
Add link and linkat syscalls to normalizations#177

Merged
andrewkroh merged 4 commits intoelastic:mainfrom
rafiyr:main
Mar 17, 2025

@rafiyr

@rafiyr rafiyr commented Mar 14, 2025

These are the syscalls used for creating hard links.

@rafiyr

rafiyr commented Mar 14, 2025

To test: running `ln file.src file.dest` will generate linkat events. For link:

#include <unistd.h>
int main(int argc, char * argv[]) {
  return link(argv[1], argv[2]);
}

@andrewkroh

/test


@andrewkroh andrewkroh left a comment


LGTM. I ran the provided program to generate a log sample, and have included that log in the test data for the aucoalesce package.

@andrewkroh andrewkroh requested a review from a team March 14, 2025 20:28
@andrewkroh andrewkroh added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Mar 14, 2025
@elasticmachine

💚 Build Succeeded

@andrewkroh andrewkroh merged commit 28d994d into elastic:main Mar 17, 2025
3 checks passed
@rafiyr

rafiyr commented Mar 17, 2025

@andrewkroh Those test results do not look quite right: that C program only exercises one of the two syscalls, and my suggestion was to use "ln" for the other. Also, the resulting audit record looks like a failure rather than the successful link calls.

I wrote a couple of more explicit test programs: one that uses the normal libc calls, and a version that makes the syscalls explicitly:

#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>

int main(int argc, const char *argv[])
{
        if (linkat(AT_FDCWD, argv[1], AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "linkat", errno,
                       strerror(errno));
                return 1;
        }
        if (unlinkat(AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "unlinkat", errno,
                       strerror(errno));
                return 1;
        }
        if (link(argv[1], argv[2])) {
                printf("%s failed with error %d, %s\n", "link", errno,
                       strerror(errno));
                return 1;
        }
        if (unlinkat(AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "unlinkat", errno,
                       strerror(errno));
                return 1;
        }
        return 0;
}

Result:

type=SYSCALL msg=audit(1742228632.799:221): arch=c000003e syscall=265 success=yes exit=0 a0=ffffff9c a1=7ffd10653791 a2=ffffff9c a3=7ffd10653793 items=3 ppid=3609784 pid=3609895 auid=36847 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts6 ses=2 comm="link_test" exe="/tmp/test/link_test" subj=unconfined key=(null)ARCH=x86_64 SYSCALL=linkat AUID="rafi" UID="tester" GID="tester" EUID="tester" SUID="tester" FSUID="tester" EGID="tester" SGID="tester" FSGID="tester"
type=CWD msg=audit(1742228632.799:221): cwd="/tmp/test"
type=PATH msg=audit(1742228632.799:221): item=0 name="/tmp/test" inode=131242 dev=00:28 mode=040775 ouid=1004 ogid=1004 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228632.799:221): item=1 name="a" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228632.799:221): item=2 name="b" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PROCTITLE msg=audit(1742228632.799:221): proctitle=2E2F6C696E6B5F7465737400610062
type=SYSCALL msg=audit(1742228632.799:222): arch=c000003e syscall=86 success=yes exit=0 a0=7ffd10653791 a1=7ffd10653793 a2=7ffd10653793 a3=3 items=3 ppid=3609784 pid=3609895 auid=36847 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts6 ses=2 comm="link_test" exe="/tmp/test/link_test" subj=unconfined key=(null)ARCH=x86_64 SYSCALL=link AUID="rafi" UID="tester" GID="tester" EUID="tester" SUID="tester" FSUID="tester" EGID="tester" SGID="tester" FSGID="tester"
type=CWD msg=audit(1742228632.799:222): cwd="/tmp/test"
type=PATH msg=audit(1742228632.799:222): item=0 name="/tmp/test" inode=131242 dev=00:28 mode=040775 ouid=1004 ogid=1004 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228632.799:222): item=1 name="a" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228632.799:222): item=2 name="b" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PROCTITLE msg=audit(1742228632.799:222): proctitle=2E2F6C696E6B5F7465737400610062

syscall version:

#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <sys/syscall.h>

int main(int argc, const char *argv[])
{
        if (syscall(SYS_linkat, AT_FDCWD, argv[1], AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "linkat", errno,
                       strerror(errno));
                return 1;
        }
        if (unlinkat(AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "unlinkat", errno,
                       strerror(errno));
                return 1;
        }
        if (syscall(SYS_link, argv[1], argv[2])) {
                printf("%s failed with error %d, %s\n", "link", errno,
                       strerror(errno));
                return 1;
        }
        if (unlinkat(AT_FDCWD, argv[2], 0)) {
                printf("%s failed with error %d, %s\n", "unlinkat", errno,
                       strerror(errno));
                return 1;
        }
        return 0;
}

Results:

type=SYSCALL msg=audit(1742228599.562:218): arch=c000003e syscall=265 success=yes exit=0 a0=ffffff9c a1=7fff00fd3789 a2=ffffff9c a3=7fff00fd378b items=3 ppid=3609784 pid=3609848 auid=36847 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts6 ses=2 comm="sys_link_test" exe="/tmp/test/sys_link_test" subj=unconfined key=(null)ARCH=x86_64 SYSCALL=linkat AUID="rafi" UID="tester" GID="tester" EUID="tester" SUID="tester" FSUID="tester" EGID="tester" SGID="tester" FSGID="tester"
type=CWD msg=audit(1742228599.562:218): cwd="/tmp/test"
type=PATH msg=audit(1742228599.562:218): item=0 name="/tmp/test" inode=131242 dev=00:28 mode=040775 ouid=1004 ogid=1004 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228599.562:218): item=1 name="a" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228599.562:218): item=2 name="b" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PROCTITLE msg=audit(1742228599.562:218): proctitle=2E2F7379735F6C696E6B5F7465737400610062
type=SYSCALL msg=audit(1742228599.562:219): arch=c000003e syscall=86 success=yes exit=0 a0=7fff00fd3789 a1=7fff00fd378b a2=7f1af3e16e67 a3=0 items=3 ppid=3609784 pid=3609848 auid=36847 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts6 ses=2 comm="sys_link_test" exe="/tmp/test/sys_link_test" subj=unconfined key=(null)ARCH=x86_64 SYSCALL=link AUID="rafi" UID="tester" GID="tester" EUID="tester" SUID="tester" FSUID="tester" EGID="tester" SGID="tester" FSGID="tester"
type=CWD msg=audit(1742228599.562:219): cwd="/tmp/test"
type=PATH msg=audit(1742228599.562:219): item=0 name="/tmp/test" inode=131242 dev=00:28 mode=040775 ouid=1004 ogid=1004 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228599.562:219): item=1 name="a" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PATH msg=audit(1742228599.562:219): item=2 name="b" inode=131245 dev=00:28 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="tester" OGID="tester"
type=PROCTITLE msg=audit(1742228599.562:219): proctitle=2E2F7379735F6C696E6B5F7465737400610062
