From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Andy Lutomirski <luto@amacapital.net>,
Eric Paris <eparis@redhat.com>, "H. J. Lu" <hjl.tools@gmail.com>,
"security@kernel.org" <security@kernel.org>,
Philipp Kern <pkern@google.com>,
Greg Kroah-Hartman <greg@kroah.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"H. Peter Anvin" <hpa@linux.intel.com>
Subject: Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
Date: Thu, 29 May 2014 09:05:12 -0400 [thread overview]
Message-ID: <127406715.ZrfKfg88o4@x2> (raw)
In-Reply-To: <CALCETrWr+_fo=q+LBT-WLJGXLWK6vEeFa=KC=LSMYehi=c-r4A@mail.gmail.com>
On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
> >> - It assumes that syscall numbers are between 0 and 2048.
> >>
> > There could well be a bug here. Not questioning that. Although that
> > would be patch 1/2
>
> Even with patch 1, it still doesn't handle large syscall numbers -- it
> just assumes they're not audited.
All syscalls must be auditable. Meaning that if an arch goes above 2048, then
we'll need to do some math to get it to fall back within the range.
> >> - It's unclear whether it's supposed to be reliable.
> >>
> > Unclear to whom?
>
> To me.
>
> If some inode access or selinux rule triggers an audit, is the auditsc
> code guaranteed to write an exit record? And see below...
It should or indicate that it could not.
-Steve
next prev parent reply other threads:[~2014-05-29 13:05 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-29 1:43 [PATCH v2 0/2] Fix auditsc DoS and mark it BROKEN Andy Lutomirski
2014-05-29 1:44 ` [PATCH v2 1/2] auditsc: audit_krule mask accesses need bounds checking Andy Lutomirski
2014-05-29 2:23 ` Eric Paris
2014-05-29 2:27 ` Andy Lutomirski
2014-05-29 2:43 ` Eric Paris
2014-05-29 2:46 ` Andy Lutomirski
2014-05-29 1:44 ` [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text Andy Lutomirski
2014-05-29 2:09 ` Eric Paris
2014-05-29 2:40 ` Andy Lutomirski
2014-05-29 2:54 ` Eric Paris
2014-05-29 3:01 ` Andy Lutomirski
2014-05-29 13:05 ` Steve Grubb [this message]
2014-05-29 16:04 ` Andy Lutomirski
2014-05-29 16:25 ` Steve Grubb
2014-05-29 16:46 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=127406715.ZrfKfg88o4@x2 \
--to=sgrubb@redhat.com \
--cc=eparis@redhat.com \
--cc=greg@kroah.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@linux.intel.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=pkern@google.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox