Fixed
Created: Mar 30, 2022
Updated: Oct 22, 2025
Resolved Date: Aug 18, 2025
Found In Version: 10.21.20.1
Severity: Standard
Applicable for: Wind River Linux LTS 21
Component/s: Kernel
A flaw was found in the Linux kernel's implementation of audit rules, where a syscall can unexpectedly not be correctly logged by the audit subsystem.
========Wind River Notice========
Upstream currently has no fix, so we provide a workaround:
Use audit rules to force the open_by_handle_at syscall to be recorded in the system log.
1. Add the following configuration to /etc/audit/rules.d/audit.rules:
-a always,exit -F arch=b64 -S open_by_handle_at -k open_by_handle_monitor
-a always,exit -F arch=b64 -S open_by_handle_at -F success=0 -k open_by_handle_fail
2. Reload the audit rules with "augenrules --load".
3. Double-check that the rules were accepted by auditd: auditctl -l | grep open_by_handle_at
4. Use the following test code to verify the audit log:
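#define _GNU_SOURCE   /* required for open_by_handle_at() and struct file_handle */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* Just testing with an invalid parameter: the call fails,
       but the syscall is still issued and should be audited. */
    struct file_handle *fh = NULL;
    int fd = open_by_handle_at(AT_FDCWD, fh, O_RDONLY);
    if (fd < 0) {
        perror("open_by_handle_at failed");
    } else {
        printf("open_by_handle_at succeeded, fd=%d\n", fd);
        close(fd);
    }
    return 0;
}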
5. Expected result:
Run the test code, then check the audit log with ausearch:
ausearch -k open_by_handle_monitor
The result should look like this:
----
time->Mon Sep 15 09:53:41 2025
type=PROCTITLE msg=audit(1757930021.239:50): proctitle=2F7362696E2F617564697463746C002D52002F6574632F61756469742F61756469742E72756C6573
type=SYSCALL msg=audit(1757930021.239:50): arch=c000003e syscall=44 success=yes exit=1080 a0=3 a1=7ffd4b9d1200 a2=438 a3=0 items=0 ppid=625 pid=643 auid=4294)
type=CONFIG_CHANGE msg=audit(1757930021.239:50): auid=4294967295 ses=4294967295 op=add_rule key="open_by_handle_monitor" list=4 res=1
----
time->Mon Sep 15 09:54:05 2025
type=PROCTITLE msg=audit(1757930045.396:52): proctitle="./op"
type=SYSCALL msg=audit(1757930045.396:52): arch=c000003e syscall=304 success=no exit=-14 a0=ffffff9c a1=0 a2=0 a3=0 items=0 ppid=511 pid=653 auid=4294967295 "
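
The check in step 5 can be scripted. The following is an added example, not part of the Wind River notice: it scans audit records for x86_64 open_by_handle_at events (arch=c000003e syscall=304, as in the log above) and exits non-zero when none is present. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notice): confirm that audit output
# contains an x86_64 open_by_handle_at event, arch=c000003e syscall=304.

# find_obha (hypothetical name): read audit records on stdin, print one
# summary line per matching SYSCALL record, return 1 if none matched.
find_obha() {
    awk '
        $1 == "type=SYSCALL" {
            arch = sc = ok = rc = pid = id = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "msg")     id   = kv[2]
                if (kv[1] == "arch")    arch = kv[2]
                if (kv[1] == "syscall") sc   = kv[2]
                if (kv[1] == "success") ok   = kv[2]
                if (kv[1] == "exit")    rc   = kv[2]
                if (kv[1] == "pid")     pid  = kv[2]
            }
            if (arch == "c000003e" && sc == "304") {
                # Reduce "audit(TIME:SERIAL):" to "TIME:SERIAL".
                sub(/^audit\(/, "", id); sub(/\):$/, "", id)
                printf "%s pid=%s success=%s exit=%s\n", id, pid, ok, rc
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# sample_records: constructed records shaped like the log above.
# The first is an unrelated syscall, the second is the failed test call.
sample_records() {
    cat <<'EOF'
----
type=PROCTITLE msg=audit(1700000000.100:10): proctitle="auditctl"
type=SYSCALL msg=audit(1700000000.100:10): arch=c000003e syscall=44 success=yes exit=1080 a0=3 a1=0 a2=438 a3=0 items=0 ppid=1 pid=1000 key="open_by_handle_monitor"
----
type=PROCTITLE msg=audit(1700000000.200:11): proctitle="./op"
type=SYSCALL msg=audit(1700000000.200:11): arch=c000003e syscall=304 success=no exit=-14 a0=ffffff9c a1=0 a2=0 a3=0 items=0 ppid=1 pid=1001 key="open_by_handle_monitor"
EOF
}

# On a live system: ausearch -k open_by_handle_monitor | find_obha
sample_records | find_obha
```

An exit value of -14 is EFAULT, which is what the test program's NULL handle produces; a non-zero return from find_obha means no open_by_handle_at record was found and the rules are not taking effect.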