BUG: rules with 'exit' filter do not generate any audit events #138
Comments
Hmm, two things come to mind for debugging next steps:
if (context->current_state != AUDIT_STATE_RECORD)
goto out;
@The-Mule do you think you could take a shot at debugging this further?
Just a hunch, but did you try `exit=EACCES` instead of `exit=-EACCES`?
On 2022-08-10 11:50, Ondrej Mosnáček wrote:
Just a hunch, but did you try `exit=EACCES` instead of `exit=-EACCES`?
I have tried both, but no difference.
On 2022-08-10 11:33, Paul Moore wrote:
@The-Mule do you think you could take a shot at debugging this further?
I'd already started looking at this... I'll start with your suggestions.
Great, let us know what you find out ... and please don't limit yourself to just my suggestions above :)
On 2022-08-10 12:31, Paul Moore wrote:
Great, let us know what you find out ... and please don't limit yourself to just my suggestions above :)
Ok, first suggestion is a bust. No change in behaviour.
I don't fully understand the interactions here, but this seems to help: https://gist.github.com/sergio-correia/acf68f7d0a5afe39ce42e39197d4af9d -- @rgbriggs: could you please try it out and check if it makes sense?
On 2022-08-11 12:31, Sergio Correia wrote:
I don't fully understand the interactions here, but this seems to help: https://gist.github.com/sergio-correia/acf68f7d0a5afe39ce42e39197d4af9d -- @rgbriggs: could you please try it out and check if it makes sense?
That doesn't change anything here. How did you come up with this?
posted v1: [PATCH ghak138] audit: move audit_return_fixup before the filters
The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: #138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com>
posted v2 Message-Id: cover.1661449312.git.rgb@redhat.com
upstreamed: d4fefa4 (audit/stable-6.0) audit: move audit_return_fixup before the filters
commit d4fefa4 upstream. The success and return_code are needed by the filters. Move audit_return_fixup() before the filters. This was causing syscall auditing events to be missed. Link: linux-audit/audit-kernel#138 Cc: stable@vger.kernel.org Fixes: 12c5e81 ("audit: prepare audit_context for use in calling contexts beyond syscalls") Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: manual merge required] Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
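The commit message above states the root cause in one line: the filters need success and return_code, and those are only set by audit_return_fixup(). The program below is an added example, not code from the kernel or from this issue, that models that ordering in user space so the effect can be seen without a patched kernel. The struct, field and function names (audit_context, return_valid, return_code, audit_return_fixup, audit_filter_syscall, AUDIT_STATE_RECORD) are simplified stand-ins for the kernel/auditsc.c logic and are assumptions of this model; the real kernel handles more fields, operators and interrupted-syscall cases than shown here.

```c
/* Added example: user-space model of the ordering bug fixed by
 * "audit: move audit_return_fixup before the filters".
 * Not kernel code; names and fields are simplified stand-ins. */
#include <errno.h>
#include <stdio.h>

enum { AUDITSC_INVALID = 0, AUDITSC_SUCCESS, AUDITSC_FAILURE };
enum { AUDIT_STATE_BUILD = 0, AUDIT_STATE_RECORD };

/* Simplified audit_context: only the fields an exit filter looks at. */
struct audit_context {
    int return_valid;     /* AUDITSC_* ; INVALID until fixup runs */
    long return_code;     /* syscall return value once fixed up */
    int current_state;    /* RECORD means an event will be emitted */
};

/* A rule of the form '-F exit=<val>', e.g. exit=-EACCES (== -13). */
struct exit_rule {
    long val;
};

/* Model of audit_return_fixup(): record the syscall outcome in the context. */
static void audit_return_fixup(struct audit_context *ctx, int success, long code)
{
    ctx->return_valid = success ? AUDITSC_SUCCESS : AUDITSC_FAILURE;
    ctx->return_code = code;
}

/* Model of the AUDIT_EXIT comparator: the rule can only match once
 * return_valid has been set; before that the context is still "building". */
static int exit_rule_matches(const struct audit_context *ctx, const struct exit_rule *r)
{
    if (ctx->return_valid == AUDITSC_INVALID)
        return 0;
    return ctx->return_code == r->val;
}

/* Model of audit_filter_syscall(): a matching rule moves the context to RECORD. */
static void audit_filter_syscall(struct audit_context *ctx, const struct exit_rule *r)
{
    if (exit_rule_matches(ctx, r))
        ctx->current_state = AUDIT_STATE_RECORD;
}

/* Exit path as in the affected kernels: filters run before the return value
 * is known, so an exit= rule never sees it. Returns 1 if an event is emitted. */
static int syscall_exit_filters_first(const struct exit_rule *r, int success, long code)
{
    struct audit_context ctx = { AUDITSC_INVALID, 0, AUDIT_STATE_BUILD };
    audit_filter_syscall(&ctx, r);
    audit_return_fixup(&ctx, success, code);
    return ctx.current_state == AUDIT_STATE_RECORD;
}

/* Exit path after the fix: fixup first, then the filters. */
static int syscall_exit_fixup_first(const struct exit_rule *r, int success, long code)
{
    struct audit_context ctx = { AUDITSC_INVALID, 0, AUDIT_STATE_BUILD };
    audit_return_fixup(&ctx, success, code);
    audit_filter_syscall(&ctx, r);
    return ctx.current_state == AUDIT_STATE_RECORD;
}

int main(void)
{
    struct exit_rule eacces = { -EACCES };   /* '-F exit=-EACCES' */

    printf("open() -> -EACCES, filters before fixup: event=%d\n",
           syscall_exit_filters_first(&eacces, 0, -EACCES));
    printf("open() -> -EACCES, fixup before filters: event=%d\n",
           syscall_exit_fixup_first(&eacces, 0, -EACCES));
    printf("open() -> 3 (success), fixup before filters: event=%d\n",
           syscall_exit_fixup_first(&eacces, 1, 3));
    return 0;
}
```

The first path reproduces the symptom reported in this issue (no event for a failing open with an exit= rule loaded); the second is what the upstream ordering restores. Note that the model matches on the negative errno value, which is what the syscall actually returns, so the rule value is -13 for EACCES.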
I have a simple audit-testsuite test for this in my fork https://github.com/The-Mule/audit-testsuite/tree/filter-exit (it only checks the exit filter for open* syscalls). Is it something we want to have in audit-testsuite?
I think that would be a nice addition, although I don't like the thought of the test adding and deleting users. Perhaps you could modify the test to do something that we know would always fail with a predictable error code, for example:
Good idea, thanks for the hint. I'll fix that and file a PR.
Great, thank you!
With the kernel fix upstream I think we can close out this issue, if anyone disagrees feel free to leave a comment in the issue and we can reopen it.
Hello folks, long time no see :).
On Fedora I am trying to catch syscalls with a specific exit value (EACCES=-13) by the following rule:
I am triggering the EACCES syscall as follows:
But there are no events generated:
What I would expect is to see something like this:
This worked until 5.15.18-100.fc34.x86_64 and stopped working in 5.16.5-100.fc34.x86_64, and it has been like that since then (i.e. also with 5.19.0-0.rc2.21.fc37.x86_64). It seems to be related to commit 12c5e81 (it is also possible we are wrong here).
Is there perhaps something I am doing wrong?