On Wednesday 02 March 2005 12:20, Debora Velarde wrote:
> Here is a sample test of syscall filtering on personality:
Not sure what is going on. I think this is an area that Chris or David can
help us with. I never got your program to work. I never got anything to
trigger on chmod for that matter. So, I modified your program to use "open"
since I know that one produced data.
When I set pers=0 (the Linux default), I never got a hit. But if I changed
the pers to 8 and set 8 for the personality in the program, I got data:
Mar 2 19:35:59 localhost kernel: audit(1109810159.968:6933803): syscall=5 per=8 exit=3 a0=80485e1 a1=0 a2=bfe26ef8 a3=bfe26f9c items=1 pid=3518 loginuid=4325 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
Mar 2 19:35:59 localhost kernel: audit(1109810159.968:6933803): item=0 name=/tmp/pers32_check inode=21 dev=03:08 mode=0100644 uid=0 gid=0 rdev=00:00
This is what the program looks like:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/personality.h>

int main(void)
{
	int fd;

	/* touch temp file */
	system("rm -f /tmp/pers32_check");
	system("touch /tmp/pers32_check");

	/* setup filtering rule: clear every rule, then audit each open()
	 * entered under personality 0x08 (PER_LINUX32) */
	system("/sbin/auditctl -D");
	system("/sbin/auditctl -a entry,always -S open -F pers=0x08");

	/* execute open syscall under that personality */
	personality(0x08);
	fd = open("/tmp/pers32_check", O_RDONLY);
	if (fd < 0)
		perror("open");
	else
		close(fd);

	/* personality(0xffffffff) queries the current value without changing it */
	printf("Personality: %d\n", personality(0xffffffff));
	return 0;
}
-Steve
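The two kernel lines above are one audit event split across a syscall record and an item=0 path record, tied together only by the serial number in the audit(...) prefix. As an added example (not code from the thread or from the audit tools), the program below pulls the fields out of those two records, correlates them by serial, and checks the syscall record against the same "-S open -F pers=0x08" condition the rule expressed. It assumes the key=value layout shown in the post, that per= and a0..a3 are hex as the kernel formats them (8 reads the same either way), and that syscall 5 is open on i386 and 0x08 is PER_LINUX32; the two records are embedded as constructed sample input with the syslog prefix removed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the two kernel records quoted in the post,
 * syslog prefix stripped and each record on one line. */
static const char *SYSCALL_REC =
    "audit(1109810159.968:6933803): syscall=5 per=8 exit=3 a0=80485e1 a1=0 "
    "a2=bfe26ef8 a3=bfe26f9c items=1 pid=3518 loginuid=4325 uid=0 gid=0 "
    "euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0";
static const char *PATH_REC =
    "audit(1109810159.968:6933803): item=0 name=/tmp/pers32_check inode=21 "
    "dev=03:08 mode=0100644 uid=0 gid=0 rdev=00:00";

/* Copy the value of "key=..." from rec into out.  Returns 1 if found, 0 if
 * not.  The key must start a token, otherwise "uid=" would match inside
 * "loginuid=", "euid=", "fsuid=" and so on. */
int audit_field(const char *rec, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        int at_boundary = (p == rec) || (p[-1] == ' ');
        if (at_boundary && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t n = strcspn(v, " ");
            if (n >= outsz)
                n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Numeric field in the given base; -1 if absent.  syscall, exit, pid and
 * the ids are decimal, per and a0..a3 hex without 0x, mode octal, so the
 * caller picks the base (assumption: kernel formatting as seen above). */
long audit_field_num(const char *rec, const char *key, int base)
{
    char buf[64];

    if (!audit_field(rec, key, buf, sizeof buf))
        return -1;
    return strtol(buf, NULL, base);
}

/* Serial number from the "audit(SECONDS.MSEC:SERIAL):" prefix.  All records
 * of one event (syscall record plus its item=N path records) share it. */
long audit_serial(const char *rec)
{
    const char *colon = strchr(rec, ':');

    return colon ? strtol(colon + 1, NULL, 10) : -1;
}

/* name= of a path record, or NULL.  Static buffer for brevity. */
const char *audit_path_name(const char *rec)
{
    static char name[256];

    return audit_field(rec, "name", name, sizeof name) ? name : NULL;
}

/* Does this syscall record satisfy "-S <nr> -F pers=<per>"?  The kernel
 * applied the rule at syscall entry; this re-checks the record it emitted. */
int matches_pers_rule(const char *rec, long syscall_nr, long pers)
{
    return audit_field_num(rec, "syscall", 10) == syscall_nr &&
           audit_field_num(rec, "per", 16) == pers;
}

int main(void)
{
    /* open is syscall 5 on i386; 0x08 is PER_LINUX32 */
    if (audit_serial(SYSCALL_REC) == audit_serial(PATH_REC) &&
        matches_pers_rule(SYSCALL_REC, 5, 0x08))
        printf("pers=0x08 open() of %s, exit=%ld, loginuid=%ld\n",
               audit_path_name(PATH_REC),
               audit_field_num(SYSCALL_REC, "exit", 10),
               audit_field_num(SYSCALL_REC, "loginuid", 10));
    return 0;
}
```

The token-boundary check in audit_field is the part worth copying: a naive strstr for "uid=" returns loginuid's 4325 instead of uid's 0, which is exactly the kind of mistake that makes a filter on the wrong identity look like it works.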