Re: test patch for auditctl inter-field comparisons on euid/uid, egid/gid
On Sunday, December 11, 2011 02:09:27 PM Peter Moody wrote:
This patch extends Eric's test patch from 11/17 (
http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html).
This turns -C into a long opt with similar syntax to -F.
Thanks.
One strange thing related to this patch: auditd seems to be
reporting
success for a normal user process (gklrellm) opening /proc/meminfo (mode
444) O_RDWR, and I don't see how this is possible. eg:
type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2
success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797
auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000
sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm"
exe="/usr/bin/gkrellm"
key="permissive"
type=CWD msg=audit(1323540255.146:97): cwd="/home/pmoody"
type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo" inode=
4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
hopefully someone with more auditd internal knowledge can explain what's
going on.
Simple, int open(const char *pathname, int flags, mode_t mode);
So, we want to look at a1's contents. Its a zero. So, let's look that up in
/usr/include/asm-generic/fcntl.h:
#define O_RDONLY 00000000
#define O_WRONLY 00000001
#define O_RDWR 00000002
So, it would appear open is called with O_RDONLY, which is allowed by the
permissions 0444.
auditctl -l doesn't know how to report this yet; if this patch is
generally
acceptable, I can try to fix that and update the manpage, etc.
Yes, auditctl -l will have to be updated. If you want to do that, it would be
helpful. Also, see the comments on the other patch in case it affects this one.
-Steve