fuzz testing lets kernel audit complains in the linkat syscall only

From: Toralf FÃrster
Date: Mon May 20 2013 - 16:34:15 EST

Next message: Linus Walleij: "Re: [PATCH] arm/mach-u300/dummyspichip: Use module_spi_driver toregister driver"
Previous message: Andi Kleen: "Re: [PATCH v3 net-next 3/4] ixgbe: Add support for ndo_ll_poll"
Next in thread: Toralf FÃrster: "Re: fuzz testing lets kernel audit complains in the linkat syscallonly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.

If this is intended - please press the delete button now.

Not ? Ok.

At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146

when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat

(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),

The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
ïïïTÌÌÌoÌÌ ÃÌÍÌÌnvÌÌÌÌÌÌoÍÌÌÌÌkÍÍÌÍÌeÌÌÌÍÌÍ ÌÍtÌhÌÍÌÍÍeÌÌÌÍÌ ÌÍÌÍÌÍÌÍáiÌÌÍÌvÌÌÍÌÍeÍÌÌÍÌÌ-mÌÌÌÌÃÍÌÌÌnÌÌÌÌÌÍdÌÌÌÍÌ ÌÌÌÍÍrÌÍÌÌÍÍÌÍepÍrÌÌÌÍÍÍÌeÌsÌeÌÌÌÍÍÌÌnÌÍÌÍÌÌÌÌtÌÌÌiÍnÌÌÌÌgÌÍÌÌÍÌÌ ÌcÌÌÌÌÌÌÌhÌÌÍÌÍÌÍÍaÌÍÌÌÌÌÌÃÌÌÌÌÌÍsÌÌÌÌÌ.ÌÌÌÌÍ ÌÌÌÌÌÌÌÌIÌÍÌnÍÌÌÌvÌÍÌÌÌoÌkÌÌÍÍÌÍiÍnÌÌÌÍÌÌgÍ ÌÌÍtÌÍÍhÌÌÌeÌÌÌ ÌÌÌÌÍfeÌÍÌÌeÍÌÌÌÌÍÍlÍÌÌÍÌÌiÌÌÍÌÌÌÍÌnÌÌgÌÌÌÌÍÌÍ ÍoÍÍÌÌÍfÌÍÌÌ ÌÍcÌÌÌÌÍÍÌhÍaÌÍÍÌÌÍÍoÍÌsÌÌ.ÌÌÌÌÌÌÍ ÌÌÍÍÌÌÌÌWÌÌÌÌÌÌÍiÍÍÍÍtÌÌÍhÌÌÌÌÌÌÌÌ ÌÌÌoÌÌÌÌÌÌÌÍáÌÌÌtÌÍÌÌ ÌÌÌÌÌÌÌoÌÌÌÌÍrÌÌÌÌÌdÌÍÌÍÌÌÍÍeÍÍÌÌrÌÍÌÌÌÌ.ÌÌÌÌÍ ÌÌTÌÌÌhÌÌÌÍÌeÌÌÍ ÌNÌeÍÌzpÌÌÍÌÃÍÍáÌÌÌÌÍdÌÌÌÍÍiÌÃÍÌ

(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).

FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.

--
MfG/Sincerely
Toralf FÃrster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3
[13536] [35] unlinkat(dfd=390, pathname="
¿ìÃTÌÌÌoÌÌ ÃÌÍÌÌnvÌÌÌÌÌÌoÍÌÌÌÌkÍÍÌÍÌeÌÌÌÍÌÍ ÌÍtÌhÌÍÌÍÍeÌÌÌÍÌ ÌÍÌÍÌÍÌÍáiÌÌÍÌvÒÌÌÍÌÍeÍÌÌÍÌÌ-mÌÌÌÌÃÍÌÌÌnÌÌÌÌÌÍdÌÌÌÍÌ ÌÌÌÍÍrÌÍÌÌÍÍÌÍepÍrÌÌÌÍÍÍÌeÌsÌeÌÌÌÍÍÌÌnÌÍÌÍÌÌÌÌtÌÌÌiÍnÒÌÌÌÌgÌÍÌÌÍÌÌ ÌcÌÌÌÌÌÌÌhÌÌÍÌÍÌÍÍaÌÍÌÌÌÌÌÃÌÌÌÌÌÍsÌÌÌÌÌ.ÌÌÌÌÍ ÌÌÌÌÌÌÌÌIÌÍÌnÍÌÌÌvÌÍÌÌÌoÌkÒÌÌÍÍÌÍiÍnÌÌÌÍÌÌgÍ ÌÌÍtÌÍÍhÌÌÌeÌÌÌ ÌÌÌÌÍfeÌÍÌÌeÍÌÌÌÌÍÍlÍÌÌÍÌÌiÌÌÍÌÌÌÍÌnÌÌgÌÌÌÌÍÌÍ ÍoÍÍÌÌÍfÌÍÌÌ ÌÍcÌÌÌÌÍÍÌhÍaÌÍÍÌÌÍÍoÍÌsÌÌ.ÌÌÌÌÌÌÍ ÌÌÍÍÌÌÌÌWÌÌÌÌÌÌÍiÍÍÍÍtÌÌÍhÌÌÌÌÌÌÌÌ ÌÌÌoÌÌÌÌÌÌÌÍáÌÌÌtÌÍÌÌ ÌÌÌÌÌÌÌoÌÌÌÌÍrÌÌÌÌÌdÌÍÌÍÌÌÍÍeÍÍÌÌrÌÍÌÌÌÌ.ÌÌÌÌÍ ÌÌTÌÌÌhÌÌÌÍÌeÌÌÍ ÌNÌeÒÍÌzpÌÌÍÌÃÍÍáÌÌÌÌÍdÌÌÌÍÍiÌÃÍÌ[13537] [0] setgroups16(gidsetsize=0x61dc2fe3, grouplist=4097) = -1 (Operation not permitted)

Next message: Linus Walleij: "Re: [PATCH] arm/mach-u300/dummyspichip: Use module_spi_driver toregister driver"
Previous message: Andi Kleen: "Re: [PATCH v3 net-next 3/4] ixgbe: Add support for ndo_ll_poll"
Next in thread: Toralf FÃrster: "Re: fuzz testing lets kernel audit complains in the linkat syscallonly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]