Bug 221663 - LSPP: The auidt record for some ipc system calls add 0x100 to the cmd argument audited.
LSPP: The auidt record for some ipc system calls add 0x100 to the cmd argumen...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
s390x Linux
medium Severity medium
: ---
: ---
Assigned To: Jan Glauber
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-01-05 17:24 EST by Kylene J Hall
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-01-10 10:51:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kylene J Hall 2007-01-05 17:24:24 EST
Description of problem:
The auidt record for some ipc system calls add 0x100 to the last argument
audited.  Specifically calls to semctl and msgctl demonstrate this.
Examples: 

semctl(id, 0, IPC_RMID);
Expected argument: a0 = SEMCTL, a1 = id, a2 = 0, a3 = 0 (IPC_RMID)
Actual arguments seen in the audit log: a0 = SEMCTL, a1 = id, a2 = 0, a3 = 0x100

msgctl(id, IPC_STAT, &buf)
Expected argument: a0 = MSGCTL, a1 = id, a2 = 2 (IPC_STAT)
Actual arguments seen in the audit log: a0 = MSGCTL, a1 = id, a2 = 0x102


Version-Release number of selected component (if applicable):
audit-1.3.1-1.el5

How reproducible:
always

Steps to Reproduce:
1. Setup auditing to audit the ipc system call
2. Perform a semctl or msgctl as described above
3. Look at the audit log.
  
Actual results:
See the a3 argument for semctl or a2 argument for msgctl is actually equal to
the value input + 0x100

Expected results:
See the a3 argument for semctl or a2 argument for msgctl be equal to the value
input (such as IPC_RMID or IPC_STAT)

Additional info:
Comment 2 Eric Paris 2007-01-09 11:46:24 EST
/*
 * Version flags for semctl, msgctl, and shmctl commands
 * These are passed as bitflags or-ed with the actual command
 */
#define IPC_OLD 0       /* Old version (no 32-bit UID support on many
                           architectures) */
#define IPC_64  0x0100  /* New version (support 32-bit UIDs, bigger
                           message sizes, etc. */

Looks like userspace will or the value with IPC_64 to indicate the version it
supports.  I believe for all arches we deal with it will happen for everything.
 I think this just needs to be documented in the same place as the last similar
auditing "discrepency"
Comment 3 Jay Turner 2007-01-10 10:10:14 EST
QE ack for RHEL5 . . . granted, it's after the patch submission deadline as well
as the RC kernel freeze, so not sure what this does to us, but appears this
change is necessary for LSPP.
Comment 4 Eric Paris 2007-01-10 10:51:03 EST
I'm closing this as 'not a bug'  the |= 0x100 you see in the result is simply
userspace telling the kernel the version it supports.  I would suggest that all
automated audit tests simply &= ~0x100 (or something along those lines) before
checking the result.  This is not a bug and is working as intended.

Note You need to log in before you can comment on or make changes to this bug.