
BUG: kernel header updates needed for 'auditctl -F perm' usage

Open stevegrubb opened this issue 8 years ago • 7 comments

The files at include/asm-generic/audit_*.h have syscalls used to trigger watches for various syscalls without having to know the exact syscall. It appears that the last time it was updated was for the fchmodat syscall which in arch/x86/entry/syscalls/syscall_64.tbl is syscall #268. The kernel currently has 332 syscalls. So, I think we need to review 269 -> 332 and update the headers.

stevegrubb avatar Sep 08 '17 15:09 stevegrubb
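
The review described in the opening post can be bootstrapped mechanically. The following Python script is an added example, not part of the thread or of the kernel tree: it finds the highest syscall number that any class header covers and lists every later syscall that no header mentions. The table and header excerpts are constructed samples in the format of the real files, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the format of arch/x86/entry/syscalls/syscall_64.tbl.
SAMPLE_TBL = """\
# <number> <abi> <name> <entry point>
90	common	chmod			sys_chmod
268	common	fchmodat		sys_fchmodat
280	common	utimensat		sys_utimensat
285	common	fallocate		sys_fallocate
303	common	name_to_handle_at	sys_name_to_handle_at
304	common	open_by_handle_at	sys_open_by_handle_at
316	common	renameat2		sys_renameat2
512	x32	rt_sigaction		compat_sys_rt_sigaction
"""

# Constructed excerpt in the style of include/asm-generic/audit_change_attr.h.
SAMPLE_HEADER = """\
#ifdef __NR_chmod
__NR_chmod,
#endif
__NR_fchmodat,
"""

def parse_table(text, abis=("common", "64")):
    """Map syscall name -> number for the selected ABIs."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit() or fields[1] not in abis:
            continue  # comment, blank line, or an ABI we are not reviewing
        table[fields[2]] = int(fields[0])
    return table

def class_members(header_text):
    """Syscall names listed as array entries ('__NR_foo,'), ignoring #ifdef lines."""
    return set(re.findall(r"^\s*__NR_(\w+)\s*,", header_text, re.MULTILINE))

def review_candidates(table_text, header_texts):
    """Return (highest covered number, [(nr, name)] of unlisted syscalls above it)."""
    table = parse_table(table_text)
    listed = set().union(*(class_members(h) for h in header_texts))
    high = max((table[n] for n in listed if n in table), default=-1)
    todo = sorted((nr, n) for n, nr in table.items() if nr > high and n not in listed)
    return high, todo

if __name__ == "__main__":
    high, todo = review_candidates(SAMPLE_TBL, [SAMPLE_HEADER])
    print(f"highest syscall covered by a class header: {high}")
    for nr, name in todo:
        print(f"review: {nr:4d} {name}")
```

The output is only a candidate list: deciding whether a syscall belongs to the read, write, attribute-change or directory-write class still needs a manual look at its semantics.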

A patch adding fallocate and renameat2 was sent to mail list: https://www.redhat.com/archives/linux-audit/2017-October/msg00048.html

More review is needed for other syscalls. For example, do we consider time stamp of a file one of its attributes? If so, then utimensat may need to be brought in. I also have no idea what to make of name_to_handle_at and open_by_handle_at. That almost looks like a deconstructed open.

stevegrubb avatar Oct 18 '17 14:10 stevegrubb

> A patch adding fallocate and renameat2 was sent to mail list: https://www.redhat.com/archives/linux-audit/2017-October/msg00048.html

... and it was merged via c372801813f5a52fc3cea869751116d20765e1dd.

pcmoore avatar Oct 18 '17 15:10 pcmoore

@stevegrubb I know we talked about this a while ago, but I forgot the end result of the discussion ... Above you mention needing to review a range of syscalls, and you followed up with a patch to add two; does that mean you have reviewed everything and these were the only two? Or does it mean these were two that you found quickly, and a proper review is still needed?

Basically I'm asking if we are done here or not.

pcmoore avatar Jan 28 '18 14:01 pcmoore

We are not finished. I picked a couple obvious ones. A more detailed look needs to be done.

stevegrubb avatar Feb 02 '18 16:02 stevegrubb

Okay, leaving it open.

pcmoore avatar Feb 02 '18 18:02 pcmoore

2021-03-17 post openat2 v1 https://listman.redhat.com/archives/linux-audit/2021-March/msg00095.html
userspace https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2
testsuite https://github.com/linux-audit/audit-testsuite/pull/103

2021-04-30 post openat2 v2 https://listman.redhat.com/archives/linux-audit/2021-April/msg00044.html - add audit syscall class macros in new file include/linux/auditscm.h

2021-04-30 post openat2 v3 https://listman.redhat.com/archives/linux-audit/2021-April/msg00049.html - re-add commit descriptions and add MAINTAINERS entry

rgbriggs avatar May 03 '21 18:05 rgbriggs

2021-10-04: merged into audit/next on v5.15-rc1
571e5c0efcb2 audit: add OPENAT2 record to list "how" info
1c30e3af8a79 audit: add support for the openat2 syscall
42f355ef59a2 audit: replace magic audit syscall class numbers with macros

rgbriggs avatar Oct 18 '21 20:10 rgbriggs