syscall_in_syscall will return true if we're in a real syscall and will return false if we're not in a syscall. If we're in a bad syscall, the return value can vary.
The idea is to use this to come up with a much simpler replacement for syscall auditing. Signed-off-by: Andy Lutomirski <l...@amacapital.net> --- arch/x86/Kconfig | 1 + arch/x86/include/asm/syscall.h | 21 +++++++++++++++++++++ init/Kconfig | 3 +++ 3 files changed, 25 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 25d2c6f..e2602d4 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -130,6 +130,7 @@ config X86 select HAVE_CC_STACKPROTECTOR select GENERIC_CPU_AUTOPROBE select HAVE_ARCH_AUDITSYSCALL + select HAVE_SYSCALL_IN_SYSCALL config INSTRUCTION_DECODER def_bool y diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h index d6a756a..91e38b3 100644 --- a/arch/x86/include/asm/syscall.h +++ b/arch/x86/include/asm/syscall.h @@ -23,6 +23,27 @@ typedef void (*sys_call_ptr_t)(void); extern const sys_call_ptr_t sys_call_table[]; +/** + * syscall_in_syscall() - are we in a syscall context? + * @task: The task to query. + * @regs: The task's pt_regs. + * + * This checks whether we are in a syscall. If it returns true, then + * syscall_get_nr(), etc are usable and the current task is guaranteed + * to either die or to go through the syscall exit path when the syscall + * is done. + * + * If it returns false, no particular guarantees are made. In + * particular, a malicious task can issue a syscall that causes + * syscall_in_syscall to return false. Such a syscall won't do much, + * but it can still cause tracing code and such to run. + */ +static inline bool syscall_in_syscall(struct task_struct *task, + struct pt_regs *regs) +{ + return regs->orig_ax != -1; +} + /* * Only the low 32 bits of orig_ax are meaningful, so we return int. * This importantly ignores the high bits on 64-bit, so comparisons diff --git a/init/Kconfig b/init/Kconfig index 9d3585b..bad2053 100644 --- a/init/Kconfig +++ b/init/Kconfig 
@@ -295,6 +295,9 @@ config AUDIT config HAVE_ARCH_AUDITSYSCALL bool +config HAVE_SYSCALL_IN_SYSCALL + bool + config AUDITSYSCALL bool "Enable system-call auditing support" depends on AUDIT && HAVE_ARCH_AUDITSYSCALL -- 1.9.3
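
Review bot: In the arch/x86/include/asm/syscall.h hunk, syscall_in_syscall() compares regs->orig_ax against -1 without truncation, while the comment directly below it says only the low 32 bits of orig_ax are meaningful and that the high bits are ignored on 64-bit. An orig_ax whose low 32 bits are all ones but whose high bits are not would make this return true even though the int value that comment describes would be -1, which does not fit the kerneldoc promise that syscall_get_nr() is usable whenever the result is true. Either compare the same 32-bit value, or state in the kerneldoc which width is intended and why. Separately, @task is documented as "The task to query" but is never used in the body; a sentence saying that regs must be that task's pt_regs would make the contract explicit.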
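
Review bot: In the init/Kconfig hunk, HAVE_SYSCALL_IN_SYSCALL is added as a bare bool with no comment on what an architecture has to provide before selecting it, and nothing in the three files touched here depends on or tests the symbol. A short comment above the config entry naming syscall_in_syscall() and the guarantee its kerneldoc gives for a true return would tell other architectures what they are committing to when they add the select line.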