syscall filtering on personality

Steve Grubb sgrubb at redhat.com
Thu Mar 3 00:46:01 UTC 2005


On Wednesday 02 March 2005 12:20, Debora Velarde wrote:
> Here is a sample test to syscall filtering on personality:

Not sure what is going on. I think this is an area that Chris or David can 
help us with. I never got your program to work. I never got anything to 
trigger on chmod for that matter. So, I modified your program to use "open" 
since I know that one produced data.

When I set pers=0 (the Linux default), I never got a hit. But, if I changed 
the pers to 8 and set 8 for the personality in the program, I got data:

Mar  2 19:35:59 localhost kernel: audit(1109810159.968:6933803): syscall=5 
per=8 exit=3 a0=80485e1 a1=0 a2=bfe26ef8 a3=bfe26f9c items=1 pid=3518 
loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Mar  2 19:35:59 localhost kernel: audit(1109810159.968:6933803): item=0 
name=/tmp/pers32_check inode=21 dev=03:08 mode=0100644 uid=0 gid=0 rdev=00:00

This is what the program looks like:
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/personality.h>

int main(void)
{
        int fd;

        /* touch temp file */
        system("rm -f /tmp/pers32_check");
        system("touch /tmp/pers32_check");

        /* setup filtering rule: audit open() only when the personality is 0x08 (PER_LINUX32) */
        system("/sbin/auditctl -D");
        system("/sbin/auditctl -a entry,always -S open -F pers=0x08");

        /* switch this process to personality 0x08, then execute open syscall */
        if (personality(0x08) == -1)
                perror("personality");
        fd = open("/tmp/pers32_check", O_RDONLY);
        if (fd == -1)
                perror("open");
        else
                close(fd);

        /* personality(0xffffffff) queries the current value without changing it */
        printf("Personality: %d\n", personality(0xffffffff));
        return 0;
}


-Steve
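To check from the log side that a pers= rule fired as intended, here is an added example (my code, not Steve's program) that parses the key=value fields of a syscall record like the one quoted above and compares them with the rule's syscall number and personality value. The record is a constructed sample modelled on that line; reading per= and a0..a3 as hex and the other fields as decimal follows the kernel's audit format strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>

/* Constructed sample, modelled on the syscall record quoted in the post. */
static const char SAMPLE[] =
    "Mar  2 19:35:59 localhost kernel: audit(1109810159.968:6933803): "
    "syscall=5 per=8 exit=3 a0=80485e1 a1=0 a2=bfe26ef8 a3=bfe26f9c "
    "items=1 pid=3518 loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0";

/* Value of "key=" in an audit record, or -1 if absent.  The key must start
 * the record or follow a space, so "uid" is not matched inside "loginuid".
 * base: 16 for per= and a0..a3, 10 for syscall=, exit=, pid= and the ids. */
long audit_field(const char *rec, const char *key, int base)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=')
            return strtol(p + klen + 1, NULL, base);
        p += klen;
    }
    return -1;
}

/* Base personality of the record: the low byte (PER_MASK) of per=. */
int audit_base_personality(const char *rec)
{
    long per = audit_field(rec, "per", 16);
    return per < 0 ? -1 : (int)(per & PER_MASK);
}

/* Would "-S <nr> -F pers=<pers>" have selected this record? */
int rule_matches(const char *rec, long nr, long pers)
{
    return audit_field(rec, "syscall", 10) == nr &&
           audit_field(rec, "per", 16) == pers;
}

int main(void)
{
    /* syscall 5 is open on i386; the number is architecture-specific */
    printf("base personality %d (PER_LINUX32 is %d)\n",
           audit_base_personality(SAMPLE), PER_LINUX32);
    printf("rule open/pers=0x08 matches: %d\n", rule_matches(SAMPLE, 5, 0x08));
    return 0;
}
```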