open_by_handle_at and CVE-2020-35501
sgrubb at redhat.com
Thu Feb 25 22:14:38 UTC 2021
There was an announcement on the oss-security mail list a week ago:
regarding auditing of the open_by_handle_at system call. They are using a
rule like this:
-a always,exit -F path=/path/to/file -F perm=wr
and expecting that we have an audit record when opened using the
name_to_handle_at/open_by_handle_at syscall pair.
I run a study of my system by adding audit rules for each of the syscalls.
What I found was that the name_to_handle_at seems to be used by systemd and
it only passes a relative file name. This makes the audit event next to
And interestingly I have no events for open_by_handle_at in spite of systemd
preparing to use it. So, I don't have any idea what the audit event would
In any event, they are asking what upstream audit is going to do about this?
In looking into open_by_handle_at, I found that it was used in an exploit
against docker some time ago where it was possible to bruteforce the handle.
Of cource you need CAP_DAC_READ_SEARCH to call it.
I think we should do something, not sure what. Simply adding the syscall to
the open perms machinery will get an event, but probably nothing usable. You
could at least see who is doing it and with what program.
In the meantime, people can use the syscall rules to audit for any occurance.
I think the default rules do include it.
More information about the Linux-audit