From: Garrett Wollman
To: FreeBSD-gnats-submit@FreeBSD.org
Date: Thu, 2 Dec 2010 18:43:52 -0500 (EST)
Message-Id: <201012022343.oB2Nhqjq082224@khavrinen.csail.mit.edu>
Subject: kern/152796: fcntl(2) audit records should not be labeled "file attribute modify"
Reply-To: Garrett Wollman
List-Id: Bug reports
X-Send-Pr-Version: 3.113

>Number: 152796
>Category: kern
>Synopsis: fcntl(2) audit records should not be labeled "file attribute modify"
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 03 00:10:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Garrett Wollman
>Release: FreeBSD 8.1-RELEASE-p2 amd64
>Organization:
MIT Computer Science & Artificial Intelligence Lab
>Environment:
8.1 system with auditing turned on
>Description:
/etc/security/audit_class describes class 0x8 as "file attribute
modify". This seems like a reasonable thing to audit, but
unfortunately, all calls to fcntl(2) -- which does not modify any file
attributes -- are included in this category. Any program which uses
POSIX-style locking will flood the audit file with spurious audit
records, while the interesting system calls (those that call
VOP_SETATTR) will be buried. (And for whatever reason, auditreduce(1)
doesn't appear to perform as advertised when given the "-v" flag.)
>How-To-Repeat:
Enable auditing with class "fm". praudit /var/audit/current. Hit ^C
when all you see is "fcntl(2)".
>Fix:
Move fcntl to a different audit class (probably "other" or maybe
"ioctl").
>Release-Note:
>Audit-Trail:
>Unformatted:
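
An added example, not part of the original report and not FreeBSD project code: it parses lines in the audit_event(5) layout (number:name:description:classes), lists which events are selected by class "fm", and shows what the proposed fix amounts to for the fcntl entry. The sample lines and their event numbers are constructed for illustration, and "ot" is assumed to be the short name of the "other" class the report mentions.

```python
# Constructed sample in audit_event(5) layout; not a copy of the system file.
SAMPLE_AUDIT_EVENT = """\
# number:name:description:classes
10:AUE_CHMOD:chmod(2):fm
11:AUE_CHOWN:chown(2):fm
30:AUE_FCNTL:fcntl(2):fm
3:AUE_OPEN:open(2) - attr only:fa
"""

def split_entry(line):
    """Return [number, name, description, classes] or None for non-entries."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    head = text.split(":", 2)
    if len(head) != 3 or ":" not in head[2]:
        return None
    # The class list is the last field, so a ':' in the description is safe.
    desc, classes = head[2].rsplit(":", 1)
    return [head[0], head[1], desc, classes]

def events_in_class(text, cls):
    """Names of every event whose class list contains cls."""
    names = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry and cls in entry[3].split(","):
            names.append(entry[1])
    return names

def reclassify(text, event_name, old_cls, new_cls):
    """Swap old_cls for new_cls on one event, leaving other lines untouched."""
    out = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry and entry[1] == event_name:
            swapped = [new_cls if c == old_cls else c for c in entry[3].split(",")]
            entry[3] = ",".join(dict.fromkeys(swapped))  # drop duplicates, keep order
            line = ":".join(entry)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("fm before:", events_in_class(SAMPLE_AUDIT_EVENT, "fm"))
    fixed = reclassify(SAMPLE_AUDIT_EVENT, "AUE_FCNTL", "fm", "ot")
    print("fm after: ", events_in_class(fixed, "fm"))
    print(fixed, end="")
```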