On Tuesday 07 April 2009 10:44:09 pm Klaus Heinrich Kiwi wrote:
> On Tue, 2009-04-07 at 11:34 -0400, Paul Moore wrote:
> > Does anyone have any thoughts?
> I remember debugging an issue with the incorrect return value being
> audited for a syscall. It was s390[x] specific and only occurred with
> successful execve() syscalls. This behavior was pointed out with the
> open-source common-criteria testsuite that checked each
> security-relevant syscall for parameters, return values, args etc.
> I didn't give much importance to those since execve() return value is
> really not that important if the call succeeds ;-)
> But now I'm curious as to what other problems related to syscall return
> values you've found, and how those weren't caught by the same set of
> tests (hmm, maybe they are x86-specific?)
Well, I'm not certain about the exact root cause (I was hoping others with
more audit experience would be able to take a look) but I do know that my
fix/workaround was arch specific. My hunch is that the problem does lie in
the arch specific code but it may be that the same problem exists on multiple
architectures.
> Can you give us some examples?
Of the tests? Sure, I used the audit-test suite which can be found on
SourceForge, the tests that trigger the error on my test system are the
sendto() and sendmsg() syscall tests which are run as part of the network
tests.
http://sourceforge.net/project/showfiles.php?group_id=167060
http://audit-test.svn.sforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendto.c?revision=2019&view=markup
http://audit-test.svn.sourceforge.net/viewvc/audit-test/trunk/tests/audit/utils/bin/do_sendmsg.c?view=markup
--
paul moore
linux @ hp