From: Richard Du <duxiong@gmail.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: How to define audit rule for one bit *not* set for a syscall argument?
Date: Thu, 9 Mar 2023 10:07:14 +0800 [thread overview]
Message-ID: <CAH2vwOvV+vBOejtyKR8bsjV-7Voe32kvjuqF4wa_p2o-Wz1MBg@mail.gmail.com> (raw)
In-Reply-To: <12326100.O9o76ZdvQC@x2>
[-- Attachment #1.1: Type: text/plain, Size: 1559 bytes --]
Yes, the case is that we would like to filter out the "thread creation" and
only keep the "process creation", by excluding the CLONE_THREAD flag bit of
a0 of clone() syscall.
Without the audit comparator support for this case, we have to filter out
the "thread creation" in user space which introduces a performance penalty.
Regards,
Richard
On Thu, Mar 9, 2023 at 6:22 AM Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> On Wednesday, March 8, 2023 8:46:57 AM EST Richard Du wrote:
> > I'm trying to define an audit rule with auditctl for clone() syscall,
> and I
> > would expect that the a0 of clone() syscall (i.e. the clone_flags
> > argument) without the CLONE_THREAD flag bit being set.
> >
> > int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...
> > /* pid_t *parent_tid, void *tls, pid_t *child_tid */ );
> >
> > From man page of auditctl, -F option build a rule file: name, operation,
> > value.
> > -F [n=v | n!=v | n<v | n>v | n<=v | n>=v | n&v | n&=v]
> >
> > I can understand that, the n&v (Audit_bitmask) means any bit of a bitmast
> > is set, and the n&=v (Audit_bittest) means all bits of a bitmask are set.
> >
> > While my question is, how to build a rule which means "none of bit of a
> > bitmask is set", i.e. ( ! n&=v ). If the current audit comparator dosen't
> > support this, can we add the support in furture?
>
> The comparator does not support this. This is a corner case in which this
> is
> the first time someone ever needed it.
>
> -Steve
>
>
>
[-- Attachment #1.2: Type: text/html, Size: 2075 bytes --]
[-- Attachment #2: Type: text/plain, Size: 107 bytes --]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
prev parent reply other threads:[~2023-03-09 13:51 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-08 13:46 How to define audit rule for one bit *not* set for a syscall argument? Richard Du
2023-03-08 22:22 ` Steve Grubb
2023-03-09 2:07 ` Richard Du [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH2vwOvV+vBOejtyKR8bsjV-7Voe32kvjuqF4wa_p2o-Wz1MBg@mail.gmail.com \
--to=duxiong@gmail.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).