On Tuesday 15 March 2005 12:11 pm, Stephen Smalley wrote:
> On Tue, 2005-03-15 at 11:51 -0600, Timothy R. Chavez wrote:
> > Hmmm,
> >
> > I'm getting this now too:
> >
> > ./auditctl -w /audit/foo
> >
> > Error sending netlink packet (Connection refused)
>
> Hmmm...that isn't what I get. With a patched 2.6.11 kernel and 0.6.7
> auditctl, I see:
> # ./auditctl -w /etc/shadow
> Error sending netlink packet (Invalid argument)
> Error sending rule to kernel
> # ./auditctl -e 1
> AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=64
> lost=0 backlog=0
>
> I added printks to the kernel audit code, and I see them when I do the
> auditctl -e, but not when I try the auditctl -w, so it seems like it
> isn't even reaching audit_receive(), i.e. malformed netlink packet?

Yeah,

Haha. I forgot I compiled my kernel without audit enabled / audit syscall
enabled, to make sure it compiled.. so :) I'm just dumb and I'm not sure
there's a patch available to correct that.

Anyway, Invalid argument, hmmm. If it's not dying at audit_netlink_ok()
(which will return back an err = -EINVAL), then you should be getting to
audit_receive_watch() -- if you print out the values of
audit_watch->name/filterkey/path from audit_insert_watch, that might clue us
in. I have a feeling that somehow the memset(&watch, 0, sizeof(watch))
that was once in reset_vars() (in auditctl.c) has escaped somehow and you're
passing in a perm equal to some ridiculous value (bigger than 15) because it
was not initialized to 0. Perhaps?

-tim
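
The failure mode hypothesized in the message above, as an added example that is not part of the original thread and is not auditctl or kernel code: a request struct that is not zeroed before its fields are filled keeps stale bytes in its permission field and is rejected by a range check. The struct layout, the names `watch_req`, `check_watch`, `build_and_check` and `demo`, and the `0xAA` fill are assumptions made for illustration; only the limit of 15 and the `memset` call come from the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define PERM_MAX 15   /* thread: a perm "bigger than 15" is invalid */

/* Hypothetical request layout; not the real audit watch structure. */
struct watch_req {
    unsigned int perms;
    char path[64];
    char filterkey[32];
};

/* Hypothetical receiver-side validation: reject out-of-range perms. */
static int check_watch(const struct watch_req *w)
{
    if (w->perms > PERM_MAX)
        return -EINVAL;
    if (w->path[0] != '/')
        return -EINVAL;
    return 0;
}

/* Fill only the field a "-w <path>" style request sets. When zero_first
 * is 0, every other field keeps whatever bytes the struct already held. */
static int build_and_check(struct watch_req *w, const char *path, int zero_first)
{
    if (zero_first)
        memset(w, 0, sizeof(*w));
    snprintf(w->path, sizeof(w->path), "%s", path);
    return check_watch(w);
}

/* Stale stack contents are simulated with a constructed 0xAA pattern,
 * because reading truly uninitialized memory is undefined behaviour. */
static int demo(int zero_first)
{
    struct watch_req w;
    memset(&w, 0xAA, sizeof(w));
    return build_and_check(&w, "/etc/shadow", zero_first);
}

int main(void)
{
    printf("without memset: %d\n", demo(0));
    printf("with memset:    %d\n", demo(1));
    return 0;
}
```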