Date: Sun, 20 May 2018 11:23:32 +0000
From: bugzilla-noreply@freebsd.org
To: testing@freebsd.org
Subject: [Bug 228374] auditpipe(4) does not emit lgeth(2) and chflagsat(2)
Message-ID: <bug-228374-32464@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228374

            Bug ID: 228374
           Summary: auditpipe(4) does not emit lgeth(2) and chflagsat(2)
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: tests
          Assignee: testing@freebsd.org
          Reporter: aniketp@iitk.ac.in

Overview
--------------
While creating a test-suite for the audit framework, I noticed that two system calls,
* lgetfh(2) : Get file handle of a symbolic link
* chflagsat(2): Change file-flags' variant
do not get audited even if the system-wide audit mask is set according to each
system call, i.e. "fm" for chflagsat(2) and "fa" for lgetfh(2)

Steps to reproduce (For lgetfh(2), can be done similarly for chflagsat(2))
----------------------------
1) Set "flag:fa" in "/etc/security/audit_control"
2) Enter "praudit /dev/auditpipe | grep "lgetfh" " in a separate window, this
will wait for any event to occur.
3) Compile and execute this code snippet: https://pastebin.com/EwstzSUz

Expected Result
------------------------
You'll not notice anything in the praudit window, signifying that the lgetfh(2)
audit event was not emitted by the auditpipe(4).

Additional Information
---------------------------------
1) To confirm that lgetfh(2) was actually triggered, run before executing the
code.
"sudo dtrace -i syscall:freebsd:lgetfh:entry"
This will match an lgetfh(2) probe.

2) The system call "getfh" is audited as "nfs_getfh" which has a different
audit class altogether.

-- 
You are receiving this mail because:
You are the assignee for the bug.
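
A check for the coverage gap this report describes, as an added example that is not code from the bug report or from FreeBSD: it reads praudit text output and lists the syscalls for which no audit record was seen, matching event names exactly so that chflags(2) does not mask a missing chflagsat(2). It assumes praudit's default comma-delimited layout with the event name in the fourth field of each header line; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of praudit output: records for nfs_getfh(2) and
# chflags(2) only, mirroring the situation in the report where lgetfh(2)
# and chflagsat(2) never show up on the pipe.
sample_trail() {
    cat <<'EOF'
header,133,11,nfs_getfh(2),0,Sun May 20 11:20:01 2018, + 120 msec
path,/tmp/target
subject,root,root,wheel,root,wheel,1234,1234,0,0.0.0.0
return,success,0
trailer,133
header,141,11,chflags(2),0,Sun May 20 11:20:02 2018, + 442 msec
path,/tmp/target
subject,root,root,wheel,root,wheel,1235,1235,0,0.0.0.0
return,success,0
trailer,141
EOF
}

# missing_audit_events NAME... < praudit-output
# Prints every NAME that has no matching header record, one per line,
# and returns 1 if any are missing, 0 if all were seen.
missing_audit_events() {
    awk -F, -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        # Assumed header layout:
        # header,<bytes>,<version>,<event name>,<modifier>,<time>,<msec>
        $1 == "header" {
            ev = $4
            sub(/\(.*/, "", ev)   # "lgetfh(2)" -> "lgetfh"
            seen[ev] = 1
        }
        END {
            miss = 0
            for (i = 1; i <= n; i++)
                if (!(names[i] in seen)) { print names[i]; miss = 1 }
            exit miss
        }'
}

# On a live system, save the output of "praudit /dev/auditpipe" to a file
# while the reproducer runs, then feed that file to the function.
sample_trail | missing_audit_events lgetfh chflagsat chflags ||
    echo "audit coverage gap: syscalls listed above produced no record"
```
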
