kern/152796: fcntl(2) audit records should not be labeled "file attribute modify"
Garrett Wollman
wollman at khavrinen.csail.mit.edu
Fri Dec 3 00:10:11 UTC 2010
>Number: 152796
>Category: kern
>Synopsis: fcntl(2) audit records should not be labeled "file attribute modify"
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 03 00:10:11 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Garrett Wollman
>Release: FreeBSD 8.1-RELEASE-p2 amd64
>Organization:
MIT Computer Science & Artificial Intelligence Lab
>Environment:
8.1 system with auditing turned on
>Description:
/etc/security/audit_class describes class 0x8 as "file
attribute modify". This seems like a reasonable thing to audit, but
unfortunately, all calls to fcntl(2) -- which does not modify any file
attributes -- are included in this category. Any program which uses
POSIX-style locking will flood the audit file with spurious audit
records, while the interesting system calls (those that call
VOP_SETATTR) will be buried. (And for whatever reason, auditreduce(1)
doesn't appear to perform as advertised when given the "-v" flag.)
>How-To-Repeat:
Enable auditing with class "fm". praudit /var/audit/current.
Hit ^C when all you see is "fcntl(2)".
>Fix:
Move fcntl to a different audit class (probably "other" or
maybe "ioctl").
>Release-Note:
>Audit-Trail:
>Unformatted:
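
The following is an added example, not part of the original report or of FreeBSD's own tooling: a shell sketch that lists which events an audit_event(5)-format file places in class "fm" and emits a copy with one event moved to another class, as the >Fix: section suggests. The sample records are constructed, and the target class abbreviation "ot" is an assumption standing in for the "other" class named in the report.

```shell
#!/bin/sh
# Added example: inspect and adjust class membership in an audit_event(5)-format
# file. Record layout: number:name:description:class[,class...]

# Constructed sample; event numbers are illustrative, not from a real system.
sample_audit_event() {
cat <<'EOF'
# constructed sample
30:AUE_FCNTL:fcntl(2):fm
10:AUE_CHMOD:chmod(2):fm
11:AUE_CHOWN:chown(2):fm
72:AUE_OPEN_R:open(2) - read:fr
EOF
}

# events_in_class CLASS < file
# Print "name<TAB>description" for each event whose class list contains CLASS.
events_in_class() {
    awk -F: -v cls="$1" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            n = split($4, c, ",")
            for (i = 1; i <= n; i++)
                if (c[i] == cls) { print $2 "\t" $3; break }
        }'
}

# reclass_event NAME OLD NEW < file
# Write the file to stdout with OLD replaced by NEW in NAME's class list only;
# comments and every other record pass through unchanged.
reclass_event() {
    awk -F: -v OFS=: -v ev="$1" -v old="$2" -v new="$3" '
        /^[ \t]*(#|$)/ || $2 != ev { print; next }
        {
            n = split($4, c, ","); out = ""
            for (i = 1; i <= n; i++) {
                if (c[i] == old) c[i] = new
                out = out (i > 1 ? "," : "") c[i]
            }
            $4 = out; print
        }'
}

echo "events in fm before:"
sample_audit_event | events_in_class fm
echo "events in fm after moving AUE_FCNTL to ot (assumed class name):"
sample_audit_event | reclass_event AUE_FCNTL fm ot | events_in_class fm
```

On a real system the functions would read /etc/security/audit_event on stdin; the output of reclass_event is a candidate replacement to review, not something the script installs.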