Hi folks,

I found out that the fchownat() syscall generates an incorrect audit
record on ppc64. It shows the syscall number for chown() instead of
fchownat(). This is with the LSPP.44 kernel. x86_64 has no problems, but i386
didn't produce any audit record for the fchownat() syscall.

I'm attaching the test program I used to diagnose this. Here's a
transcript:

[EMAIL PROTECTED] ~]# touch /tmp/test.txt
[EMAIL PROTECTED] ~]# auditctl -w /tmp/test.txt -S fchownat
[EMAIL PROTECTED] ~]# auditctl -l
LIST_RULES: exit,always watch=/tmp/test.txt syscall=open,creat,link,unlink,chmod,lchown,rename,mkdir,rmdir,symlink,truncate,ftruncate,fchmod,fchown,chown,fchownat
[EMAIL PROTECTED] ~]# ls -l /tmp/test.txt
-rw-r--r-- 1 root root 0 Aug  3 19:50 /tmp/test.txt
[EMAIL PROTECTED] ~]# /tmp/fchownat /tmp test.txt testuser
[EMAIL PROTECTED] ~]# ls -l /tmp/test.txt
-rw-r--r-- 1 testuser testuser 0 Aug  3 19:50 /tmp/test.txt
[EMAIL PROTECTED] ~]# ausearch -ts today
<skip>
----
time->Thu Aug  3 19:52:03 2006
type=PATH msg=audit(1154652723.213:9913): item=0 name="/proc/self/fd/3/test.txt" inode=161935 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:staff_tmp_t:s0
type=CWD msg=audit(1154652723.213:9913):  cwd="/root"
type=SYSCALL msg=audit(1154652723.213:9913): arch=14 syscall=181 success=yes exit=0 a0=ff9ea410 a1=1f7 a2=1f7 a3=fffffffffefefeff items=1 ppid=10238 pid=11313 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 comm="fchownat" exe="/tmp/fchownat" subj=staff_u:staff_r:staff_t:s0-s15:c0.c255 key=(null)
----
<skip>

syscall=181 corresponds to __NR_chown in ppc and ppc64. __NR_fchownat
would be 289.

Regards,
Thiago Jung Bauermann
Software Engineer
IBM Linux Technology Center
#define _ATFILE_SOURCE 1

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <fcntl.h>

/*
 * usage: ./fchownat <dir> <filename> <username>
 * example: ./fchownat /tmp test.txt testuser
 */
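/*
 * Audit test helper: opens <dir>, looks up <username> in the password
 * database and issues one fchownat() call that sets the owner and group of
 * <filename> (resolved relative to the open directory descriptor) to that
 * user's uid and primary gid.
 *
 * Returns EXIT_SUCCESS when the ownership change succeeded and EXIT_FAILURE
 * on a usage error, an open() failure, an unknown user or an fchownat()
 * failure.
 *
 * NOTE(review): the PATH record in the transcript above names
 * "/proc/self/fd/3/test.txt", which suggests the C library wrapper may have
 * emulated the call through a path-based chown() instead of issuing the raw
 * fchownat syscall -- TODO confirm (e.g. with strace) before attributing the
 * syscall number in the audit record to the kernel.
 */
int main(int argc, char *argv[]) {
	int dirfd;
	struct passwd *pw_info;

	/* argv[1], argv[2] and argv[3] are all dereferenced below; without
	 * this check a missing argument is passed on as a NULL pointer. */
	if (argc != 4) {
		fprintf(stderr, "usage: %s <dir> <filename> <username>\n",
			argc > 0 ? argv[0] : "fchownat");
		return EXIT_FAILURE;
	}

	dirfd = open(argv[1], O_RDONLY);
	if (dirfd == -1) {
		perror("dirfd");
		return EXIT_FAILURE;
	}

	pw_info = getpwnam(argv[3]);
	if (pw_info == NULL) {
		/* Stop here: continuing would dereference a NULL pointer when
		 * reading pw_uid/pw_gid. */
		fprintf(stderr, "getpwnam failed. invalid username?\n");
		close(dirfd);
		return EXIT_FAILURE;
	}

	/*
	 * flags == 0 follows a symbolic link in the final path component, so
	 * when this runs as root against a world-writable directory such as
	 * /tmp the ownership change lands on whatever the name resolves to.
	 * AT_SYMLINK_NOFOLLOW would change the link itself instead; flags is
	 * left at 0 so the program keeps issuing the same call as in the
	 * report.
	 */
	if (fchownat(dirfd, argv[2], pw_info->pw_uid, pw_info->pw_gid, 0) == -1) {
		/* Report before close() so errno still belongs to fchownat(). */
		perror("fchownat");
		close(dirfd);
		return EXIT_FAILURE;
	}

	close(dirfd);
	return EXIT_SUCCESS;
}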