Message-ID: <127406715.ZrfKfg88o4@x2>
Date:	Thu, 29 May 2014 09:05:12 -0400
From:	Steve Grubb <sgrubb@...hat.com>
To:	linux-audit@...hat.com
Cc:	Andy Lutomirski <luto@...capital.net>,
	Eric Paris <eparis@...hat.com>,
	"H. J. Lu" <hjl.tools@...il.com>,
	"security@...nel.org" <security@...nel.org>,
	Philipp Kern <pkern@...gle.com>,
	Greg Kroah-Hartman <greg@...ah.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"H. Peter Anvin" <hpa@...ux.intel.com>
Subject: Re: [PATCH v2 2/2] audit: Mark CONFIG_AUDITSYSCALL BROKEN and update help text

On Wednesday, May 28, 2014 07:40:57 PM Andy Lutomirski wrote:
> >>  - It assumes that syscall numbers are between 0 and 2048.
> >>
> > There could well be a bug here.  Not questioning that.  Although that
> > would be patch 1/2
> 
> Even with patch 1, it still doesn't handle large syscall numbers -- it
> just assumes they're not audited.

All syscalls must be auditable. Meaning that if an arch goes above 2048, then 
we'll need to do some math to get it to fall back within the range.


> >>  - It's unclear whether it's supposed to be reliable.
> >>
> > Unclear to whom?
> 
> To me.
> 
> If some inode access or selinux rule triggers an audit, is the auditsc
> code guaranteed to write an exit record?  And see below...

It should or indicate that it could not.

-Steve
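
The 2048 limit discussed in this message matches the size of the audit rule syscall bitmask (64 words of 32 bits). The following is an added example, not code from this thread or from the kernel tree: a user-space model of that mask with a range-checked lookup, showing that a syscall number above the range cannot be selected by a rule and is reported as not audited. The macro names and values follow the kernel's `include/uapi/linux/audit.h`; `rule_model`, `mask_word_index`, `rule_add_syscall`, `rule_matches` and `MASK_SLOTS` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mask geometry as in include/uapi/linux/audit.h: 64 words x 32 bits = 2048 slots. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))
#define AUDIT_BIT(nr)  (1U << ((nr) - AUDIT_WORD(nr) * 32))
#define MASK_SLOTS     (AUDIT_BITMASK_SIZE * 32UL)

/* Hypothetical stand-in for an audit rule; only the syscall mask is modelled. */
struct rule_model {
    uint32_t mask[AUDIT_BITMASK_SIZE];
};

/* Word of mask[] a syscall number maps to; 64 or more is past the end of the array. */
unsigned long mask_word_index(unsigned long nr)
{
    return nr / 32;
}

/* Select a syscall for auditing. Returns false when the number has no slot. */
bool rule_add_syscall(struct rule_model *r, unsigned long nr)
{
    if (nr >= MASK_SLOTS)
        return false;
    r->mask[AUDIT_WORD(nr)] |= AUDIT_BIT(nr);
    return true;
}

/* Range-checked lookup: an out-of-range number is treated as "not audited". */
bool rule_matches(const struct rule_model *r, unsigned long nr)
{
    if (nr >= MASK_SLOTS)
        return false;
    return (r->mask[AUDIT_WORD(nr)] & AUDIT_BIT(nr)) != 0;
}

int main(void)
{
    struct rule_model r = {{0}};
    unsigned long nrs[] = {0, 2047, 2048, 5000}; /* constructed sample numbers */
    for (size_t i = 0; i < sizeof nrs / sizeof nrs[0]; i++) {
        bool added = rule_add_syscall(&r, nrs[i]);
        printf("nr=%lu word=%lu selectable=%d matches=%d\n", nrs[i],
               mask_word_index(nrs[i]), added, rule_matches(&r, nrs[i]));
    }
    return 0;
}
```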