Audit not recording the correct syscall return value in Fedora 10?

Paul Moore paul.moore at hp.com
Wed Apr 8 21:38:42 UTC 2009


On Tuesday 07 April 2009 10:44:09 pm Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
>
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred with
> successful execve() syscalls. This behavior was pointed out with the
> open-source common-criteria testsuite that checked each
> security-relevant syscall for parameters, return values, args etc.
>
> I didn't give much importance to those since execve() return value is
> really not that important if the call succeeds ;-)
>
> But now I'm curious as to what other problems related to syscall return
> values you've found, and how those weren't caught by the same set of
> tests (hmm, maybe they are x86-specific?)

Well, I'm not certain about the exact root cause (I was hoping others with 
more audit experience would be able to take a look) but I do know that my 
fix/workaround was arch specific.  My hunch is that the problem does lie in 
the arch specific code but it may be that the same problem exists on multiple 
architectures.

> Can you give us some examples?

Of the tests?  Sure, I used the audit-test suite, which can be found on 
SourceForge; the tests that trigger the error on my test system are the 
sendto() and sendmsg() syscall tests, which are run as part of the network 
tests.

http://sourceforge.net/project/showfiles.php?group_id=167060
http://audit-test.svn.sforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendto.c?revision=2019&view=markup
http://audit-test.svn.sourceforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendmsg.c?view=markup

-- 
paul moore
linux @ hp



