From: Steve Grubb
To: linux-audit@redhat.com
Cc: Andy Lutomirski, Eric Paris, "H. J. Lu", "security@kernel.org", Philipp Kern, Greg Kroah-Hartman, "linux-kernel@vger.kernel.org", "H. Peter Anvin"
Subject: Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text
Date: Thu, 29 May 2014 09:05:12 -0400
Message-ID: <127406715.ZrfKfg88o4@x2>
Organization: Red Hat

On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
> >> - It assumes that syscall numbers are between 0 and 2048.
> >>
> > There could well be a bug here. Not questioning that. Although that
> > would be patch 1/2
>
> Even with patch 1, it still doesn't handle large syscall numbers -- it
> just assumes they're not audited.

All syscalls must be auditable. Meaning that if an arch goes above 2048, then
we'll need to do some math to get it to fall back within the range.

> >> - It's unclear whether it's supposed to be reliable.
> >>
> > Unclear to whom?
>
> To me.
>
> If some inode access or selinux rule triggers an audit, is the auditsc
> code guaranteed to write an exit record? And see below...

It should or indicate that it could not.

-Steve