Re: test patch for auditctl inter-field comparisons on euid/uid, egid/gid

On Sunday, December 11, 2011 02:09:27 PM Peter Moody wrote: > This patch extends Eric's test patch from 11/17 ( > http://www.redhat.com/archives/linux-audit/2011-November/msg00045.html). > This turns -C into a long opt with similar syntax to -F. Thanks. > One strange thing related to this patch: auditd seems to be reporting > success for a normal user process (gklrellm) opening /proc/meminfo (mode > 444) O_RDWR, and I don't see how this is possible. eg: > > type=SYSCALL msg=audit(1323540255.146:97): arch=c000003e syscall=2 > success=yes exit=13 a0=4b1972 a1=0 a2=1b6 a3=0 items=1 ppid=1704 pid=1797 > auid=11532 uid=11532 gid=5000 euid=11532 suid=11532 fsuid=11532 egid=5000 > sgid=5000 fsgid=5000 tty=(none) ses=1 comm="gkrellm" exe="/usr/bin/gkrellm" > key="permissive" > type=CWD msg=audit(1323540255.146:97): cwd="/home/pmoody" > type=PATH msg=audit(1323540255.146:97): item=0 name="/proc/meminfo" inode= > 4026532008 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 > > hopefully someone with more auditd internal knowledge can explain what's > going on. Simple, int open(const char *pathname, int flags, mode_t mode); So, we want to look at a1's contents.

Its a zero. So, let's look that up in /usr/include/asm-generic/fcntl.h: #define O_RDONLY 00000000 #define O_WRONLY 00000001 #define O_RDWR 00000002 So, it would appear open is called with O_RDONLY, which is allowed by the permissions 0444. > auditctl -l doesn't know how to report this yet; if this patch is generally > acceptable, I can try to fix that and update the manpage, etc. Yes, auditctl -l will have to be updated. If you want to do that, it would be helpful. Also, see the comments on the other patch in case it affects this one.

-Steve