From: Paul Moore
Date: Tue, 29 Mar 2022 09:11:19 -0400
Subject: Re: [PATCH] audit: do a quick exit when syscall number is invalid
To: CGEL
Cc: rth@twiddle.net, ink@jurassic.park.msu.ru, mattst88@gmail.com, eparis@redhat.com, linux-audit@redhat.com, kbuild-all@lists.01.org, linux-kernel@vger.kernel.org, Yang Yang, Zeal Robot
In-Reply-To: <62427b5c.1c69fb81.fc2a7.d1af@mx.google.com>
References: <20220326094654.2361956-1-yang.yang29@zte.com.cn> <202203270449.WBYQF9X3-lkp@intel.com> <62426553.1c69fb81.bb808.345c@mx.google.com> <62427b5c.1c69fb81.fc2a7.d1af@mx.google.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, Mar 28, 2022 at 11:22 PM CGEL wrote:
> On Mon, Mar 28, 2022 at 11:06:12PM -0400, Paul Moore wrote:
> > On Mon, Mar 28, 2022 at 9:48 PM CGEL wrote:
> > > Sorry, could anybody give a hand to solve this? It works well on
> > > x86_64 and arm64. I have no alpha environment and am not familiar
> > > with this arch, much thanks!
> >
> > Regardless of whether this is fixed, I'm not convinced this is something we
> > want to merge. After all, a process executed a syscall and we should
> > process it like any other; just because it happens to be an
> > unrecognized syscall on a particular kernel build doesn't mean it
> > isn't security relevant (probing for specific syscall numbers may be a
> > useful attack fingerprint).
>
> Thanks for your reply.
>
> But a syscall number less than 0 is even invalid for auditctl. So we
> will never hit this kind of audit rule. And an invalid syscall number
> will always cause failure early in syscall handling.
>
> sh-4.2# auditctl -a always,exit -F arch=b64 -S -1
> Syscall name unknown: -1

You can add an audit filter without explicitly specifying a syscall:

% auditctl -a exit,always -F auid=1000
% auditctl -l
-a always,exit -S all -F auid=1000

--
paul-moore.com
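The disagreement above turns on rule semantics: a rule written with a specific syscall cannot name an invalid number, but a rule written without -S is listed by auditctl as "-S all" and covers every syscall number, so an early exit for unrecognized numbers would silently drop records such a rule asks for. The following is an added, simplified model of that matching logic (example code written for this page, not the kernel's audit filter and not code from the thread); the syscall table, the auditctl subset it parses, and the events are constructed for illustration.

```python
"""Simplified model of Linux audit exit-filter rule matching.

Added example, not kernel code and not from the thread. It models the two
rule forms the mail discusses, an explicit syscall list (-S <name|nr>) and
the catch-all "-S all" that auditctl lists for a rule given without -S, and
shows why an early exit for unrecognized syscall numbers would suppress
records that a catch-all rule requests. The syscall table and the events
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Union

# Constructed stand-in for an architecture's syscall table (number -> name).
KNOWN_SYSCALLS: Dict[int, str] = {0: "read", 1: "write", 2: "open", 3: "close", 60: "exit"}
NAME_TO_NR = {name: nr for nr, name in KNOWN_SYSCALLS.items()}

ALL = "all"  # auditctl's "-S all": the rule covers every syscall number


@dataclass(frozen=True)
class Rule:
    syscalls: Union[FrozenSet[int], str]  # a set of numbers, or ALL
    auid: Optional[int] = None            # -F auid=<n>, if given


@dataclass(frozen=True)
class Event:
    syscall: int  # number the task passed to the kernel, valid or not
    auid: int


def parse_rule(args: str) -> Rule:
    """Parse the subset of auditctl syntax used in the thread.

    Mirrors the behaviour shown in the mail: "-S -1" is rejected because no
    syscall has that name or number, and a rule with no -S covers all syscalls.
    Flags the model does not need ("-a always,exit", "-F arch=...") are skipped.
    """
    toks = args.split()
    syscalls: Union[FrozenSet[int], str] = ALL
    auid = None
    i = 0
    while i < len(toks):
        if toks[i] == "-S":
            spec = toks[i + 1]
            if spec == ALL:
                syscalls = ALL
            else:
                nrs = set()
                for item in spec.split(","):
                    if item in NAME_TO_NR:
                        nrs.add(NAME_TO_NR[item])
                    elif item.lstrip("-").isdigit() and int(item) in KNOWN_SYSCALLS:
                        nrs.add(int(item))
                    else:
                        raise ValueError(f"Syscall name unknown: {item}")
                syscalls = frozenset(nrs)
            i += 2
        elif toks[i] == "-F":
            key, val = toks[i + 1].split("=", 1)
            if key == "auid":
                auid = int(val)
            i += 2
        else:
            i += 1
    return Rule(syscalls, auid)


def rule_matches(rule: Rule, ev: Event) -> bool:
    if rule.syscalls != ALL and ev.syscall not in rule.syscalls:
        return False
    return rule.auid is None or rule.auid == ev.auid


def select_events(rules: List[Rule], events: List[Event], quick_exit: bool) -> List[Event]:
    """Return the events at least one rule selects.

    quick_exit models the proposed change: skip filtering entirely when the
    syscall number is not in the table, so nothing is recorded for it.
    """
    selected = []
    for ev in events:
        if quick_exit and ev.syscall not in KNOWN_SYSCALLS:
            continue
        if any(rule_matches(r, ev) for r in rules):
            selected.append(ev)
    return selected


def unknown_syscall_counts(events: List[Event]) -> Dict[int, int]:
    """Per-auid count of calls with unrecognized numbers: the probing signal
    the mail mentions, which is only visible if those calls are recorded."""
    counts: Dict[int, int] = {}
    for ev in events:
        if ev.syscall not in KNOWN_SYSCALLS:
            counts[ev.auid] = counts.get(ev.auid, 0) + 1
    return counts


# Constructed sample: auid 1000 issues several invalid numbers, auid 1001 runs normal calls.
SAMPLE_EVENTS = [
    Event(0, 1000), Event(-1, 1000), Event(999, 1000), Event(4095, 1000),
    Event(1, 1001), Event(60, 1001),
]

if __name__ == "__main__":
    rule = parse_rule("-a exit,always -F auid=1000")
    print("rule covers:", rule.syscalls)
    kept = select_events([rule], SAMPLE_EVENTS, quick_exit=False)
    dropped = select_events([rule], SAMPLE_EVENTS, quick_exit=True)
    print(len(kept), "records without the quick exit,", len(dropped), "with it")
    print("unrecognized-number calls per auid:", unknown_syscall_counts(kept))
```

With the catch-all rule from the mail, the model records all four of auid 1000's calls without the quick exit and only the one valid call with it; the per-auid count of unrecognized numbers, which is the signal a detection rule would key on, is empty in the second case.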