Re: [PATCH] audit: do a quick exit when syscall number is invalid

On Tue, Mar 29, 2022 at 09:11:19AM -0400, Paul Moore wrote: > On Mon, Mar 28, 2022 at 11:22 PM CGEL <cgel.zte(a)gmail.com&gt; wrote: > > On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote: > > > On Mon, Mar 28, 2022 at 9:48 PM CGEL <cgel.zte(a)gmail.com&gt; wrote: > > > > Sorry could anybody give a hand to solve this? It works well on x86_64 and arm64. > > > > I have no alpha environment and not familiar to this arch, much thanks! > > > > > > Regardless of if this is fixed, I'm not convinced this is something we > > > want to merge. After all, a process executed a syscall and we should > > > process it like any other; just because it happens to be an > > > unrecognized syscall on a particular kernel build doesn't mean it > > > isn't security relevant (probing for specific syscall numbers may be a > > > useful attack fingerprint). > > > > Thanks for your reply. > > > > But syscall number less than 0 is even invalid for auditctl. So we > > will never hit this kind of audit rule. And invalid syscall number > > will always cause failure early in syscall handle. > > > > sh-4.2# auditctl -a always,exit -F arch=b64 -S -1 > > Syscall name unknown: -1 > > You can add an audit filter without explicitly specifying a syscall: > > % auditctl -a exit,always -F auid=1000 > % auditctl -l > -a always,exit -S all -F auid=1000 > I have tried this, and execute program which call syscall number is -1, audit still didn't record it. It supports that there's no need for audit to handle syscall number less than 0. sh-4.2# auditctl -a exit,always sh-4.2# auditctl -l -a always,exit -S all