3)
8a1ab3155c2ac7 David Howells 2012-10-04 97 #define __NR3264_fcntl 25
8a1ab3155c2ac7 David Howells 2012-10-04 98 __SC_COMP_3264(__NR3264_fcntl, sys_fcntl64, sys_fcntl, compat_sys_fcntl64)
8a1ab3155c2ac7 David Howells 2012-10-04 99
8a1ab3155c2ac7 David Howells 2012-10-04 100 /* fs/inotify_user.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @101 #define __NR_inotify_init1 26
8a1ab3155c2ac7 David Howells 2012-10-04 102 __SYSCALL(__NR_inotify_init1, sys_inotify_init1)
8a1ab3155c2ac7 David Howells 2012-10-04 @103 #define __NR_inotify_add_watch 27
8a1ab3155c2ac7 David Howells 2012-10-04 104 __SYSCALL(__NR_inotify_add_watch, sys_inotify_add_watch)
8a1ab3155c2ac7 David Howells 2012-10-04 @105 #define __NR_inotify_rm_watch 28
8a1ab3155c2ac7 David Howells 2012-10-04 106 __SYSCALL(__NR_inotify_rm_watch, sys_inotify_rm_watch)
8a1ab3155c2ac7 David Howells 2012-10-04 107
8a1ab3155c2ac7 David Howells 2012-10-04 108 /* fs/ioctl.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @109 #define __NR_ioctl 29
8a1ab3155c2ac7 David Howells 2012-10-04 110 __SC_COMP(__NR_ioctl, sys_ioctl, compat_sys_ioctl)
8a1ab3155c2ac7 David Howells 2012-10-04 111
8a1ab3155c2ac7 David Howells 2012-10-04 112 /* fs/ioprio.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @113 #define __NR_ioprio_set 30
8a1ab3155c2ac7 David Howells 2012-10-04 114 __SYSCALL(__NR_ioprio_set, sys_ioprio_set)
8a1ab3155c2ac7 David Howells 2012-10-04 @115 #define __NR_ioprio_get 31
8a1ab3155c2ac7 David Howells 2012-10-04 116 __SYSCALL(__NR_ioprio_get, sys_ioprio_get)
8a1ab3155c2ac7 David Howells 2012-10-04 117
8a1ab3155c2ac7 David Howells 2012-10-04 118 /* fs/locks.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @119 #define __NR_flock 32
8a1ab3155c2ac7 David Howells 2012-10-04 120 __SYSCALL(__NR_flock, sys_flock)
8a1ab3155c2ac7 David Howells 2012-10-04 121
8a1ab3155c2ac7 David Howells 2012-10-04 122 /* fs/namei.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @123 #define __NR_mknodat 33
8a1ab3155c2ac7 David Howells 2012-10-04 124 __SYSCALL(__NR_mknodat, sys_mknodat)
8a1ab3155c2ac7 David Howells 2012-10-04 @125 #define __NR_mkdirat 34
8a1ab3155c2ac7 David Howells 2012-10-04 126 __SYSCALL(__NR_mkdirat, sys_mkdirat)
8a1ab3155c2ac7 David Howells 2012-10-04 @127 #define __NR_unlinkat 35
8a1ab3155c2ac7 David Howells 2012-10-04 128 __SYSCALL(__NR_unlinkat, sys_unlinkat)
8a1ab3155c2ac7 David Howells 2012-10-04 @129 #define __NR_symlinkat 36
8a1ab3155c2ac7 David Howells 2012-10-04 130 __SYSCALL(__NR_symlinkat, sys_symlinkat)
8a1ab3155c2ac7 David Howells 2012-10-04 @131 #define __NR_linkat 37
8a1ab3155c2ac7 David Howells 2012-10-04 132 __SYSCALL(__NR_linkat, sys_linkat)
b0da6d44157aa6 James Hogan 2016-04-29 133 #ifdef __ARCH_WANT_RENAMEAT
b0da6d44157aa6 James Hogan 2016-04-29 134 /* renameat is superseded with flags by renameat2 */
8a1ab3155c2ac7 David Howells 2012-10-04 135 #define __NR_renameat 38
8a1ab3155c2ac7 David Howells 2012-10-04 136 __SYSCALL(__NR_renameat, sys_renameat)
b0da6d44157aa6 James Hogan 2016-04-29 137 #endif /* __ARCH_WANT_RENAMEAT */
8a1ab3155c2ac7 David Howells 2012-10-04 138
8a1ab3155c2ac7 David Howells 2012-10-04 139 /* fs/namespace.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @140 #define __NR_umount2 39
8a1ab3155c2ac7 David Howells 2012-10-04 141 __SYSCALL(__NR_umount2, sys_umount)
8a1ab3155c2ac7 David Howells 2012-10-04 @142 #define __NR_mount 40
028abd9222df0c Christoph Hellwig 2020-09-17 143 __SYSCALL(__NR_mount, sys_mount)
8a1ab3155c2ac7 David Howells 2012-10-04 @144 #define __NR_pivot_root 41
8a1ab3155c2ac7 David Howells 2012-10-04 145 __SYSCALL(__NR_pivot_root, sys_pivot_root)
8a1ab3155c2ac7 David Howells 2012-10-04 146
8a1ab3155c2ac7 David Howells 2012-10-04 147 /* fs/nfsctl.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @148 #define __NR_nfsservctl 42
8a1ab3155c2ac7 David Howells 2012-10-04 149 __SYSCALL(__NR_nfsservctl, sys_ni_syscall)
8a1ab3155c2ac7 David Howells 2012-10-04 150
8a1ab3155c2ac7 David Howells 2012-10-04 151 /* fs/open.c */
8a1ab3155c2ac7 David Howells 2012-10-04 152 #define __NR3264_statfs 43
8a1ab3155c2ac7 David Howells 2012-10-04 153 __SC_COMP_3264(__NR3264_statfs, sys_statfs64, sys_statfs, \
8a1ab3155c2ac7 David Howells 2012-10-04 154 compat_sys_statfs64)
8a1ab3155c2ac7 David Howells 2012-10-04 155 #define __NR3264_fstatfs 44
8a1ab3155c2ac7 David Howells 2012-10-04 156 __SC_COMP_3264(__NR3264_fstatfs, sys_fstatfs64, sys_fstatfs, \
8a1ab3155c2ac7 David Howells 2012-10-04 157 compat_sys_fstatfs64)
8a1ab3155c2ac7 David Howells 2012-10-04 158 #define __NR3264_truncate 45
8a1ab3155c2ac7 David Howells 2012-10-04 159 __SC_COMP_3264(__NR3264_truncate, sys_truncate64, sys_truncate, \
8a1ab3155c2ac7 David Howells 2012-10-04 160 compat_sys_truncate64)
8a1ab3155c2ac7 David Howells 2012-10-04 161 #define __NR3264_ftruncate 46
8a1ab3155c2ac7 David Howells 2012-10-04 162 __SC_COMP_3264(__NR3264_ftruncate, sys_ftruncate64, sys_ftruncate, \
8a1ab3155c2ac7 David Howells 2012-10-04 163 compat_sys_ftruncate64)
8a1ab3155c2ac7 David Howells 2012-10-04 164
8a1ab3155c2ac7 David Howells 2012-10-04 @165 #define __NR_fallocate 47
8a1ab3155c2ac7 David Howells 2012-10-04 166 __SC_COMP(__NR_fallocate, sys_fallocate, compat_sys_fallocate)
8a1ab3155c2ac7 David Howells 2012-10-04 @167 #define __NR_faccessat 48
8a1ab3155c2ac7 David Howells 2012-10-04 168 __SYSCALL(__NR_faccessat, sys_faccessat)
8a1ab3155c2ac7 David Howells 2012-10-04 @169 #define __NR_chdir 49
8a1ab3155c2ac7 David Howells 2012-10-04 170 __SYSCALL(__NR_chdir, sys_chdir)
8a1ab3155c2ac7 David Howells 2012-10-04 @171 #define __NR_fchdir 50
8a1ab3155c2ac7 David Howells 2012-10-04 172 __SYSCALL(__NR_fchdir, sys_fchdir)
8a1ab3155c2ac7 David Howells 2012-10-04 @173 #define __NR_chroot 51
8a1ab3155c2ac7 David Howells 2012-10-04 174 __SYSCALL(__NR_chroot, sys_chroot)
8a1ab3155c2ac7 David Howells 2012-10-04 @175 #define __NR_fchmod 52
8a1ab3155c2ac7 David Howells 2012-10-04 176 __SYSCALL(__NR_fchmod, sys_fchmod)
8a1ab3155c2ac7 David Howells 2012-10-04 @177 #define __NR_fchmodat 53
8a1ab3155c2ac7 David Howells 2012-10-04 178 __SYSCALL(__NR_fchmodat, sys_fchmodat)
8a1ab3155c2ac7 David Howells 2012-10-04 @179 #define __NR_fchownat 54
8a1ab3155c2ac7 David Howells 2012-10-04 180 __SYSCALL(__NR_fchownat, sys_fchownat)
8a1ab3155c2ac7 David Howells 2012-10-04 @181 #define __NR_fchown 55
8a1ab3155c2ac7 David Howells 2012-10-04 182 __SYSCALL(__NR_fchown, sys_fchown)
8a1ab3155c2ac7 David Howells 2012-10-04 @183 #define __NR_openat 56
0d0216c03a7a14 Yury Norov 2018-05-16 184 __SYSCALL(__NR_openat, sys_openat)
8a1ab3155c2ac7 David Howells 2012-10-04 @185 #define __NR_close 57
8a1ab3155c2ac7 David Howells 2012-10-04 186 __SYSCALL(__NR_close, sys_close)
8a1ab3155c2ac7 David Howells 2012-10-04 @187 #define __NR_vhangup 58
8a1ab3155c2ac7 David Howells 2012-10-04 188 __SYSCALL(__NR_vhangup, sys_vhangup)
8a1ab3155c2ac7 David Howells 2012-10-04 189
8a1ab3155c2ac7 David Howells 2012-10-04 190 /* fs/pipe.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @191 #define __NR_pipe2 59
8a1ab3155c2ac7 David Howells 2012-10-04 192 __SYSCALL(__NR_pipe2, sys_pipe2)
8a1ab3155c2ac7 David Howells 2012-10-04 193
8a1ab3155c2ac7 David Howells 2012-10-04 194 /* fs/quota.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @195 #define __NR_quotactl 60
8a1ab3155c2ac7 David Howells 2012-10-04 196 __SYSCALL(__NR_quotactl, sys_quotactl)
8a1ab3155c2ac7 David Howells 2012-10-04 197
8a1ab3155c2ac7 David Howells 2012-10-04 198 /* fs/readdir.c */
8a1ab3155c2ac7 David Howells 2012-10-04 @199 #define __NR_getdents64 61
2611dc19395697 Al Viro 2017-04-08 200 __SYSCALL(__NR_getdents64, sys_getdents64)
8a1ab3155c2ac7 David Howells 2012-10-04 201
8a1ab3155c2ac7 David Howells 2012-10-04 202 /* fs/read_write.c */
8a1ab3155c2ac7 David Howells 2012-10-04 203 #define __NR3264_lseek 62
8a1ab3155c2ac7 David Howells 2012-10-04 204 __SC_3264(__NR3264_lseek, sys_llseek, sys_lseek)
8a1ab3155c2ac7 David Howells 2012-10-04 @205 #define __NR_read 63
8a1ab3155c2ac7 David Howells 2012-10-04 206 __SYSCALL(__NR_read, sys_read)
8a1ab3155c2ac7 David Howells 2012-10-04 @207 #define __NR_write 64
8a1ab3155c2ac7 David Howells 2012-10-04 208 __SYSCALL(__NR_write, sys_write)
8a1ab3155c2ac7 David Howells 2012-10-04 @209 #define __NR_readv 65
5f764d624a89d4 Christoph Hellwig 2020-09-25 210 __SC_COMP(__NR_readv, sys_readv, sys_readv)
8a1ab3155c2ac7 David Howells 2012-10-04 @211 #define __NR_writev 66
5f764d624a89d4 Christoph Hellwig 2020-09-25 212 __SC_COMP(__NR_writev, sys_writev, sys_writev)
8a1ab3155c2ac7 David Howells 2012-10-04 @213 #define __NR_pread64 67
8a1ab3155c2ac7 David Howells 2012-10-04 214 __SC_COMP(__NR_pread64, sys_pread64, compat_sys_pread64)
8a1ab3155c2ac7 David Howells 2012-10-04 @215 #define __NR_pwrite64 68
8a1ab3155c2ac7 David Howells 2012-10-04 216 __SC_COMP(__NR_pwrite64, sys_pwrite64, compat_sys_pwrite64)
8a1ab3155c2ac7 David Howells 2012-10-04 @217 #define __NR_preadv 69
8a1ab3155c2ac7 David Howells 2012-10-04 218 __SC_COMP(__NR_preadv, sys_preadv, compat_sys_preadv)
8a1ab3155c2ac7 David Howells 2012-10-04 @219 #define __NR_pwritev 70
8a1ab3155c2ac7 David Howells 2012-10-04 220 __SC_COMP(__NR_pwritev, sys_pwritev, compat_sys_pwritev)
8a1ab3155c2ac7 David Howells 2012-10-04 221
8a1ab3155c2ac7 David Howells 2012-10-04 222 /* fs/sendfile.c */
8a1ab3155c2ac7 David Howells 2012-10-04 223 #define __NR3264_sendfile 71
8a1ab3155c2ac7 David Howells 2012-10-04 224 __SYSCALL(__NR3264_sendfile, sys_sendfile64)
8a1ab3155c2ac7 David Howells 2012-10-04 225
8a1ab3155c2ac7 David Howells 2012-10-04 226 /* fs/select.c */
c8ce48f06503ee Arnd Bergmann 2019-02-18 227 #if defined(__ARCH_WANT_TIME32_SYSCALLS) || __BITS_PER_LONG != 32
8a1ab3155c2ac7 David Howells 2012-10-04 @228 #define __NR_pselect6 72
00bf25d693e7f6 Arnd Bergmann 2019-01-01 229 __SC_COMP_3264(__NR_pselect6, sys_pselect6_time32, sys_pselect6, compat_sys_pselect6_time32)
8a1ab3155c2ac7 David Howells 2012-10-04 @230 #define __NR_ppoll 73
00bf25d693e7f6 Arnd Bergmann 2019-01-01 231 __SC_COMP_3264(__NR_ppoll, sys_ppoll_time32, sys_ppoll, compat_sys_ppoll_time32)
c8ce48f06503ee Arnd Bergmann 2019-02-18 232 #endif
8a1ab3155c2ac7 David Howells 2012-10-04 233
--
0-DAY CI Kernel Test Service
https://01.org/lkp
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-03-29 1:48 UTC (permalink / raw)
To: rth, ink, mattst88, paul
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit
In-Reply-To: <202203270449.WBYQF9X3-lkp@intel.com>
On Sun, Mar 27, 2022 at 04:55:01AM +0800, kernel test robot wrote:
> Hi,
>
> Thank you for the patch! Yet something to improve:
>
> [auto build test ERROR on pcmoore-audit/next]
> [also build test ERROR on v5.17 next-20220325]
> [If your patch is applied to the wrong git tree, kindly drop us a note.
> And when submitting patch, we suggest to use '--base' as documented in
> https://git-scm.com/docs/git-format-patch]
>
> url: https://github.com/intel-lab-lkp/linux/commits/cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220326-174904
> base: https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
> config: alpha-allyesconfig (https://download.01.org/0day-ci/archive/20220327/202203270449.WBYQF9X3-lkp@intel.com/config)
> compiler: alpha-linux-gcc (GCC) 11.2.0
> reproduce (this is a W=1 build):
> wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
> chmod +x ~/bin/make.cross
> # https://github.com/intel-lab-lkp/linux/commit/052b1a11a0bec23358ecc22ad9b085590efd3057
> git remote add linux-review https://github.com/intel-lab-lkp/linux
> git fetch --no-tags linux-review cgel-zte-gmail-com/audit-do-a-quick-exit-when-syscall-number-is-invalid/20220326-174904
> git checkout 052b1a11a0bec23358ecc22ad9b085590efd3057
> # save the config file to linux build tree
> mkdir build_dir
> COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=alpha SHELL=/bin/bash
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
>
> All errors (new ones prefixed by >>):
>
> In file included from include/linux/init.h:5,
> from kernel/auditsc.c:34:
> kernel/auditsc.c: In function '__audit_syscall_exit':
> >> kernel/auditsc.c:2081:61: error: 'NR_syscalls' undeclared (first use in this function); did you mean 'si_syscall'?
> 2081 | unlikely(context->major < 0 || context->major > NR_syscalls))
> | ^~~~~~~~~~~
Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
I have no alpha environment and not familiar to this arch, much thanks!
> include/linux/compiler.h:78:45: note: in definition of macro 'unlikely'
> 78 | # define unlikely(x) __builtin_expect(!!(x), 0)
> | ^
> kernel/auditsc.c:2081:61: note: each undeclared identifier is reported only once for each function it appears in
> 2081 | unlikely(context->major < 0 || context->major > NR_syscalls))
> | ^~~~~~~~~~~
> include/linux/compiler.h:78:45: note: in definition of macro 'unlikely'
> 78 | # define unlikely(x) __builtin_expect(!!(x), 0)
> | ^
>
>
> vim +2081 kernel/auditsc.c
>
> 2063
> 2064 /**
> 2065 * __audit_syscall_exit - deallocate audit context after a system call
> 2066 * @success: success value of the syscall
> 2067 * @return_code: return value of the syscall
> 2068 *
> 2069 * Tear down after system call. If the audit context has been marked as
> 2070 * auditable (either because of the AUDIT_STATE_RECORD state from
> 2071 * filtering, or because some other part of the kernel wrote an audit
> 2072 * message), then write out the syscall information. In call cases,
> 2073 * free the names stored from getname().
> 2074 */
> 2075 void __audit_syscall_exit(int success, long return_code)
> 2076 {
> 2077 struct audit_context *context = audit_context();
> 2078
> 2079 if (!context || context->dummy ||
> 2080 context->context != AUDIT_CTX_SYSCALL ||
> > 2081 unlikely(context->major < 0 || context->major > NR_syscalls))
> 2082 goto out;
> 2083
> 2084 /* this may generate CONFIG_CHANGE records */
> 2085 if (!list_empty(&context->killed_trees))
> 2086 audit_kill_trees(context);
> 2087
> 2088 /* run through both filters to ensure we set the filterkey properly */
> 2089 audit_filter_syscall(current, context);
> 2090 audit_filter_inodes(current, context);
> 2091 if (context->current_state < AUDIT_STATE_RECORD)
> 2092 goto out;
> 2093
> 2094 audit_return_fixup(context, success, return_code);
> 2095 audit_log_exit();
> 2096
> 2097 out:
> 2098 audit_reset_context(context);
> 2099 }
> 2100
>
> --
> 0-DAY CI Kernel Test Service
> https://01.org/lkp
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Enzo Matsumiya @ 2022-03-29 2:19 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <62426553.1c69fb81.bb808.345c@mx.google.com>
On 03/29, CGEL wrote:
>> In file included from include/linux/init.h:5,
>> from kernel/auditsc.c:34:
>> kernel/auditsc.c: In function '__audit_syscall_exit':
>> >> kernel/auditsc.c:2081:61: error: 'NR_syscalls' undeclared (first use in this function); did you mean 'si_syscall'?
>> 2081 | unlikely(context->major < 0 || context->major > NR_syscalls))
>> | ^~~~~~~~~~~
>
>Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
>I have no alpha environment and not familiar to this arch, much thanks!
Sorry, no experience either, but from a quick look at arch/alpha/include/asm/unistd.h
shows that it's called NR_SYSCALLS for alpha arch, for whatever reason.
HTH
Enzo
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-03-29 3:06 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <62426553.1c69fb81.bb808.345c@mx.google.com>
On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> I have no alpha environment and not familiar to this arch, much thanks!
Regardless of if this is fixed, I'm not convinced this is something we
want to merge. After all, a process executed a syscall and we should
process it like any other; just because it happens to be an
unrecognized syscall on a particular kernel build doesn't mean it
isn't security relevant (probing for specific syscall numbers may be a
useful attack fingerprint).
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-03-29 3:22 UTC (permalink / raw)
To: Paul Moore
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <CAHC9VhRNuoPH6AySUbe6h2D6kghhezyVQtTAvm-t-fTpXH6XwQ@mail.gmail.com>
On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> > I have no alpha environment and not familiar to this arch, much thanks!
>
> Regardless of if this is fixed, I'm not convinced this is something we
> want to merge. After all, a process executed a syscall and we should
> process it like any other; just because it happens to be an
> unrecognized syscall on a particular kernel build doesn't mean it
> isn't security relevant (probing for specific syscall numbers may be a
> useful attack fingerprint).
>
Thanks for your reply.
But syscall number less than 0 is even invalid for auditctl. So we
will never hit this kind of audit rule. And invalid syscall number
will always cause failure early in syscall handle.
sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
Syscall name unknown: -1
> --
> paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-03-29 13:11 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <62427b5c.1c69fb81.fc2a7.d1af@mx.google.com>
On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel.zte@gmail.com> wrote:
> On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> > > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> > > I have no alpha environment and not familiar to this arch, much thanks!
> >
> > Regardless of if this is fixed, I'm not convinced this is something we
> > want to merge. After all, a process executed a syscall and we should
> > process it like any other; just because it happens to be an
> > unrecognized syscall on a particular kernel build doesn't mean it
> > isn't security relevant (probing for specific syscall numbers may be a
> > useful attack fingerprint).
>
> Thanks for your reply.
>
> But syscall number less than 0 is even invalid for auditctl. So we
> will never hit this kind of audit rule. And invalid syscall number
> will always cause failure early in syscall handle.
>
> sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
> Syscall name unknown: -1
You can add an audit filter without explicitly specifying a syscall:
% auditctl -a exit,always -F auid=1000
% auditctl -l
-a always,exit -S all -F auid=1000
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* audit-3.0.8 released
From: Steve Grubb @ 2022-03-29 21:55 UTC (permalink / raw)
To: Linux Audit
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Add gcc function attributes for access and allocation
- Add some more man pages (MIZUTA Takeshi)
- In auditd, change the reinitializing of the plugin queue
- Fix path normalization in auparse (Sergio Correia)
- In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo
Matsumiya)
- In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
- Drop ProtectHome from auditd.service as it interferes with rules
The main driver for this release is that there are a number of bugs that have
been discovered recently. Some of these have been there for a while such as
the ProtectHome systemd option. The big take away is anyone adding lots of
systemd hardening options might have some very hard to debug problems.
There was a problem with the plugin queue where a certain combination of
adding/removing plugins with the queue overflowing caused the queue to not
restart like it should.
The path normalization issue was causing path's not to be returned when
interpreted.
SHA256: b5f4d9b9ad69381ee18f33d3d918326aa52861509c901143f8a8c4ed5caa8913
Please let me know if you run across any problems with this release.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-03-30 5:59 UTC (permalink / raw)
To: Paul Moore
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <CAHC9VhTLTQmHaka9tTyuu=rQOzpsn_K2NxfJ==7-6FSY3KnuFg@mail.gmail.com>
On Tue, Mar 29, 2022 at 09:11:19AM -0400, Paul Moore wrote:
> On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel.zte@gmail.com> wrote:
> > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> > > > I have no alpha environment and not familiar to this arch, much thanks!
> > >
> > > Regardless of if this is fixed, I'm not convinced this is something we
> > > want to merge. After all, a process executed a syscall and we should
> > > process it like any other; just because it happens to be an
> > > unrecognized syscall on a particular kernel build doesn't mean it
> > > isn't security relevant (probing for specific syscall numbers may be a
> > > useful attack fingerprint).
> >
> > Thanks for your reply.
> >
> > But syscall number less than 0 is even invalid for auditctl. So we
> > will never hit this kind of audit rule. And invalid syscall number
> > will always cause failure early in syscall handle.
> >
> > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
> > Syscall name unknown: -1
>
> You can add an audit filter without explicitly specifying a syscall:
>
> % auditctl -a exit,always -F auid=1000
> % auditctl -l
> -a always,exit -S all -F auid=1000
>
I have tried this, and execute program which call syscall number is -1,
audit still didn't record it. It supports that there's no need for audit
to handle syscall number less than 0.
sh-4.2# auditctl -a exit,always
sh-4.2# auditctl -l
-a always,exit -S all
> --
> paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-03-30 14:48 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, Yang Yang,
linux-audit, ink, mattst88, rth
In-Reply-To: <6243f1d7.1c69fb81.b19c7.7ec1@mx.google.com>
On Wed, Mar 30, 2022 at 1:59 AM CGEL <cgel.zte@gmail.com> wrote:
> On Tue, Mar 29, 2022 at 09:11:19AM -0400, Paul Moore wrote:
> > On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel.zte@gmail.com> wrote:
> > > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> > > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> > > > > I have no alpha environment and not familiar to this arch, much thanks!
> > > >
> > > > Regardless of if this is fixed, I'm not convinced this is something we
> > > > want to merge. After all, a process executed a syscall and we should
> > > > process it like any other; just because it happens to be an
> > > > unrecognized syscall on a particular kernel build doesn't mean it
> > > > isn't security relevant (probing for specific syscall numbers may be a
> > > > useful attack fingerprint).
> > >
> > > Thanks for your reply.
> > >
> > > But syscall number less than 0 is even invalid for auditctl. So we
> > > will never hit this kind of audit rule. And invalid syscall number
> > > will always cause failure early in syscall handle.
> > >
> > > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
> > > Syscall name unknown: -1
> >
> > You can add an audit filter without explicitly specifying a syscall:
> >
> > % auditctl -a exit,always -F auid=1000
> > % auditctl -l
> > -a always,exit -S all -F auid=1000
> >
> I have tried this, and execute program which call syscall number is -1,
> audit still didn't record it. It supports that there's no need for audit
> to handle syscall number less than 0.
>
> sh-4.2# auditctl -a exit,always
> sh-4.2# auditctl -l
> -a always,exit -S all
If audit is not generating SYSCALL records, even for invalid/ENOSYS
syscalls, I would consider that a bug which should be fixed.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-03-31 2:29 UTC (permalink / raw)
To: Paul Moore
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88,
rth
In-Reply-To: <CAHC9VhTxACMG=V_J1OYy_7VjM3LjuNJcwJSf6om1eO8esCDAbg@mail.gmail.com>
On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> On Wed, Mar 30, 2022 at 1:59 AM CGEL <cgel.zte@gmail.com> wrote:
> > On Tue, Mar 29, 2022 at 09:11:19AM -0400, Paul Moore wrote:
> > > On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> > > > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64.
> > > > > > I have no alpha environment and not familiar to this arch, much thanks!
> > > > >
> > > > > Regardless of if this is fixed, I'm not convinced this is something we
> > > > > want to merge. After all, a process executed a syscall and we should
> > > > > process it like any other; just because it happens to be an
> > > > > unrecognized syscall on a particular kernel build doesn't mean it
> > > > > isn't security relevant (probing for specific syscall numbers may be a
> > > > > useful attack fingerprint).
> > > >
> > > > Thanks for your reply.
> > > >
> > > > But syscall number less than 0 is even invalid for auditctl. So we
> > > > will never hit this kind of audit rule. And invalid syscall number
> > > > will always cause failure early in syscall handle.
> > > >
> > > > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
> > > > Syscall name unknown: -1
> > >
> > > You can add an audit filter without explicitly specifying a syscall:
> > >
> > > % auditctl -a exit,always -F auid=1000
> > > % auditctl -l
> > > -a always,exit -S all -F auid=1000
> > >
> > I have tried this, and execute program which call syscall number is -1,
> > audit still didn't record it. It supports that there's no need for audit
> > to handle syscall number less than 0.
> >
> > sh-4.2# auditctl -a exit,always
> > sh-4.2# auditctl -l
> > -a always,exit -S all
>
> If audit is not generating SYSCALL records, even for invalid/ENOSYS
> syscalls, I would consider that a bug which should be fixed.
>
If we fix this bug, do you think audit invalid/ENOSYS syscalls better
be forcible or be a rule that can be configure? I think configure is
better.
> --
> paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-03-31 14:16 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88,
rth
In-Reply-To: <6245121e.1c69fb81.ea0ab.0c2e@mx.google.com>
On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> >
> > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > syscalls, I would consider that a bug which should be fixed.
>
> If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> be forcible or be a rule that can be configure? I think configure is
> better.
It isn't clear to me exactly what you are asking, but I would expect
the existing audit syscall filtering mechanism to work regardless if
the syscall is valid or not. Beware that there are some limitations
to the audit syscall filter, which are unfortunately baked into the
current design/implementation, which may affect this to some extent.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-04-01 1:57 UTC (permalink / raw)
To: Paul Moore
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88,
rth
In-Reply-To: <CAHC9VhTaCNqfTOi8X5G3AheBFzTYCzGnt_-=fNFc5Z1o8gPm9Q@mail.gmail.com>
On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > >
> > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > syscalls, I would consider that a bug which should be fixed.
> >
> > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > be forcible or be a rule that can be configure? I think configure is
> > better.
>
> It isn't clear to me exactly what you are asking, but I would expect
> the existing audit syscall filtering mechanism to work regardless if
> the syscall is valid or not.
Thanks, I try to make it more clear. We found that auditctl would only
set rule with syscall number (>=0 && <2047). So if userspace using
syscall whose number is (<0 || >=2047), there seems no meaning for
kernel audit to handle it, since this kind of syscall will never hit
any audit rule(this rule could not be set by auditctl).
By the way it's a little strange for auditctl(using libaudit.c) to limit
syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially
we know NR_syscalls is the real limit in kernel, you can see how other
kernel code to the similar thing in ftrace_syscall_enter():
static void ftrace_syscall_enter(void *data, struct pt_regs
*regs, long id)
{
...
syscall_nr = trace_get_syscall_nr(current, regs);
if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
return;
...
}
Thanks.
> Beware that there are some limitations
> to the audit syscall filter, which are unfortunately baked into the
> current design/implementation, which may affect this to some extent.
>
> --
> paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Steve Grubb @ 2022-04-01 13:39 UTC (permalink / raw)
To: Paul Moore, linux-audit, CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <62465bf3.1c69fb81.d5424.365e@mx.google.com>
On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > syscalls, I would consider that a bug which should be fixed.
> > >
> > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > be forcible or be a rule that can be configure? I think configure is
> > > better.
> >
> > It isn't clear to me exactly what you are asking, but I would expect
> > the existing audit syscall filtering mechanism to work regardless if
> > the syscall is valid or not.
>
> Thanks, I try to make it more clear. We found that auditctl would only
> set rule with syscall number (>=0 && <2047). So if userspace using
> syscall whose number is (<0 || >=2047), there seems no meaning for
> kernel audit to handle it, since this kind of syscall will never hit
> any audit rule(this rule could not be set by auditctl).
This limit is imposed by:
/usr/include/linux/audit.h
struct audit_rule_data {
...
__u32 mask[AUDIT_BITMASK_SIZE]; /* syscall(s) affected */
Where #define AUDIT_BITMASK_SIZE 64
So, 64 * 32 = 2048
-Steve
> By the way it's a little strange for auditctl(using libaudit.c) to limit
> syscall number (>=0 && <2047)(see audit_rule_syscall_data()), especially
> we know NR_syscalls is the real limit in kernel, you can see how other
> kernel code to the similar thing in ftrace_syscall_enter():
>
> static void ftrace_syscall_enter(void *data, struct pt_regs
> *regs, long id)
> {
> ...
> syscall_nr = trace_get_syscall_nr(current, regs);
> if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
> return;
> ...
> }
>
> Thanks.
>
> > Beware that there are some limitations
> > to the audit syscall filter, which are unfortunately baked into the
> > current design/implementation, which may affect this to some extent.
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-04-01 14:16 UTC (permalink / raw)
To: Steve Grubb
Cc: kbuild-all, CGEL, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <2777189.mvXUDI8C0e@x2>
On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
>
> On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > syscalls, I would consider that a bug which should be fixed.
> > > >
> > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > be forcible or be a rule that can be configure? I think configure is
> > > > better.
> > >
> > > It isn't clear to me exactly what you are asking, but I would expect
> > > the existing audit syscall filtering mechanism to work regardless if
> > > the syscall is valid or not.
> >
> > Thanks, I try to make it more clear. We found that auditctl would only
> > set rule with syscall number (>=0 && <2047) ...
That is exactly why I wrote the warning below in my response ...
> > > Beware that there are some limitations
> > > to the audit syscall filter, which are unfortunately baked into the
> > > current design/implementation, which may affect this to some extent.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Paul Moore @ 2022-04-02 15:07 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <624803f7.1c69fb81.972da.2dd0@mx.google.com>
On Sat, Apr 2, 2022 at 4:06 AM CGEL <cgel.zte@gmail.com> wrote:
> On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > >
> > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > >
> > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > better.
> > > > >
> > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > the syscall is valid or not.
> > > >
> > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > set rule with syscall number (>=0 && <2047) ...
> >
> > That is exactly why I wrote the warning below in my response ...
> >
> I think the question is more clear now.
>
> 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> syscall with number 3000 are both invalid syscall. But 2000 can be set by
> auditctl, and 3000 cannot be set by auditctl.
> A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
>
> 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> See this patch.
>
> If we want audit invalid syscall as you said before. libaudit.c should not
> do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> So do you think we should fix libaudit.c?
I'm really not very clear on what you are proposing, but we can't
change the kernel/userspace API in any way which would break
compatibility with old/existing userspace tools.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-04-02 8:06 UTC (permalink / raw)
To: Paul Moore
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <CAHC9VhRYHhHPx42BKa0gp974uzwHoXZWqmwt9o=1rox7tHyy1w@mail.gmail.com>
On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> >
> > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > >
> > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > better.
> > > >
> > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > the existing audit syscall filtering mechanism to work regardless if
> > > > the syscall is valid or not.
> > >
> > > Thanks, I try to make it more clear. We found that auditctl would only
> > > set rule with syscall number (>=0 && <2047) ...
>
> That is exactly why I wrote the warning below in my response ...
>
I think the question is more clear now.
1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
syscall with number 3000 are both invalid syscall. But 2000 can be set by
auditctl, and 3000 cannot be set by auditctl.
A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
See this patch.
If we want audit invalid syscall as you said before. libaudit.c should not
do the forbidden, auditctl should allow setting syscall rule with 'any' number.
So do you think we should fix libaudit.c?
> > > > Beware that there are some limitations
> > > > to the audit syscall filter, which are unfortunately baked into the
> > > > current design/implementation, which may affect this to some extent.
>
> --
> paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH v2] audit: do a quick exit when syscall number is less than 0
From: Paul Moore @ 2022-04-04 13:12 UTC (permalink / raw)
To: cgel.zte
Cc: Zeal Robot, linux-kernel, eparis, Yang Yang, linux-audit, ink,
mattst88, rth
In-Reply-To: <20220404022317.2449865-1-yang.yang29@zte.com.cn>
On Sun, Apr 3, 2022 at 10:23 PM <cgel.zte@gmail.com> wrote:
>
> From: Yang Yang <yang.yang29@zte.com.cn>
>
> Userspace may use syscall with syscall number less than 0 by calling
> syscall(syscall_num,..). This kind of syscall could never be audited,
> because auditctl requires rule with syscall number >=0. Therefore we
> better do a quick handle no need to gohead with this situation.
>
> Note that auditctl may set rules auditing invalid syscall with syscall
> number bigger than NR_syscalls, to keep this mechanism working, we do
> no more check(context->major bigger than NR_syscalls or not).
>
> Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
> Reported-by: Zeal Robot <zealci@zte.com.cn>
> ---
> v2:
> - cancel checking against NR_syscalls
> ---
> kernel/auditsc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
As discussed previously, this is not something I want to merge
upstream at this time.
--
paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* [PATCH v2] audit: do a quick exit when syscall number is less than 0
From: cgel.zte @ 2022-04-04 2:23 UTC (permalink / raw)
To: paul, eparis, linux-audit, rth, sgrubb
Cc: Yang Yang, mattst88, Zeal Robot, ink, linux-kernel
[-- Attachment #1: Type: application/octet-stream, Size: 1244 bytes --]
From: Yang Yang <yang.yang29@zte.com.cn>
Userspace may use syscall with syscall number less than 0 by calling
syscall(syscall_num,..). This kind of syscall could never be audited,
because auditctl requires rule with syscall number >=0. Therefore we
better do a quick handle no need to gohead with this situation.
Note that auditctl may set rules auditing invalid syscall with syscall
number bigger than NR_syscalls, to keep this mechanism working, we do
no more check(context->major bigger than NR_syscalls or not).
Signed-off-by: Yang Yang <yang.yang29@zte.com.cn>
Reported-by: Zeal Robot <zealci@zte.com.cn>
---
v2:
- cancel checking against NR_syscalls
---
kernel/auditsc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..79118c811853 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2077,7 +2077,8 @@ void __audit_syscall_exit(int success, long return_code)
struct audit_context *context = audit_context();
if (!context || context->dummy ||
- context->context != AUDIT_CTX_SYSCALL)
+ context->context != AUDIT_CTX_SYSCALL ||
+ unlikely(context->major < 0))
goto out;
/* this may generate CONFIG_CHANGE records */
--
2.25.1
[-- Attachment #2: Type: text/plain, Size: 107 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply related
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Richard Guy Briggs @ 2022-04-04 15:58 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <624803f7.1c69fb81.972da.2dd0@mx.google.com>
On 2022-04-02 08:06, CGEL wrote:
> On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > >
> > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > better.
> > > > >
> > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > the syscall is valid or not.
> > > >
> > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > set rule with syscall number (>=0 && <2047) ...
> >
> > That is exactly why I wrote the warning below in my response ...
> >
> I think the question is more clear now.
>
> 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> syscall with number 3000 are both invalid syscall. But 2000 can be set by
> auditctl, and 3000 cannot be set by auditctl.
> A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
>
> 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> See this patch.
>
> If we want audit invalid syscall as you said before. libaudit.c should not
> do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> So do you think we should fix libaudit.c?
I'm having a bit of trouble understanding what you've said above.
The kernel ultimately must protect itself from malice and mistakes, so
it must verify all data sent to it.
Userspace can help by knowing what that kernel policy is so it can avoid
violating that policy or provide useful feedback if it can't. Userspace
can be used to make things more efficient, but the kernel is the last
step for security.
If userspace and the kernel are mismatched or out of sync, then the
kernel enforces policy to protect itself.
> > > > > Beware that there are some limitations
> > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > current design/implementation, which may affect this to some extent.
> >
> > --
> > paul-moore.com
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: CGEL @ 2022-04-06 1:19 UTC (permalink / raw)
To: Richard Guy Briggs
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <YksVuhfv8weLCxX/@madcap2.tricolour.ca>
On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> On 2022-04-02 08:06, CGEL wrote:
> > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > > >
> > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > > better.
> > > > > >
> > > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > > the syscall is valid or not.
> > > > >
> > > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > > set rule with syscall number (>=0 && <2047) ...
> > >
> > > That is exactly why I wrote the warning below in my response ...
> > >
> > I think the question is more clear now.
> >
> > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> > syscall with number 3000 are both invalid syscall. But 2000 can be set by
> > auditctl, and 3000 cannot be set by auditctl.
> > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
> >
> > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> > See this patch.
> >
> > If we want audit invalid syscall as you said before. libaudit.c should not
> > do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> > So do you think we should fix libaudit.c?
>
> I'm having a bit of trouble understanding what you've said above.
>
> The kernel ultimately must protect itself from malice and mistakes, so
> it must verify all data sent to it.
>
> Userspace can help by knowing what that kernel policy is so it can avoid
> violating that policy or provide useful feedback if it can't. Userspace
> can be used to make things more efficient, but the kernel is the last
> step for security.
>
> If userspace and the kernel are mismatched or out of sync, then the
> kernel enforces policy to protect itself.
>
Much appreciate for your interpretation. Have you get any idea of how
to solve the mismatched? From your viewpoint, I think it's better for
kernel to not handle syscall of syscall number<0, because it's invaild
of all arch, and has no value for attacker to probing for specific
syscall numbers.
> > > > > > Beware that there are some limitations
> > > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > > current design/implementation, which may affect this to some extent.
> > >
> > > --
> > > paul-moore.com
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
* Re: [PATCH] audit: do a quick exit when syscall number is invalid
From: Richard Guy Briggs @ 2022-04-06 16:49 UTC (permalink / raw)
To: CGEL
Cc: kbuild-all, Zeal Robot, linux-kernel, eparis, dai.shixin,
Yang Yang, linux-audit, ink, huang.junhua, guo.xiaofeng, mattst88
In-Reply-To: <624cea8e.1c69fb81.422be.e03b@mx.google.com>
On 2022-04-06 01:19, CGEL wrote:
> On Mon, Apr 04, 2022 at 11:58:50AM -0400, Richard Guy Briggs wrote:
> > On 2022-04-02 08:06, CGEL wrote:
> > > On Fri, Apr 01, 2022 at 10:16:45AM -0400, Paul Moore wrote:
> > > > On Fri, Apr 1, 2022 at 9:39 AM Steve Grubb <sgrubb@redhat.com> wrote:
> > > > > On Thursday, March 31, 2022 9:57:05 PM EDT CGEL wrote:
> > > > > > On Thu, Mar 31, 2022 at 10:16:23AM -0400, Paul Moore wrote:
> > > > > > > On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@gmail.com> wrote:
> > > > > > > > On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> > > > > > > > > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > > > > > > > > syscalls, I would consider that a bug which should be fixed.
> > > > > > > >
> > > > > > > > If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> > > > > > > > be forcible or be a rule that can be configure? I think configure is
> > > > > > > > better.
> > > > > > >
> > > > > > > It isn't clear to me exactly what you are asking, but I would expect
> > > > > > > the existing audit syscall filtering mechanism to work regardless if
> > > > > > > the syscall is valid or not.
> > > > > >
> > > > > > Thanks, I try to make it more clear. We found that auditctl would only
> > > > > > set rule with syscall number (>=0 && <2047) ...
> > > >
> > > > That is exactly why I wrote the warning below in my response ...
> > > >
> > > I think the question is more clear now.
> > >
> > > 1) libaudit.c wants to forbid setting invalid syscall, but inconsistent
> > > Currently way(>=0 && <2047) is inconsistent, syscall with number 2000 and
> > > syscall with number 3000 are both invalid syscall. But 2000 can be set by
> > > auditctl, and 3000 cannot be set by auditctl.
> > > A better way to do this forbidden is to use __NR_syscalls(asm-generic/unistd.h).
> > >
> > > 2) if libaudit.c do the right forbidden, kernel better ignore invalid syscall
> > > See this patch.
> > >
> > > If we want audit invalid syscall as you said before. libaudit.c should not
> > > do the forbidden, auditctl should allow setting syscall rule with 'any' number.
> > > So do you think we should fix libaudit.c?
> >
> > I'm having a bit of trouble understanding what you've said above.
> >
> > The kernel ultimately must protect itself from malice and mistakes, so
> > it must verify all data sent to it.
> >
> > Userspace can help by knowing what that kernel policy is so it can avoid
> > violating that policy or provide useful feedback if it can't. Userspace
> > can be used to make things more efficient, but the kernel is the last
> > step for security.
> >
> > If userspace and the kernel are mismatched or out of sync, then the
> > kernel enforces policy to protect itself.
>
> Much appreciate for your interpretation. Have you get any idea of how
> to solve the mismatched? From your viewpoint, I think it's better for
> kernel to not handle syscall of syscall number<0, because it's invaild
> of all arch, and has no value for attacker to probing for specific
> syscall numbers.
Going back to the very first quoted line above, if you can generate a
test case that shows that audit is missing an auditable event, that is a
bug that should be fixed.
> > > > > > > to the audit syscall filter, which are unfortunately baked into the
> > > > > > > current design/implementation, which may affect this to some extent.
> > > >
> > > > --
> > > > paul-moore.com
> >
> > - RGB
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox