lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 31 Mar 2022 10:16:23 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     CGEL <cgel.zte@...il.com>
Cc:     rth@...ddle.net, ink@...assic.park.msu.ru, mattst88@...il.com,
        eparis@...hat.com, linux-audit@...hat.com, kbuild-all@...ts.01.org,
        linux-kernel@...r.kernel.org, Yang Yang <yang.yang29@....com.cn>,
        Zeal Robot <zealci@....com.cn>, guo.xiaofeng@....com.cn,
        huang.junhua@....com.cn, dai.shixin@....com.cn
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid

On Wed, Mar 30, 2022 at 10:29 PM CGEL <cgel.zte@...il.com> wrote:
> On Wed, Mar 30, 2022 at 10:48:12AM -0400, Paul Moore wrote:
> >
> > If audit is not generating SYSCALL records, even for invalid/ENOSYS
> > syscalls, I would consider that a bug which should be fixed.
>
> If we fix this bug, do you think audit invalid/ENOSYS syscalls better
> be forcible or be a rule that can be configure? I think configure is
> better.

It isn't clear to me exactly what you are asking, but I would expect
the existing audit syscall filtering mechanism to work regardless if
the syscall is valid or not.  Beware that there are some limitations
to the audit syscall filter, which are unfortunately baked into the
current design/implementation, which may affect this to some extent.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ