Bug 239887
| Summary: | LSPP: watches using -p omit some syscalls | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Linda Knippers <linda.knippers> | ||||
| Component: | kernel | Assignee: | Eric Paris <eparis> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Martin Jenner <mjenner> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 5.0 | CC: | amy.griffis, eparis, iboverma, krisw, kweidner, poelstra, sgrubb | ||||
| Target Milestone: | --- | Keywords: | OtherQA | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | RHBA-2007-0959 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2007-11-07 19:49:14 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 224041 | ||||||
| Attachments: |
|
||||||
|
Description
Linda Knippers
2007-05-11 21:52:00 UTC
Created attachment 154573 [details]
proposed patch for syscall match check
The check is wrong, AUDIT_BITMASK_SIZE is 64, providing space for 2048 syscalls
in 64 * 32bit integers. The comparison only supports 256 syscalls, and silently
returns "no match" for valid higher-numbered syscalls.
This breaks class-based audit for all syscalls on ia64 since on that
architecture syscall numbers start at 1024.
It breaks some syscall audit on other architectures also, for example
__NR_fchmodat is 306 on x86.
I'd suggest adding a printk() in addition to returning 0 - you don't want to
silently ignore unknown or unsupported syscalls when auditing.
I gave Klaus's patch a quick test on ia64 and it solves the problem I was seeing. Thanks Klaus! The patch should be sent to linux-audit mail list for review and pushing upstream. Patch posted to linux-audit mailing list: https://www.redhat.com/archives/linux-audit/2007-May/msg00029.html https://www.redhat.com/archives/linux-audit/2007-May/msg00030.html This request was evaluated by Red Hat Kernel Team for inclusion in a Red Hat Enterprise Linux maintenance release, and has moved to bugzilla status POST. in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED. This problem appears to be fixed in the RHEL5 U1 Beta. In verifying the fix I noticed that ausearch is getting a segfault on my system. If I don't find an existing bz I'll open a new one for that. Linda, audit packages before 1.5.5-5 are known to segfault on acct fields and there is already a bz for that. Please check that you are testing with snap 1 audit package 1.5.5-5. Thanks. Steve, thanks for the info. I'm running 1.5.5-4 so I'll try later on a snap1 system. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0959.html |