Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
fuzz testing lets kernel audit complains in the linkat syscall only
11 views
Skip to first unread message
Toralf Förster
May 20, 2013, 4:40:03 PM5/20/13
to
While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.
If this is intended - please press the delete button now.
Not ? Ok.
At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146
when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat
(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),
The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
���T̫̺̳o̬̜ ì̬͎̲̟nvoke ̬ͅt̕he ḥi̼̦͈̼ve-m̷̘̝̱í͚̞̦̳nd rep͇re̴s̥ent̺̞̰i͟n̮̦̖̟g ̳chaós. I̠͍̮n͇̹̪̬vo̸ki͜ng͙ ̠̥ͅt̰͖͞h̫̼̪e̟̩̝ fe̤͇̝̱elin̸̰g ͍of̖͓̦̥ ̘͘ch͝ao͙̟s̤̞. Wi͖͖͡ͅt̘̯͘h ̭̪̕oṳ̞̭̤t̨͚̥̗ orde͓͖̝̙r. ̣̭T̪̩̼he̫̯͜ ̨N̟e͔̤zp̮̭͈̟é͉͈ṛdi̞á͕̹
(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).
FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.
--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.
If this is intended - please press the delete button now.
Not ? Ok.
At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146
when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat
(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),
The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
���T̫̺̳o̬̜ ì̬͎̲̟nvoke ̬ͅt̕he ḥi̼̦͈̼ve-m̷̘̝̱í͚̞̦̳nd rep͇re̴s̥ent̺̞̰i͟n̮̦̖̟g ̳chaós. I̠͍̮n͇̹̪̬vo̸ki͜ng͙ ̠̥ͅt̰͖͞h̫̼̪e̟̩̝ fe̤͇̝̱elin̸̰g ͍of̖͓̦̥ ̘͘ch͝ao͙̟s̤̞. Wi͖͖͡ͅt̘̯͘h ̭̪̕oṳ̞̭̤t̨͚̥̗ orde͓͖̝̙r. ̣̭T̪̩̼he̫̯͜ ̨N̟e͔̤zp̮̭͈̟é͉͈ṛdi̞á͕̹
(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).
FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.
--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
Toralf Förster
May 20, 2013, 5:10:02 PM5/20/13
to
On 05/20/2013 10:34 PM, Toralf Förster wrote:
> While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
> about a file in the syscall "unlinkat" - but audit does not complain when that file
> was created/modified etc.
sry - forget that mail, symlinkat and readlinkat give now audit logs too.
> While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
> about a file in the syscall "unlinkat" - but audit does not complain when that file
> was created/modified etc.
--
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
0 new messages