Overview
--------------
While creating a test-suite for the audit framework, I noticed that two system calls,

* lgetfh(2) : Get file handle of a symbolic link
* chflagsat(2): Change file-flags' variant

do not get audited even if the system-wide audit mask is set according to each system call, i.e. "fm" for chflagsat(2) and "fa" for lgetfh(2).

Steps to reproduce (For lgetfh(2), can be done similarly for chflagsat(2))
----------------------------
1) Set "flag:fa" in "/etc/security/audit_control"
2) Enter "praudit /dev/auditpipe | grep "lgetfh" " in a separate window; this will wait for any event to occur.
3) Compile and execute this code snippet: https://pastebin.com/EwstzSUz

Expected Result
------------------------
You'll not notice anything in the praudit window, signifying that the lgetfh(2) audit event was not emitted by the auditpipe(4).

Additional Information
---------------------------------
1) To confirm that lgetfh(2) was actually triggered, run before executing the code: "sudo dtrace -i syscall:freebsd:lgetfh:entry". This will match an lgetfh(2) probe.
2) The system call "getfh" is audited as "nfs_getfh", which has a different audit class altogether.
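The check in step 2 can be made stricter than a substring grep by matching only the event-name field of each record header. The script below is an added example, not part of the bug report or the FreeBSD test suite; the function names and the sample trace are constructed, and it assumes default praudit(1) output (one token per line, event name as the fourth field of the "header" token, written like "lgetfh(2)").

```shell
#!/bin/sh
# missing_audit_events TRACE SYSCALL...
# Prints each SYSCALL that has no record in TRACE, a file holding default
# (one token per line) praudit(1) output.
missing_audit_events() {
    trace=$1
    shift
    for sc in "$@"; do
        # Compare against field 4 of "header" tokens only, so a path or
        # argument token that merely contains the name is not a match.
        if ! awk -F, -v want="$sc" '
            $1 == "header" {
                name = $4
                sub(/\(.*/, "", name)   # "lgetfh(2)" -> "lgetfh"
                if (name == want) found = 1
            }
            END { exit (found ? 0 : 1) }' "$trace"
        then
            printf '%s\n' "$sc"
        fi
    done
}

# Constructed sample trace (not captured from a real system). The first
# record is a symlink event whose path happens to contain "lgetfh".
sample_trace() {
    cat <<'EOF'
header,120,11,symlink(2),0,Sat Jul 21 16:34:39 2018, + 101 msec
path,/tmp/lgetfh_link
subject,root,root,wheel,root,wheel,1001,1001,0,0.0.0.0
return,success,0
trailer,120
header,96,11,chflags(2),0,Sat Jul 21 16:34:40 2018, + 7 msec
path,/tmp/target
subject,root,root,wheel,root,wheel,1001,1001,0,0.0.0.0
return,success,0
trailer,96
EOF
}
```

On the sample, a plain `grep lgetfh` matches the path line of the symlink record, while `missing_audit_events` still reports lgetfh, chflagsat and setfib as having no audit record.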
Adding setfib(2) as a part of this PR, since the behaviour is the same as that of chflagsat(2) and lgetfh(2).
A commit references this bug:

Author: asomers
Date: Sat Jul 21 16:34:39 UTC 2018
New revision: 336580
URL: https://svnweb.freebsd.org/changeset/base/336580

Log:
  audit(4): add test cases for chflagsat(2), lgetfh(2), setfib(2)

  These three syscalls aren't currently audited correctly, so the tests are marked as expected failures.

  PR: 228374
  Submitted by: aniketp
  MFC after: 2 weeks
  Sponsored by: Google, Inc. (GSoC 2018)
  Differential Revision: https://reviews.freebsd.org/D16379

Changes:
  head/tests/sys/audit/file-attribute-access.c
  head/tests/sys/audit/file-attribute-modify.c
  head/tests/sys/audit/network.c
A commit references this bug:

Author: asomers
Date: Sun Jul 22 14:11:53 UTC 2018
New revision: 336604
URL: https://svnweb.freebsd.org/changeset/base/336604

Log:
  Fix audit of chflagsat, lgetfh, and setfib

  These syscalls were always supposed to have been audited, but due to oversights never were.

  PR: 228374
  Reported by: aniketp
  Reviewed by: aniketp
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D16388

Changes:
  head/sys/security/audit/audit_bsm.c
  head/tests/sys/audit/file-attribute-access.c
  head/tests/sys/audit/file-attribute-modify.c
  head/tests/sys/audit/network.c
I fixed this long ago, but forgot to close the bug. I never MFCed to stable/11. By now, it's too late to get this change in 11.4-RELEASE, so I'm just going to cancel the MFC and close the bug.