| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1401332086.13555.45.camel@localhost> Date: Wed, 28 May 2014 22:54:46 -0400 From: Eric Paris <eparis@...hat.com> To: Andy Lutomirski <luto@...capital.net> Cc: Philipp Kern <pkern@...gle.com>, "H. Peter Anvin" <hpa@...ux.intel.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "H. J. Lu" <hjl.tools@...il.com>, "security@...nel.org" <security@...nel.org>, Greg Kroah-Hartman <greg@...ah.com>, linux-audit@...hat.com Subject: Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text On Wed, 2014-05-28 at 19:40 -0700, Andy Lutomirski wrote: > On Wed, May 28, 2014 at 7:09 PM, Eric Paris <eparis@...hat.com> wrote: > > NAK > > > > On Wed, 2014-05-28 at 18:44 -0700, Andy Lutomirski wrote: > >> Here are some issues with the code: > >> - It thinks that syscalls have four arguments. > > > > Not true at all. It records the registers that would hold the first 4 > > entries on syscall entry, for use later if needed, as getting those > > later on some arches is not feasible (see ia64). It makes no assumption > > about how many syscalls a function has. > > What about a5 and a6? On the couple of syscalls where a5 and a6 had any state that was actually wanted by someone (mainly just the fd on mmap) audit collects it later in the actual syscall. > >> - It assumes that syscall numbers are between 0 and 2048. > > > > There could well be a bug here. Not questioning that. Although that > > would be patch 1/2 > > Even with patch 1, it still doesn't handle large syscall numbers -- it > just assumes they're not audited. That's because we haven't had large syscall numbers. That's the whole point of an arch doing select HAVE_ARCH_AUDITSYSCALL. If they don't meet the requirements, they shouldn't be selecting it.... > >> - It's unclear whether it's supposed to be reliable. > > > > Unclear to whom? > > To me. > > If some inode access or selinux rule triggers an audit, is the auditsc > code guaranteed to write an exit record? And see below... This is an honest question: Do you want to discuss these things, or would you be happier if I shut up, fix the bugs you found, and leave things be? I don't want to have an argument, I'm happy to have a discussion if you think that will be beneficial... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists