Date: Sun, 20 May 2018 11:23:32 +0000
From: bugzilla-noreply@freebsd.org
To: testing@freebsd.org
Subject: [Bug 228374] auditpipe(4) does not emit lgeth(2) and chflagsat(2)
Message-ID: <bug-228374-32464@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228374

    Bug ID: 228374
    Summary: auditpipe(4) does not emit lgeth(2) and chflagsat(2)
    Product: Base System
    Version: CURRENT
    Hardware: amd64
    OS: Any
    Status: New
    Severity: Affects Many People
    Priority: ---
    Component: tests
    Assignee: testing@freebsd.org
    Reporter: aniketp@iitk.ac.in

Overview
--------------
While creating a test suite for the audit framework, I noticed that two system
calls,

* lgetfh(2) : Get file handle of a symbolic link
* chflagsat(2): Change file-flags' variant

do not get audited even if the system-wide audit mask is set according to each
system call, i.e. "fm" for chflagsat(2) and "fa" for lgetfh(2).

Steps to reproduce (For lgetfh(2), can be done similarly for chflagsat(2))
----------------------------
1) Set "flag:fa" in "/etc/security/audit_control"
2) Enter "praudit /dev/auditpipe | grep "lgetfh"" in a separate window, this
   will wait for any event to occur.
3) Compile and execute this code snippet: https://pastebin.com/EwstzSUz

Expected Result
------------------------
You'll not notice anything in the praudit window, signifying that the lgetfh(2)
audit event was not emitted by the auditpipe(4).

Additional Information
---------------------------------
1) To confirm that lgetfh(2) was actually triggered, run before executing the
   code:
   "sudo dtrace -i syscall:freebsd:lgetfh:entry"
   This will match an lgetfh(2) probe.
2) The system call "getfh" is audited as "nfs_getfh", which has a different
   audit class altogether.

-- 
You are receiving this mail because:
You are the assignee for the bug.
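
Added example, not part of the original report or of the FreeBSD test suite: a check that separates "the audit class was never selected" from "the class is selected but the event is still absent", which is the condition this bug describes. It assumes the `flags:` key and `+`/`-`/`^` prefixes of audit_control(5) and praudit's default one-token-per-line output; the function names and the sample control file and trail are constructed.

```python
# Constructed sample inputs (not taken from the report).
CONTROL = "dir:/var/audit\nflags:lo,fa,+fm\npolicy:cnt,argv\n"
TRAIL = """header,88,11,lstat(2),0,Sun May 20 11:20:01 2018, + 312 msec
path,/tmp/link
return,success,0
trailer,88
"""

def selected_classes(audit_control):
    """Map audit class -> outcomes selected by the flags: line(s)."""
    classes = {}
    for line in audit_control.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("flags:"):
            continue
        for item in line[len("flags:"):].split(","):
            item = item.strip()
            if not item:
                continue
            negate = item.startswith("^")      # ^ removes a selection
            item = item.lstrip("^")
            if item[:1] == "+":                 # successful events only
                outcomes, name = {"success"}, item[1:]
            elif item[:1] == "-":               # failed events only
                outcomes, name = {"failure"}, item[1:]
            else:
                outcomes, name = {"success", "failure"}, item
            current = classes.get(name, set())
            classes[name] = current - outcomes if negate else current | outcomes
    return classes

def events_seen(praudit_output):
    """Syscall names taken from the event field of each header token."""
    seen = set()
    for line in praudit_output.splitlines():
        fields = line.split(",")
        if fields[0] == "header" and len(fields) > 3:
            seen.add(fields[3].split("(")[0].strip())
    return seen

def diagnose(audit_control, praudit_output, syscall, audit_class):
    """Tell a configuration gap apart from a missing kernel audit event."""
    if not selected_classes(audit_control).get(audit_class):
        return "class-not-selected"
    return "audited" if syscall in events_seen(praudit_output) else "missing"

if __name__ == "__main__":
    for call, cls in (("lstat", "fa"), ("lgetfh", "fa"), ("chflagsat", "fm")):
        print(call, cls, diagnose(CONTROL, TRAIL, call, cls))
```

A result of "missing" only means something once a trace such as the dtrace probe in the report confirms the system call actually ran during the capture.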