OpenSolaris

Bug ID 6743863
Synopsis *c2audit* panics system when flushing non-existent policy
State 10-Fix Delivered (Fix available in build)
Category:Subcategory audit:kernel
Keywords gse-sec-team | immutable-service-containers | punchin
Responsible Engineer Paul Wernau
Reported Against snv_95
Duplicate Of
Introduced In solaris_nevada
Commit to Fix snv_99
Fixed In snv_99
Release Fixed solaris_nevada(snv_99) , solaris_10u7(s10u7_02) (Bug ID:2168260)
Related Bugs 6528002
Submit Date 2-September-2008
Last Update Date 13-May-2009
Description
After enabling Solaris auditing on Solaris Nevada build 95 (Ultra 24 - Intel), I am no longer able to use "punchin" to establish a VPN connection into Sun.  Upon attempting to use "punchin" the system panics:

Sep  2 12:46:10 gateway ^Mpanic[cpu2]/thread=ffffff000b6d1c80: 
Sep  2 12:46:10 gateway genunix: [ID 335743 kern.notice] BAD TRAP: type=e (#pf Page fault) rp=ffffff000b6d1770 addr=548 occurred in module "unix" due to a NULL pointer dereference
Sep  2 12:46:10 gateway unix: [ID 100000 kern.notice] 
Sep  2 12:46:10 gateway unix: [ID 839527 kern.notice] sched: 
Sep  2 12:46:10 gateway unix: [ID 753105 kern.notice] #pf Page fault
Sep  2 12:46:10 gateway unix: [ID 532287 kern.notice] Bad kernel fault at addr=0x548
Sep  2 12:46:10 gateway unix: [ID 243837 kern.notice] pid=0, pc=0xfffffffffb8441fc, sp=0xffffff000b6d1860, eflags=0x10286
Sep  2 12:46:10 gateway unix: [ID 211416 kern.notice] cr0: 8005003b<pg,wp,ne,et,ts,mp,pe> cr4: 6f8<xmme,fxsr,pge,mce,pae,pse,de>
Sep  2 12:46:10 gateway unix: [ID 624947 kern.notice] cr2: 548
Sep  2 12:46:10 gateway unix: [ID 625075 kern.notice] cr3: 3400000
Sep  2 12:46:10 gateway unix: [ID 625715 kern.notice] cr8: c
Sep  2 12:46:10 gateway unix: [ID 100000 kern.notice] 
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	rdi:                0 rsi:                0 rdx:                0
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	rcx:                0  r8:                2  r9: ffffff0263093de0
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	rax: ffffff000b6d1c80 rbx:                0 rbp: ffffff000b6d1870
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	r10: ffffff02633f13a0 r11:         ffffffff r12: ffffff000b6d1908
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	r13:                0 r14:                0 r15:                0
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	fsb:                0 gsb: ffffff024dc97580  ds:               4b
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	 es:               4b  fs:                0  gs:              1c3
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	trp:                e err:                0 rip: fffffffffb8441fc
Sep  2 12:46:10 gateway unix: [ID 592667 kern.notice] 	 cs:               30 rfl:            10286 rsp: ffffff000b6d1860
Sep  2 12:46:10 gateway unix: [ID 266532 kern.notice] 	 ss:               38
Sep  2 12:46:10 gateway unix: [ID 100000 kern.notice] 
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1650 unix:die+c8 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1760 unix:trap+13b9 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1770 unix:cmntrap+e9 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1870 unix:lwp_getdatamodel+c ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d18c0 c2audit:add_return_token+3f ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d19c0 c2audit:audit_pf_policy+389 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1a30 spdsock:spdsock_flush+105 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1af0 spdsock:spdsock_parse+2ba ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1b20 spdsock:spdsock_loadcheck+46 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1b80 genunix:qcallbwrapper+342 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1bd0 genunix:callout_execute+bf ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1c60 genunix:taskq_thread+1a7 ()
Sep  2 12:46:10 gateway genunix: [ID 655072 kern.notice] ffffff000b6d1c70 unix:thread_start+8 ()
Sep  2 12:46:10 gateway unix: [ID 100000 kern.notice] 
Sep  2 12:46:10 gateway genunix: [ID 672855 kern.notice] syncing file systems...
Sep  2 12:46:10 gateway genunix: [ID 733762 kern.notice]  6
Sep  2 12:46:11 gateway genunix: [ID 733762 kern.notice]  4
Sep  2 12:46:12 gateway genunix: [ID 904073 kern.notice]  done
Sep  2 12:46:13 gateway genunix: [ID 111219 kern.notice] dumping to /dev/dsk/c1d0s1, offset 2097479680, content: kernel
Sep  2 12:46:20 gateway genunix: [ID 409368 kern.notice] ^M100% done: 148022 pages dumped, compression ratio 4.63, 
Sep  2 12:46:20 gateway genunix: [ID 851671 kern.notice] dump succeeded

I have attached a few key files to this CR.  Let me know if you need any other files, output, etc.
Work Around
## 08/09/02 gww ##
Don't preselect for the "as" audit class
or remap
295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:as
296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:as
297:AUE_PF_POLICY_CLONE:Clone IPsec policy:as
298:AUE_PF_POLICY_FLIP:Flip IPsec policy:as
299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:as
300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:as

to something not preselected.

Gary..
If you look at my attached files, you will see that I had selected:

   flags: lo,ad,ex

in audit_control, and:

   root:lo:no

in audit_user.  That's it.  So, in terms of workarounds, do you need to be sure the administrative meta-classes are also
not selected (ad and perhaps am)?  Is this accurate or will remapping the events currently in "as" to something else cause
them to get automagically excluded by "ad"?
A simple workaround is this:

echo "{raddr 1.1.1.1 dir both} bypass {}" > /etc/inet/ipsecinit.conf
reboot

Now you have policy on boot.

Alternatively, before using punchin or running ipsecconf -f, run this:

echo "{raddr 1.1.1.1 dir both} bypass {}" | ipsecconf -a -

which will load a policy.
## 08/09/03 gww ##
Yes I looked at the attached files.  That's why I asked for them.
"ad" is a meta class that includes "as", feel free to choose
the individual classes except for "as".

VIZ. ss,ua,aa

OR the alternative is to remap for example to "no"

VIZ.
295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:no
296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:no
297:AUE_PF_POLICY_CLONE:Clone IPsec policy:no
298:AUE_PF_POLICY_FLIP:Flip IPsec policy:no
299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:no
300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:no

And then reload the kernel event to class mappings.
VIZ.
sync;sync;reboot

Gary..
Gary, the workaround I posted before your update (having an ipsec policy that does nothing) is actually much better because it retains the auditing of the as class.
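
Added example, not part of the original bug record or of the Solaris source: a shell check for the preselection question raised in the workaround thread above. It shows that flags of lo,ad,ex still select the AUE_PF_POLICY_* events because the ad mask covers as, and that remapping those events to no removes them. The audit_class masks and the AUE_EXAMPLE entry are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in /etc/security/audit_class format (mask:name:description).
# Masks are illustrative assumptions; read the real file on the target system.
AUDIT_CLASS='0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00010000:ss:change system state
0x00020000:as:system-wide administration
0x00040000:ua:user administration
0x00080000:aa:audit utilization
0x000f0000:ad:old administrative (meta-class)
0x40000000:ex:exec'
# audit_event entries 295-300 as quoted on this page, plus one constructed entry.
AUDIT_EVENT='295:AUE_PF_POLICY_ADDRULE:Add IPsec policy rule:as
296:AUE_PF_POLICY_DELRULE:Delete IPsec policy rule:as
297:AUE_PF_POLICY_CLONE:Clone IPsec policy:as
298:AUE_PF_POLICY_FLIP:Flip IPsec policy:as
299:AUE_PF_POLICY_FLUSH:Flush IPsec policy rules:as
300:AUE_PF_POLICY_ALGS:Update IPsec algorithms:as
9999:AUE_EXAMPLE:constructed non-IPsec event:lo'

# OR together the masks of a comma-separated class list (e.g. "lo,ad,ex").
# Leading + / - qualifiers are stripped; ^ modifiers are not handled here.
classes_mask() {
  total=0
  for c in $(printf '%s' "$1" | tr ',' ' '); do
    c=${c#[+-]}
    m=$(printf '%s\n' "$AUDIT_CLASS" | awk -F: -v c="$c" '$2 == c { print $1; exit }')
    if [ -n "$m" ]; then total=$(( total | $m )); fi
  done
  printf '%d\n' "$total"
}

# Print each AUE_PF_POLICY_* event whose class mask intersects the flags mask.
# $1 = value of the flags line, $2 = audit_event text
preselected_pf_events() {
  fm=$(classes_mask "$1")
  printf '%s\n' "$2" | while IFS=: read -r num name desc classes; do
    case $name in AUE_PF_POLICY_*) ;; *) continue ;; esac
    em=$(classes_mask "$classes")
    if [ $(( em & fm )) -ne 0 ]; then printf '%s\n' "$name"; fi
  done
}

# Rewrite the class field of every AUE_PF_POLICY_* entry ($1 = text, $2 = class).
remap_pf_events() {
  printf '%s\n' "$1" | awk -F: -v OFS=: -v c="$2" '$2 ~ /^AUE_PF_POLICY_/ { $4 = c } { print }'
}
```

Calling preselected_pf_events "lo,ad,ex" "$AUDIT_EVENT" lists all six IPsec policy events, while flags of lo,ss,ua,aa,ex or the output of remap_pf_events "$AUDIT_EVENT" no yields none.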
Comments
N/A