[Bug 228374] auditpipe(4) does not emit lgeth(2) and chflagsat(2)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun May 20 11:23:34 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228374

            Bug ID: 228374
           Summary: auditpipe(4) does not emit lgeth(2) and chflagsat(2)
           Product: Base System
           Version: CURRENT
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: tests
          Assignee: testing at freebsd.org
          Reporter: aniketp at iitk.ac.in

Overview
--------------
While creating a test suite for the audit framework, I noticed that two system
calls,

* lgetfh(2) : Get file handle of a symbolic link
* chflagsat(2): Change file-flags' variant

do not get audited even if the system-wide audit mask is set according to each
system call, i.e. "fm" for chflagsat(2) and "fa" for lgetfh(2).

Steps to reproduce (For lgetfh(2), can be done similarly for chflagsat(2))
----------------------------
1) Set "flag:fa" in "/etc/security/audit_control"
2) Enter 'praudit /dev/auditpipe | grep "lgetfh"' in a separate window; this
will wait for any event to occur.
3) Compile and execute this code snippet: https://pastebin.com/EwstzSUz

Expected Result
------------------------
You'll not notice anything in the praudit window, signifying that the lgetfh(2)
audit event was not emitted by the auditpipe(4).

Additional Information
---------------------------------
1) To confirm that lgetfh(2) was actually triggered, run the following before
executing the code:
"sudo dtrace -i syscall:freebsd:lgetfh:entry"

This will match an lgetfh(2) probe.

2) The system call "getfh" is audited as "nfs_getfh" which has a different
audit class altogether.

-- 
You are receiving this mail because:
You are the assignee for the bug.
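
The check in the steps above greps praudit output for a syscall name. As an added example (not part of the original report or of the FreeBSD test suite), the same check can be done per audit record with an exact match on the header's event field, so that "nfs_getfh" is never counted as "lgetfh" and a record cut off before its trailer is not counted at all. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed praudit(1) default-format output, not captured from a real system.
# The last record has no trailer, to exercise the incomplete-record case.
SAMPLE = """\
header,113,11,nfs_getfh(2),0,Sun May 20 11:23:30 2018, + 412 msec
path,/tmp/audit_test/file
subject,root,root,wheel,root,wheel,1402,1398,0,0.0.0.0
return,success,0
trailer,113
header,120,11,chflags(2),0,Sun May 20 11:23:31 2018, + 87 msec
path,/tmp/audit_test/file
subject,root,root,wheel,root,wheel,1403,1398,0,0.0.0.0
return,success,0
trailer,120
header,96,11,fchdir(2),0,Sun May 20 11:23:32 2018, + 5 msec
subject,root,root,wheel,root,wheel,1404,1398,0,0.0.0.0
"""

EVENT_NAME = re.compile(r"^([A-Za-z0-9_]+)\(\d\)")  # "lgetfh(2)" -> "lgetfh"

def parse_records(text):
    """Group praudit token lines into complete header..trailer records."""
    records, current = [], None
    for line in text.splitlines():
        fields = line.strip().split(",")
        if fields[0] == "header" and len(fields) > 3:
            # A header seen before a trailer discards the unfinished record.
            m = EVENT_NAME.match(fields[3])
            current = {"event": m.group(1) if m else fields[3],
                       "paths": [], "status": None}
        elif current is None:
            continue  # token line outside any record
        elif fields[0] == "path":
            current["paths"].append(line.strip().partition(",")[2])
        elif fields[0] == "return" and len(fields) > 1:
            current["status"] = fields[1]
        elif fields[0] == "trailer":
            records.append(current)
            current = None
    return records

def missing_events(text, expected):
    """Return expected syscall names with no complete audit record (exact match)."""
    seen = {r["event"] for r in parse_records(text)}
    return [name for name in expected if name not in seen]

if __name__ == "__main__":
    print(missing_events(SAMPLE, ["lgetfh", "chflagsat", "chflags", "nfs_getfh"]))
```

On a live system the input would be text saved from praudit reading /dev/auditpipe while the test program runs.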

