Re: Strange audit messages - whitespace

Re: Strange audit messages - whitespace

[Steve G]

>I get audit messages that look like this (with lots of 
>extra whitespace) for my new GConf domain. Any idea what 
>can cause this? 

This sounds like an old kernel bug. There was a patch on the audit mail list that
fixes it. It is pending being merged in the mm kernel. It only affects syslog  
messages. If you use the audit daemon, you won't see the problem.

-Steve Grubb


--- linux/kernel/audit.c.orig   2005-02-16 13:49:28.839925080 -0500
+++ linux/kernel/audit.c        2005-02-16 13:53:24.757060224 -0500
@@ -513,8 +513,8 @@
                if (!audit_pid) { /* No daemon */
                        int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
                        int len    = skb->len - offset;
-                       printk(KERN_ERR "%*.*s\n",
-                              len, len, skb->data + offset);
+                       skb->data[offset + len] = '\0';
+                       printk(KERN_ERR "%s\n", skb->data + offset);
                }
                kfree_skb(skb);
                ab->nlh = NULL;


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Strange audit messages - whitespace

[Stephen Smalley]

On Sun, 2005-04-24 at 09:28 -0700, Steve G wrote:
> >I get audit messages that look like this (with lots of 
> >extra whitespace) for my new GConf domain. Any idea what 
> >can cause this? 
> 
> This sounds like an old kernel bug. There was a patch on the audit mail list that
> fixes it. It is pending being merged in the mm kernel. It only affects syslog  
> messages. If you use the audit daemon, you won't see the problem.
> 
> -Steve Grubb
> 
> 
> --- linux/kernel/audit.c.orig   2005-02-16 13:49:28.839925080 -0500
> +++ linux/kernel/audit.c        2005-02-16 13:53:24.757060224 -0500
> @@ -513,8 +513,8 @@
>                 if (!audit_pid) { /* No daemon */
>                         int offset = ab->nlh ? NLMSG_SPACE(0) : 0;
>                         int len    = skb->len - offset;
> -                       printk(KERN_ERR "%*.*s\n",
> -                              len, len, skb->data + offset);
> +                       skb->data[offset + len] = '\0';
> +                       printk(KERN_ERR "%s\n", skb->data + offset);
>                 }
>                 kfree_skb(skb);
>                 ab->nlh = NULL;

Any reason that small bug fixes like this aren't upstreamed immediately
rather than waiting on the overall audit patchset?

Although I suppose that the real bug here is in printk's handling of the
"%*.*s" format, so either it should not support that format at all or
someone needs to find the bug in it and fix it.  Also, what does skb-
>data[offset+len] contain prior to setting it to the NUL character as
above?
 

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Strange audit messages - whitespace

[Chris Wright]

* Stephen Smalley (sds@tycho.nsa.gov) wrote:
> Any reason that small bug fixes like this aren't upstreamed immediately
> rather than waiting on the overall audit patchset?

No good reason.  I actually thought it went upstream already.  I'll push
it.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Strange audit messages - whitespace

[Steve G]

>IIRC, this is believed to be a bug in the handling of the "%*.*s" format
>by printk as used by the kernel audit framework.

Yes.

>What's the status on getting the patch by Peter Martucelli to eliminate that 
>usage upstreamed?

It got dropped from the -mm tree because of merge problems with Andi's code.
Andrew said it will be picked up again. So I'd say it will land in 2.6.13. In any
event, we are trying to get all the patches that were in the mm tree and dropped
into FC4 kernel this week. This includes the comm/exe patch.

-Steve Grubb

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Strange audit messages - whitespace

[Stephen Smalley]

On Sat, 2005-04-23 at 21:34 -0400, Ivan Gyurdiev wrote:
> I get audit messages that look like this (with lots of extra whitespace)
> for my new GConf domain. Any idea what can cause this? 
> 
> audit(1114306264.184:0): avc:  denied  { connectto } for  pid=21975
> exe=/usr/libexec/gconfd-2
> 
> audit(1114306274.010:0): avc:  denied  { write } for  pid=21975
> exe=/usr/libexec/gconfd-2

IIRC, this is believed to be a bug in the handling of the "%*.*s" format
by printk as used by the kernel audit framework.  What's the status on
getting the patch by Peter Martucelli to eliminate that usage
upstreamed?

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Strange audit messages - whitespace

[Ivan Gyurdiev]

I get audit messages that look like this (with lots of extra whitespace)
for my new GConf domain. Any idea what can cause this? 

audit(1114306264.184:0): avc:  denied  { connectto } for  pid=21975
exe=/usr/libexec/gconfd-2

audit(1114306274.010:0): avc:  denied  { write } for  pid=21975
exe=/usr/libexec/gconfd-2


-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.