On Mon, May 14, 2007 at 10:46:36AM -0500, Klaus Weidner wrote: > Bug description: When I add an audit watch on a file with no arguments, I > get perm=rwxa but on ia64, changes to the mode and context aren't > audited. I get audit records on i386 and x86_64. > > See also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239887 > > The sanity check in audit_match_class() is wrong, AUDIT_BITMASK_SIZE is > 64, providing space for 2048 syscalls in 64 * 32bit integers. The > comparison only supports 256 syscalls (sizeof __u32 is 4), and silently > returns "no match" for valid higher-numbered syscalls. > > This breaks class-based audit for all syscalls on ia64 since on that > architecture syscall numbers start at 1024. It breaks some syscall audit > on other architectures also, for example __NR_fchmodat is 306 on x86. > > I'd suggest adding a printk() in addition to returning 0 - you don't want > to silently ignore unknown or unsupported syscalls when auditing. > > Signed-off-by: Klaus Weidner <[EMAIL PROTECTED]> > > --- linux-2.6.18.i686/kernel/auditfilter.c.lspp.80 2007-05-11 > 17:06:08.000000000 -0500 > +++ linux-2.6.18.i686/kernel/auditfilter.c 2007-05-11 17:09:37.000000000 > -0500 > @@ -306,7 +306,7 @@ > > int audit_match_class(int class, unsigned syscall) > { > - if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) > + if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) > return 0; > if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) > return 0;
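Review bot: in the audit_match_class() hunk, the new bound `AUDIT_BITMASK_SIZE * 32` hard-codes the word width as a bare 32. Writing it as `AUDIT_BITMASK_SIZE * sizeof(__u32) * 8`, or through a named bits-per-mask constant, would keep the link to the __u32 mask words visible and make the bytes-versus-bits mix-up harder to reintroduce. The out-of-range branch also still ends in a bare `return 0`, so the printk() suggested in the description is not part of this change; if it is wanted, it belongs in that branch, preferably rate-limited.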
You likely need to fix audit_register_class() if this is true. Ciao, Marcus
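The bounds error discussed in this thread, as an added user-space example (not kernel code and not written by either poster): a constructed 64-word class bitmask is queried with the bound from the removed line and the bound from the added line. The helper names and syscall 15 are assumptions made for the illustration; 306 and 1024 are the numbers quoted in the report.

```c
#include <stdint.h>
#include <stdio.h>

#define AUDIT_BITMASK_SIZE 64   /* number of 32-bit mask words, as quoted in the report */
#define BITS_PER_WORD      32

/* Constructed stand-in for one syscall class: bit n set => syscall n is in the class. */
static uint32_t class_mask[AUDIT_BITMASK_SIZE];

static void class_add(unsigned syscall)
{
    class_mask[syscall / BITS_PER_WORD] |= 1u << (syscall % BITS_PER_WORD);
}

static int bit_test(unsigned syscall)
{
    return (class_mask[syscall / BITS_PER_WORD] >> (syscall % BITS_PER_WORD)) & 1u;
}

/* Bound from the removed line: 64 * sizeof(u32) = 256, a byte count used as a bit count. */
int match_old(unsigned syscall)
{
    if (syscall >= AUDIT_BITMASK_SIZE * sizeof(uint32_t))
        return 0;               /* silently "no match" for every syscall >= 256 */
    return bit_test(syscall);
}

/* Bound from the added line: 64 * 32 = 2048 addressable bits. */
int match_new(unsigned syscall)
{
    if (syscall >= AUDIT_BITMASK_SIZE * 32)
        return 0;
    return bit_test(syscall);
}

/* Constructed class: one low number, the x86 number and the ia64 base from the report. */
void setup_constructed_class(void)
{
    class_add(15);
    class_add(306);
    class_add(1024);
}

int main(void)
{
    const unsigned probes[] = { 15, 306, 1024 };
    setup_constructed_class();
    for (unsigned i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("syscall %4u: old=%d new=%d\n", probes[i],
               match_old(probes[i]), match_new(probes[i]));
    return 0;
}
```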
