fuzz testing lets kernel audit complains in the linkat syscall only

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* fuzz testing lets kernel audit complains in the linkat syscall only
@ 2013-05-20 20:34 Toralf Förster
  2013-05-20 21:03 ` Toralf Förster
  0 siblings, 1 reply; 2+ messages in thread
From: Toralf Förster @ 2013-05-20 20:34 UTC (permalink / raw)
  To: Linux Kernel

[-- Attachment #1: Type: text/plain, Size: 2183 bytes --]

While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.

If this is intended - please press the delete button now.



Not ? Ok.

At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146

when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat

(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),

The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
���T̫̺̳o̬̜ ì̬͎̲̟nv̖̗̻̣̹̕o͖̗̠̜̤k͍͚̹͖̼e̦̗̪͍̪͍ ̬ͅt̕h̠͙̮͕͓e̱̜̗͙̭ ̥͔̫͙̪͍̣͝ḥi̼̦͈̼v̩̟͚̞͎e͈̟̻͙̦̤-m̷̘̝̱í͚̞̦̳n̝̲̯̙̮͞d̴̺̦͕̫ ̗̭̘͎͖r̞͎̜̜͖͎̫͢ep͇r̝̯̝͖͉͎̺e̴s̥e̵̖̳͉͍̩̗n̢͓̪͕̜̰̠̦t̺̞̰i͟n̮̦̖̟g̮͍̱̻͍̜̳ ̳c̖̮̙̣̰̠̩h̷̗͍̖͙̭͇͈a̧͎̯̹̲̺̫ó̭̞̜̣̯͕s̶̤̮̩̘.̨̻̪̖͔  ̳̭̦̭̭̦̞́I̠͍̮n͇̹̪̬v̴͖̭̗̖o̸k̬̤͓͚̠͍i͜n̛̩̹͉̘̹g͙ ̠̥ͅt̰͖͞h̫̼̪e̟̩̝ ̭̠̲̫͔fe̤͇̝̱e͖̮̠̹̭͖͕l͖̲̘͖̠̪i̢̖͎̮̗̯͓̩n̸̰g̙̱̘̗͚̬ͅ ͍o͍͍̩̮͢f̖͓̦̥ ̘͘c̵̫̱̗͚͓̦h͝a̝͍͍̳̣͖͉o͙̟s̤̞.̙̝̭̣̳̼͟  ̢̻͖͓̬̞̰̦W̮̲̝̼̩̝͖i͖͖͡ͅt̘̯͘h̷̬̖̞̙̰̭̳ ̭̪̕o̥̤̺̝̼̰̯͟ṳ̞̭̤t̨͚̥̗ ̟̺̫̩̤̳̩o̟̰̩̖ͅr̞̘̫̩̼d̡͍̬͎̪̺͚͔e͓͖̝̙r̰͖̲̲̻̠.̺̝̺̟͈  ̣̭T̪̩̼h̥̫̪͔̀e̫̯͜ ̨N̟e͔̤zp̮̭͈̟é͉͈ṛ̹̜̺̭͕d̺̪̜͇͓i̞á͕̹

(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).

FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.

-- 
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: x --]
[-- Type: text/plain; charset=UTF-8; name="x", Size: 1117 bytes --]

[13536] [35] unlinkat(dfd=390, pathname="
¿ìÃTÌ«ÌºÌ³oÌ¬Ìœ Ã¬Ì¬ÍŽÌ²ÌŸnvÌ–Ì—Ì»Ì£Ì¹Ì•oÍ–Ì—Ì ÌœÌ¤kÍÍšÌ¹Í–Ì¼eÌ¦Ì—ÌªÍÌªÍ Ì¬Í…tÌ•hÌ Í™Ì®Í•Í“eÌ±ÌœÌ—Í™Ì Ì¥Í”Ì«Í™ÌªÍÌ£Íá¸¥iÌ¼Ì¦ÍˆÌ¼vÒ‰Ì©ÌŸÍšÌžÍŽeÍˆÌŸÌ»Í™Ì¦Ì¤-mÌ·Ì˜ÌÌ±ÃÍšÌžÌ¦Ì³nÌÌ²Ì¯Ì™Ì®ÍždÌ´ÌºÌ¦Í•Ì« Ì—ÌÌ˜ÍŽÍ–rÌžÍŽÌœÌœÍ–ÍŽÌ«Í¢epÍ‡rÌÌ¯ÌÍ–Í‰ÍŽÌºeÌ´sÌ¥eÌµÌ–Ì³Í‰ÍÌ©Ì—nÌ¢Í“ÌªÍ•ÌœÌ°Ì Ì¦tÌºÌžÌ°iÍŸnÒ‰Ì®Ì¦Ì–ÌŸgÌ®ÍÌ±Ì»ÍÌœÌ³ Ì³cÌ–Ì®Ì™Ì£Ì°Ì Ì©hÌ·Ì—ÍÌ–Í™ÌÍ‡ÍˆaÌ§ÍŽÌ¯Ì¹Ì²ÌºÌ«Ã³ÌÌžÌœÌ£Ì¯Í•sÌ¶Ì¤Ì®Ì©Ì˜.Ì¨Ì»ÌªÌ–Í”  Ì³ÌÌ¦ÌÌÌ¦ÌžÌIÌ ÍÌ®nÍ‡Ì¹ÌªÌ¬vÌ´Í–ÌÌ—Ì–oÌ¸kÒ‰Ì¬Ì¤Í“ÍšÌ ÍiÍœnÌ›Ì©Ì¹Í‰Ì˜Ì¹gÍ™ Ì Ì¥Í…tÌ°Í–ÍžhÌ«Ì¼ÌªeÌŸÌ©Ì ÌÌ Ì²Ì«Í”feÌ¤Í‡ÌÌ±eÍ–Ì®Ì Ì¹ÌÍ–Í•lÍ–Ì²Ì˜Í–Ì ÌªiÌ¢Ì–ÍŽÌ®Ì—Ì¯Í“Ì©nÌ¸Ì°gÌ™Ì±Ì˜Ì—ÍšÌ¬Í… ÍoÍÍÌ©Ì®Í¢fÌ–Í“Ì¦Ì¥ Ì˜Í˜cÌµÌ«Ì±Ì—ÍšÍ“Ì¦hÍaÌÍÍÌ³Ì£Í–Í‰oÍ™ÌŸsÌ¤Ìž.Ì™ÌÌÌ£Ì³Ì¼ÍŸ  Ì¢Ì»Í–Í“Ì¬ÌžÌ°Ì¦WÌ®Ì²ÌÌ¼Ì©ÌÍ–iÍ–Í–Í¡Í…tÌ˜Ì¯Í˜hÌ·Ì¬Ì–ÌžÌ™Ì°ÌÌ³ ÌÌªÌ•oÌ¥Ì¤ÌºÌÌ¼Ì°Ì¯ÍŸá¹³ÌžÌÌ¤tÌ¨ÍšÌ¥Ì— ÌŸÌºÌ«Ì©Ì¤Ì³Ì©oÌŸÌ°Ì©Ì–Í…rÌžÌ˜Ì«Ì©Ì¼dÌ¡ÍÌ¬ÍŽÌªÌºÍšÍ”eÍ“Í–ÌÌ™rÌ°Í–Ì²Ì²Ì»Ì .ÌºÌÌºÌŸÍˆ  Ì£ÌTÌªÌ©Ì¼hÌ¥Ì«ÌªÍ”Ì€eÌ«Ì¯Íœ Ì¨NÌŸeÒ‰Í”Ì¤zpÌ®ÌÍˆÌŸÃ©Í‰Íˆá¹›Ì¹ÌœÌºÌÍ•dÌºÌªÌœÍ‡Í“iÌžÃ¡Í•Ì¹[13537] [0] setgroups16(gidsetsize=0x61dc2fe3, grouplist=4097) = -1 (Operation not permitted)

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: fuzz testing lets kernel audit complains in the linkat syscall only
  2013-05-20 20:34 fuzz testing lets kernel audit complains in the linkat syscall only Toralf Förster
@ 2013-05-20 21:03 ` Toralf Förster
  0 siblings, 0 replies; 2+ messages in thread
From: Toralf Förster @ 2013-05-20 21:03 UTC (permalink / raw)
  To: Linux Kernel

On 05/20/2013 10:34 PM, Toralf Förster wrote:
> While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
> about a file in the syscall "unlinkat" - but audit does not complain when that file
> was created/modified etc.

sry - forget that mail, symlinkat and readlinkat give now audit logs too.


-- 
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-05-20 21:03 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-20 20:34 fuzz testing lets kernel audit complains in the linkat syscall only Toralf Förster
2013-05-20 21:03 ` Toralf Förster

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox