Re: [RFC PATCH 2/2] fs/xattr: wire up syscalls
yscall.tbl > +++ b/arch/xtensa/kernel/syscalls/syscall.tbl > @@ -421,3 +421,7 @@ > 448 common process_mreleasesys_process_mrelease > 449 common futex_waitv sys_futex_waitv > 450 common set_mempolicy_home_node sys_set_mempolicy_home_node > +451 common setxattrat sys_setxattrat > +452 common getxattrat sys_getxattrat > +453 common listxattrat sys_listxattrat > +454 common removexattrat sys_removexattrat > diff --git a/include/asm-generic/audit_change_attr.h > b/include/asm-generic/audit_change_attr.h > index 331670807cf0..cc840537885f 100644 > --- a/include/asm-generic/audit_change_attr.h > +++ b/include/asm-generic/audit_change_attr.h > @@ -11,9 +11,15 @@ __NR_lchown, > __NR_fchown, > #endif > __NR_setxattr, > +#ifdef __NR_setxattrat > +__NR_setxattrat, > +#endif > __NR_lsetxattr, > __NR_fsetxattr, > __NR_removexattr, > +#ifdef __NR_removexattrat > +__NR_removexattrat, > +#endif > __NR_lremovexattr, > __NR_fremovexattr, > #ifdef __NR_fchownat > diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h > index a34b0f9a9972..090b9b5229a0 100644 > --- a/include/linux/syscalls.h > +++ b/include/linux/syscalls.h 
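Review bot: Audit rules that filter on the read permission class may miss `getxattrat` and `listxattrat`, because the `audit_change_attr.h` hunk registers only the write-side calls `__NR_setxattrat` and `__NR_removexattrat`, and no matching read-class change is visible in this part of the thread. If `include/asm-generic/audit_read.h` is not touched elsewhere in the series, it would need the same guarded entries next to `__NR_getxattr` and `__NR_listxattr`, for example `#ifdef __NR_getxattrat` / `__NR_getxattrat,` / `#endif`. Without them, reads of security-relevant attributes through the new calls would only be caught by rules that name the syscall explicitly. The first file section on this line starts outside the visible text, so this note covers only the `audit_change_attr.h` hunk.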
> @@ -348,23 +348,31 @@ asmlinkage long sys_io_uring_register(unsigned int fd, > unsigned int op, > /* fs/xattr.c */ > asmlinkage long sys_setxattr(const char __user *path, const char __user > *name, >const void __user *value, size_t size, int flags); > +asmlinkage long sys_setxattrat(int dfd, const char __user *path, const char > __user *name, > + const void __user *value, size_t size, int flags); > asmlinkage long sys_lsetxattr(const char __user *path, const char __user > *name, > const void __user *value, size_t size, int flags); > asmlinkage long sys_fsetxattr(int fd, const char __user *name, > const void __user *value, size_t size, int flags); > asmlinkage long sys_getxattr(const char __user *path, const char __user > *name, >void __user *value, size_t size); > +asmlinkage long sys_getxattrat(int dfd, const char __user *path, const char > __user *name, > + void __user *value, size_t size, int flags); > asmlinkage long sys_lgetxattr(const char __user *path, const char __user > *name, > void __user *value, size_t size); > asmlinkage long sys_fgetxattr(int fd, const char __user *name, > void __user *value, size_t size); > asmlinkage long sys_listxattr(const char __user *path, char __user *list, > size_t size); > +asmlinkage long sys_listxattrat(int dfd, const char __user *path, char > __user *list, > + size_t size, int flags); > asmlinkage long sys_llistxattr(const char __user *path, char __user *list, > size_t size); > asmlinkage long sys_flistxattr(int fd, char __user *list, size_t size); > asmlinkage long sys_removexattr(const char __user *path, > const char __user *name); > +asmlinkage long sys_removexattrat(int dfd, const char __user *path, > + const char __user *name, int flags); > asmlinkage long sys_lremovexattr(const char __user *path, > const char __user *name); > asmlinkage long sys_fremovexattr(int fd, const char __user *name); 
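Review bot: The `flags` argument of `sys_setxattrat()` is ambiguous as declared. `sys_setxattr()` already takes `flags` for the create/replace mode, so the new prototype appears to fold that mode and the path-lookup flags into one `int`, whereas in `sys_getxattrat()`, `sys_listxattrat()` and `sys_removexattrat()` the added `flags` can only be lookup flags. A comment above the prototypes should state which bit namespaces each call accepts, e.g. `/* setxattrat: flags carries XATTR_* mode bits and AT_* lookup bits; unknown bits are rejected */`. The implementation is in the other patch of the series and is not visible here, so it is worth confirming there that unknown bits return -EINVAL rather than being ignored.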
> diff --git a/include/uapi/asm-generic/unistd.h > b/include/uapi/asm-generic/unistd.h > index 45fa180cc56a..4fcc71612b7a 100644 > --- a/include/uapi/asm-generic/unistd.h > +++ b/include/uapi/asm-generic/unistd.h > @@ -886,8 +886,18 @@ __SYSCALL(__NR_futex_waitv, sys_futex_waitv) > #define __NR_set_mempolicy_home_node 450 > __SYSCALL(__NR_set_mempolicy_home_node, sys_set_mempolicy_home_node) > > +/* fs/xattr.c */ > +#define __NR_setxattrat 451 > +__SYSCALL(__NR_setxattrat, sys_setxattrat) > +#define __NR_getxattrat 452 > +__SYSCALL(__NR_getxattrat, sys_getxattrat) > +#define __NR_listxattrat 453 > +__SYSCALL(__NR_listxattrat, sys_listxattrat) > +#define __NR_removexattrat 454 > +__SYSCALL(__NR_removexattrat, sys_removexattrat) > + > #undef __NR_syscalls > -#define __NR_syscalls 451 > +#define __NR_syscalls 455 > > /* > * 32 bit systems traditionally used different > -- > 2.37.2 > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
[PATCH v4 2/3] audit: add support for the openat2 syscall
The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 ("open: introduce openat2(2) syscall") Add the openat2(2) syscall to the audit syscall classifier. Link: https://github.com/linux-audit/audit-kernel/issues/67 Signed-off-by: Richard Guy Briggs Link: https://lore.kernel.org/r/f5f1a4d8699613f8c02ce762807228c841c2e26f.1621363275.git@redhat.com
---
 arch/alpha/kernel/audit.c | 2 ++ arch/ia64/kernel/audit.c| 2 ++ arch/parisc/kernel/audit.c | 2 ++ arch/parisc/kernel/compat_audit.c | 2 ++ arch/powerpc/kernel/audit.c | 2 ++ arch/powerpc/kernel/compat_audit.c | 2 ++ arch/s390/kernel/audit.c| 2 ++ arch/s390/kernel/compat_audit.c | 2 ++ arch/sparc/kernel/audit.c | 2 ++ arch/sparc/kernel/compat_audit.c| 2 ++ arch/x86/ia32/audit.c | 2 ++ arch/x86/kernel/audit_64.c | 2 ++ include/linux/auditsc_classmacros.h | 1 + kernel/auditsc.c| 3 +++ lib/audit.c | 4 lib/compat_audit.c | 4 16 files changed, 36 insertions(+)
diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 81cbd804e375..3ab04709784a 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index dba6a74c9ab3..ec61f20ca61f 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 14244e83db75..f420b5552140 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
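Review bot: Returning `AUDITSC_OPENAT2` from the new case only keeps permission filters working for openat2 if the code that consumes this class value in kernel/auditsc.c handles it; that part of the patch (3 added lines per the diffstat) is outside this view. Unlike open and openat, openat2 passes its open flags inside a user-memory structure rather than as a direct argument, so the matching code should work from a kernel-side copy of that structure and not read through the raw argument pointer. A short comment on the new case would record this, e.g. `/* flags are in struct open_how, not in a syscall argument */`. The same two lines are added in the ia64 hunk on this line, in the parisc, powerpc and s390 hunks that follow, and in the v3 and v2 postings of this patch further down the page; each function body starts outside its hunk.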
@@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 1d6347d37d92..3ec490c28656 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 6eb18ef77dff..1bcfca5fdf67 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index b1dc2d1c4bad..251abf79d536 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 7e331e1831d4..02051a596b87 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index fc3d1c7ad21c..4b3d463e7d97 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDIT
[PATCH v4 0/3] audit: add support for openat2
The openat2(2) syscall was added in v5.6. Add support for openat2 to the audit syscall classifier and for recording openat2 parameters that cannot be captured in the syscall parameters of the SYSCALL record. Supporting userspace code can be found in https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2 Supporting test case can be found in https://github.com/linux-audit/audit-testsuite/pull/103 Changelog: v4: - change filename include/linux/auditscm.h to auditsc_classmacros.h to avoid socket association v3: - re-add commit descriptions that somehow got dropped - add new file to MAINTAINERS v2: - add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings: arch/x86/ia32/audit.c:3: ./include/linux/audit.h:12, ./include/linux/sched.h:22, ./include/linux/seccomp.h:21, ./arch/x86/include/asm/seccomp.h:5, ./arch/x86/include/asm/unistd.h:20, ./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0 ... ./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334 previous: arch/x86/ia32/audit.c:2: ./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3 ... 
./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386 Richard Guy Briggs (3): audit: replace magic audit syscall class numbers with macros audit: add support for the openat2 syscall audit: add OPENAT2 record to list how MAINTAINERS | 1 + arch/alpha/kernel/audit.c | 10 ++ arch/ia64/kernel/audit.c| 10 ++ arch/parisc/kernel/audit.c | 10 ++ arch/parisc/kernel/compat_audit.c | 11 ++ arch/powerpc/kernel/audit.c | 12 ++- arch/powerpc/kernel/compat_audit.c | 13 +++- arch/s390/kernel/audit.c| 12 ++- arch/s390/kernel/compat_audit.c | 13 +++- arch/sparc/kernel/audit.c | 12 ++- arch/sparc/kernel/compat_audit.c| 13 +++- arch/x86/ia32/audit.c | 13 +++- arch/x86/kernel/audit_64.c | 10 ++ fs/open.c | 2 ++ include/linux/audit.h | 11 ++ include/linux/auditsc_classmacros.h | 24 ++ include/uapi/linux/audit.h | 1 + kernel/audit.h | 2 ++ kernel/auditsc.c| 31 +++-- lib/audit.c | 14 - lib/compat_audit.c | 15 +- 21 files changed, 169 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditsc_classmacros.h -- 2.27.0
[PATCH v4 1/3] audit: replace magic audit syscall class numbers with macros
Replace audit syscall class magic numbers with macros. This required putting the macros into new header file include/linux/auditsc_classmacros.h since the syscall macros were included for both 64 bit and 32 bit in any compat code, causing redefinition warnings. Signed-off-by: Richard Guy Briggs Link: https://lore.kernel.org/r/2300b1083a32aade7ae7efb95826e8f3f260b1df.1621363275.git@redhat.com --- MAINTAINERS | 1 + arch/alpha/kernel/audit.c | 8 arch/ia64/kernel/audit.c| 8 arch/parisc/kernel/audit.c | 8 arch/parisc/kernel/compat_audit.c | 9 + arch/powerpc/kernel/audit.c | 10 +- arch/powerpc/kernel/compat_audit.c | 11 ++- arch/s390/kernel/audit.c| 10 +- arch/s390/kernel/compat_audit.c | 11 ++- arch/sparc/kernel/audit.c | 10 +- arch/sparc/kernel/compat_audit.c| 11 ++- arch/x86/ia32/audit.c | 11 ++- arch/x86/kernel/audit_64.c | 8 include/linux/audit.h | 1 + include/linux/auditsc_classmacros.h | 23 +++ kernel/auditsc.c| 12 ++-- lib/audit.c | 10 +- lib/compat_audit.c | 11 ++- 18 files changed, 102 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditsc_classmacros.h diff --git a/MAINTAINERS b/MAINTAINERS index bd7aff0c120f..3348d12019f9 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -3036,6 +3036,7 @@ W:https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git F: include/asm-generic/audit_*.h F: include/linux/audit.h +F: include/linux/auditsc_classmacros.h F: include/uapi/linux/audit.h F: kernel/audit* F: lib/*audit.c diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } 
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..1d6347d37d92 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include #include unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a27f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN
Re: [PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros
On 2021-05-10 21:23, Paul Moore wrote: > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote: > > > > Replace audit syscall class magic numbers with macros. > > > > This required putting the macros into new header file > > include/linux/auditscm.h since the syscall macros were included for both 64 > > bit and 32 bit in any compat code, causing redefinition warnings. > > The ifndef/define didn't protect against redeclaration? Huh. Maybe > I'm not thinking about this correctly, or the arch specific code is > doing something wonky ... I had a chat with Arnd about it in IRC upstream and started digging deeper and it got quite messy. As seen from the cover letter, audit.h pulled in a chain of things which weren't entirely unreasonable given it was compiling compat support in with native support by default. I suppose I could have defined _ASM_X86_UNISTD_64_H to prevent it from being added, but that would be ugly on a generated file, have caused a failure elsewhere and would need to be done for each compat file. I thought of defining CONFIG_X86_32 in arch/x86/ia32/audit.c but that would cause other problems. This was the cleanest solution. Otherwise I leave them as magic numbers like in V1. > Regardless, assuming that it is necessary, I would prefer if we called > it auditsc.h instead of auditscm.h; the latter makes me think of > sockets and not syscalls. 
> > > Signed-off-by: Richard Guy Briggs > > --- > > MAINTAINERS| 1 + > > arch/alpha/kernel/audit.c | 8 > > arch/ia64/kernel/audit.c | 8 > > arch/parisc/kernel/audit.c | 8 > > arch/parisc/kernel/compat_audit.c | 9 + > > arch/powerpc/kernel/audit.c| 10 +- > > arch/powerpc/kernel/compat_audit.c | 11 ++- > > arch/s390/kernel/audit.c | 10 +- > > arch/s390/kernel/compat_audit.c| 11 ++- > > arch/sparc/kernel/audit.c | 10 +- > > arch/sparc/kernel/compat_audit.c | 11 ++- > > arch/x86/ia32/audit.c | 11 ++- > > arch/x86/kernel/audit_64.c | 8 > > include/linux/audit.h | 1 + > > include/linux/auditscm.h | 23 +++ > > kernel/auditsc.c | 12 ++-- > > lib/audit.c| 10 +- > > lib/compat_audit.c | 11 ++- > > 18 files changed, 102 insertions(+), 71 deletions(-) > > create mode 100644 include/linux/auditscm.h > > ... > > > diff --git a/include/linux/auditscm.h b/include/linux/auditscm.h > > new file mode 100644 > > index ..1c4f0ead5931 > > --- /dev/null > > +++ b/include/linux/auditscm.h > > @@ -0,0 +1,23 @@ > > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > > +/* auditscm.h -- Auditing support syscall macros > > + * > > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > > + * All Rights Reserved. > > + * > > + * Author: Richard Guy Briggs > > + */ > > +#ifndef _LINUX_AUDITSCM_H_ > > +#define _LINUX_AUDITSCM_H_ > > + > > +enum auditsc_class_t { > > + AUDITSC_NATIVE = 0, > > + AUDITSC_COMPAT, > > + AUDITSC_OPEN, > > + AUDITSC_OPENAT, > > + AUDITSC_SOCKETCALL, > > + AUDITSC_EXECVE, > > + > > + AUDITSC_NVALS /* count */ > > +}; > > + > > +#endif > > -- > paul moore > www.paul-moore.com > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
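Review bot: Only `AUDITSC_NATIVE = 0` is pinned in `enum auditsc_class_t`; every other enumerator takes its value from its position in the list, while the patch description says these names replace the former magic numbers. Spelling each value out (`AUDITSC_COMPAT = 1,` through `AUDITSC_EXECVE = 5,`) would keep the mapping to the old numbers visible in the header. It would also stop a later insertion in the middle of the list from silently renumbering a class that any classifier still returning a literal depends on. Whether such a classifier remains cannot be told from this quoted excerpt, since the per-file hunks are elided with "...". The same quoted hunk appears again in the next reply on the page.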
Re: [PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros
On 2021-05-10 21:23, Paul Moore wrote: > On Fri, Apr 30, 2021 at 4:36 PM Richard Guy Briggs wrote: > > > > Replace audit syscall class magic numbers with macros. > > > > This required putting the macros into new header file > > include/linux/auditscm.h since the syscall macros were included for both 64 > > bit and 32 bit in any compat code, causing redefinition warnings. > > The ifndef/define didn't protect against redeclaration? Huh. Maybe > I'm not thinking about this correctly, or the arch specific code is > doing something wonky ... > > Regardless, assuming that it is necessary, I would prefer if we called > it auditsc.h instead of auditscm.h; the latter makes me think of > sockets and not syscalls. The "m" was for "macros", since there are auditsc bits in audit.h as well, but I have no significant objection. > > Signed-off-by: Richard Guy Briggs > > --- > > MAINTAINERS| 1 + > > arch/alpha/kernel/audit.c | 8 > > arch/ia64/kernel/audit.c | 8 > > arch/parisc/kernel/audit.c | 8 > > arch/parisc/kernel/compat_audit.c | 9 + > > arch/powerpc/kernel/audit.c| 10 +- > > arch/powerpc/kernel/compat_audit.c | 11 ++- > > arch/s390/kernel/audit.c | 10 +- > > arch/s390/kernel/compat_audit.c| 11 ++- > > arch/sparc/kernel/audit.c | 10 +- > > arch/sparc/kernel/compat_audit.c | 11 ++- > > arch/x86/ia32/audit.c | 11 ++- > > arch/x86/kernel/audit_64.c | 8 > > include/linux/audit.h | 1 + > > include/linux/auditscm.h | 23 +++ > > kernel/auditsc.c | 12 ++-- > > lib/audit.c| 10 +- > > lib/compat_audit.c | 11 ++- > > 18 files changed, 102 insertions(+), 71 deletions(-) > > create mode 100644 include/linux/auditscm.h > > ... > > > diff --git a/include/linux/auditscm.h b/include/linux/auditscm.h > > new file mode 100644 > > index ..1c4f0ead5931 > > --- /dev/null > > +++ b/include/linux/auditscm.h 
> > @@ -0,0 +1,23 @@ > > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > > +/* auditscm.h -- Auditing support syscall macros > > + * > > + * Copyright 2021 Red Hat Inc., Durham, North Carolina. > > + * All Rights Reserved. > > + * > > + * Author: Richard Guy Briggs > > + */ > > +#ifndef _LINUX_AUDITSCM_H_ > > +#define _LINUX_AUDITSCM_H_ > > + > > +enum auditsc_class_t { > > + AUDITSC_NATIVE = 0, > > + AUDITSC_COMPAT, > > + AUDITSC_OPEN, > > + AUDITSC_OPENAT, > > + AUDITSC_SOCKETCALL, > > + AUDITSC_EXECVE, > > + > > + AUDITSC_NVALS /* count */ > > +}; > > + > > +#endif > > -- > paul moore > www.paul-moore.com > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
[PATCH v3 2/3] audit: add support for the openat2 syscall
The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 ("open: introduce openat2(2) syscall") Add the openat2(2) syscall to the audit syscall classifier. See the github issue https://github.com/linux-audit/audit-kernel/issues/67 Signed-off-by: Richard Guy Briggs
---
 arch/alpha/kernel/audit.c | 2 ++ arch/ia64/kernel/audit.c | 2 ++ arch/parisc/kernel/audit.c | 2 ++ arch/parisc/kernel/compat_audit.c | 2 ++ arch/powerpc/kernel/audit.c| 2 ++ arch/powerpc/kernel/compat_audit.c | 2 ++ arch/s390/kernel/audit.c | 2 ++ arch/s390/kernel/compat_audit.c| 2 ++ arch/sparc/kernel/audit.c | 2 ++ arch/sparc/kernel/compat_audit.c | 2 ++ arch/x86/ia32/audit.c | 2 ++ arch/x86/kernel/audit_64.c | 2 ++ include/linux/auditscm.h | 1 + kernel/auditsc.c | 3 +++ lib/audit.c| 4 lib/compat_audit.c | 4 16 files changed, 36 insertions(+)
diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 81cbd804e375..3ab04709784a 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index dba6a74c9ab3..ec61f20ca61f 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 14244e83db75..f420b5552140 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
@@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 0c181bb39f34..02cfd9d1ebeb 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 6eb18ef77dff..1bcfca5fdf67 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index f250777f6365..1fa0c902be8a 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 7e331e1831d4..02051a596b87 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index b2a2ed5d605a..320b5e7d96f0 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/sparc/kernel/audit.c b/
[PATCH v3 1/3] audit: replace magic audit syscall class numbers with macros
Replace audit syscall class magic numbers with macros. This required putting the macros into new header file include/linux/auditscm.h since the syscall macros were included for both 64 bit and 32 bit in any compat code, causing redefinition warnings. Signed-off-by: Richard Guy Briggs --- MAINTAINERS| 1 + arch/alpha/kernel/audit.c | 8 arch/ia64/kernel/audit.c | 8 arch/parisc/kernel/audit.c | 8 arch/parisc/kernel/compat_audit.c | 9 + arch/powerpc/kernel/audit.c| 10 +- arch/powerpc/kernel/compat_audit.c | 11 ++- arch/s390/kernel/audit.c | 10 +- arch/s390/kernel/compat_audit.c| 11 ++- arch/sparc/kernel/audit.c | 10 +- arch/sparc/kernel/compat_audit.c | 11 ++- arch/x86/ia32/audit.c | 11 ++- arch/x86/kernel/audit_64.c | 8 include/linux/audit.h | 1 + include/linux/auditscm.h | 23 +++ kernel/auditsc.c | 12 ++-- lib/audit.c| 10 +- lib/compat_audit.c | 11 ++- 18 files changed, 102 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditscm.h diff --git a/MAINTAINERS b/MAINTAINERS index 1249655459d3..2db1dc94888f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2981,6 +2981,7 @@ W:https://github.com/linux-audit T: git git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git F: include/asm-generic/audit_*.h F: include/linux/audit.h +F: include/linux/auditscm.h F: include/uapi/linux/audit.h F: kernel/audit* F: lib/*audit.c diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c 
@@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c @@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..0c181bb39f34 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include #include unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a27f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4
[PATCH v3 0/3] audit: add support for openat2
The openat2(2) syscall was added in v5.6. Add support for openat2 to the audit syscall classifier and for recording openat2 parameters that cannot be captured in the syscall parameters of the SYSCALL record. Supporting userspace code can be found in https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2 Supporting test case can be found in https://github.com/linux-audit/audit-testsuite/pull/103 Changelog: v3: - re-add commit descriptions that somehow got dropped - add new file to MAINTAINERS v2: - add include/linux/auditscm.h for audit syscall class macros due to syscall redefinition warnings: arch/x86/ia32/audit.c:3: ./include/linux/audit.h:12, ./include/linux/sched.h:22, ./include/linux/seccomp.h:21, ./arch/x86/include/asm/seccomp.h:5, ./arch/x86/include/asm/unistd.h:20, ./arch/x86/include/generated/uapi/asm/unistd_64.h:4: warning: "__NR_read" redefined #define __NR_read 0 ... ./arch/x86/include/generated/uapi/asm/unistd_64.h:338: warning: "__NR_rseq" redefined #define __NR_rseq 334 previous: arch/x86/ia32/audit.c:2: ./arch/x86/include/generated/uapi/asm/unistd_32.h:7: note: this is the location of the previous definition #define __NR_read 3 ... 
./arch/x86/include/generated/uapi/asm/unistd_32.h:386: note: this is the location of the previous definition #define __NR_rseq 386 Richard Guy Briggs (3): audit: replace magic audit syscall class numbers with macros audit: add support for the openat2 syscall audit: add OPENAT2 record to list how MAINTAINERS| 1 + arch/alpha/kernel/audit.c | 10 ++ arch/ia64/kernel/audit.c | 10 ++ arch/parisc/kernel/audit.c | 10 ++ arch/parisc/kernel/compat_audit.c | 11 +++ arch/powerpc/kernel/audit.c| 12 +++- arch/powerpc/kernel/compat_audit.c | 13 - arch/s390/kernel/audit.c | 12 +++- arch/s390/kernel/compat_audit.c| 13 - arch/sparc/kernel/audit.c | 12 +++- arch/sparc/kernel/compat_audit.c | 13 - arch/x86/ia32/audit.c | 13 - arch/x86/kernel/audit_64.c | 10 ++ fs/open.c | 2 ++ include/linux/audit.h | 11 +++ include/linux/auditscm.h | 24 +++ include/uapi/linux/audit.h | 1 + kernel/audit.h | 2 ++ kernel/auditsc.c | 31 -- lib/audit.c| 14 +- lib/compat_audit.c | 15 ++- 21 files changed, 169 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditscm.h -- 2.27.0
Re: [PATCH v2 0/3] audit: add support for openat2
On 2021-04-30 13:29, Richard Guy Briggs wrote: > The openat2(2) syscall was added in v5.6. Add support for openat2 to the > audit syscall classifier and for recording openat2 parameters that cannot > be captured in the syscall parameters of the SYSCALL record. Well, that was a bit premature... Commit descriptions in each of the patches might be a good idea... Somehow they got dropped from V1. I guess they seemed obvious to me. :-)Changelog might be a nice addition too... Sorry for the noise. > Supporting userspace code can be found in > https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2 > > Supporting test case can be found in > https://github.com/linux-audit/audit-testsuite/pull/103 > > Richard Guy Briggs (3): > audit: replace magic audit syscall class numbers with macros > audit: add support for the openat2 syscall > audit: add OPENAT2 record to list how > > arch/alpha/kernel/audit.c | 10 ++ > arch/ia64/kernel/audit.c | 10 ++ > arch/parisc/kernel/audit.c | 10 ++ > arch/parisc/kernel/compat_audit.c | 11 +++ > arch/powerpc/kernel/audit.c| 12 +++- > arch/powerpc/kernel/compat_audit.c | 13 - > arch/s390/kernel/audit.c | 12 +++- > arch/s390/kernel/compat_audit.c| 13 - > arch/sparc/kernel/audit.c | 12 +++- > arch/sparc/kernel/compat_audit.c | 13 - > arch/x86/ia32/audit.c | 13 - > arch/x86/kernel/audit_64.c | 10 ++ > fs/open.c | 2 ++ > include/linux/audit.h | 11 +++ > include/linux/auditscm.h | 24 +++ > include/uapi/linux/audit.h | 1 + > kernel/audit.h | 2 ++ > kernel/auditsc.c | 31 -- > lib/audit.c| 14 +- > lib/compat_audit.c | 15 ++- > 20 files changed, 168 insertions(+), 71 deletions(-) > create mode 100644 include/linux/auditscm.h > > -- > 2.27.0 > - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635
[PATCH v2 2/3] audit: add support for the openat2 syscall
Signed-off-by: Richard Guy Briggs
---
 arch/alpha/kernel/audit.c | 2 ++ arch/ia64/kernel/audit.c | 2 ++ arch/parisc/kernel/audit.c | 2 ++ arch/parisc/kernel/compat_audit.c | 2 ++ arch/powerpc/kernel/audit.c| 2 ++ arch/powerpc/kernel/compat_audit.c | 2 ++ arch/s390/kernel/audit.c | 2 ++ arch/s390/kernel/compat_audit.c| 2 ++ arch/sparc/kernel/audit.c | 2 ++ arch/sparc/kernel/compat_audit.c | 2 ++ arch/x86/ia32/audit.c | 2 ++ arch/x86/kernel/audit_64.c | 2 ++ include/linux/auditscm.h | 1 + kernel/auditsc.c | 3 +++ lib/audit.c| 4 lib/compat_audit.c | 4 16 files changed, 36 insertions(+)
diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 81cbd804e375..3ab04709784a 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index dba6a74c9ab3..ec61f20ca61f 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 14244e83db75..f420b5552140 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
@@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 0c181bb39f34..02cfd9d1ebeb 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -36,6 +36,8 @@ int parisc32_classify_syscall(unsigned syscall)
 return AUDITSC_OPENAT;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index 6eb18ef77dff..1bcfca5fdf67 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index f250777f6365..1fa0c902be8a 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -39,6 +39,8 @@ int ppc32_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index 7e331e1831d4..02051a596b87 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_NATIVE;
 }
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index b2a2ed5d605a..320b5e7d96f0 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -40,6 +40,8 @@ int s390_classify_syscall(unsigned syscall)
 return AUDITSC_SOCKETCALL;
 case __NR_execve:
 return AUDITSC_EXECVE;
+ case __NR_openat2:
+ return AUDITSC_OPENAT2;
 default:
 return AUDITSC_COMPAT;
 }
diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
index 50fab35bdaba..b092274eca79 100644
--- a/arch/sparc/kernel/audit.c
+++ b/arch/sparc/kernel/audit.c
@@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall) return AUDITSC_SOCKETCALL
[PATCH v2 1/3] audit: replace magic audit syscall class numbers with macros
Replace the magic numbers used to indicate audit syscall classes with macros. Signed-off-by: Richard Guy Briggs --- arch/alpha/kernel/audit.c | 8 arch/ia64/kernel/audit.c | 8 arch/parisc/kernel/audit.c | 8 arch/parisc/kernel/compat_audit.c | 9 + arch/powerpc/kernel/audit.c| 10 +- arch/powerpc/kernel/compat_audit.c | 11 ++- arch/s390/kernel/audit.c | 10 +- arch/s390/kernel/compat_audit.c| 11 ++- arch/sparc/kernel/audit.c | 10 +- arch/sparc/kernel/compat_audit.c | 11 ++- arch/x86/ia32/audit.c | 11 ++- arch/x86/kernel/audit_64.c | 8 include/linux/audit.h | 1 + include/linux/auditscm.h | 23 +++ kernel/auditsc.c | 12 ++-- lib/audit.c| 10 +- lib/compat_audit.c | 11 ++- 17 files changed, 101 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditscm.h diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c 
@@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c index 20c39c9d86a9..0c181bb39f34 100644 --- a/arch/parisc/kernel/compat_audit.c +++ b/arch/parisc/kernel/compat_audit.c @@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#include #include unsigned int parisc32_dir_class[] = { @@ -30,12 +31,12 @@ int parisc32_classify_syscall(unsigned syscall) { switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 1; + return AUDITSC_COMPAT; } } diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c index a27f3d09..6eb18ef77dff 100644 --- a/arch/powerpc/kernel/audit.c +++ b/arch/powerpc/kernel/audit.c @@ -47,15 +47,15 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_socketcall: - return 4; + return AUDITSC_SOCKETCALL; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c index 55c6ccda0a85..f250777f6365 100644 --- a/arch/powerpc/kernel/compat_audit.c +++ b/arch/powerpc/kernel/compat_audit.c @@ -1,5 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #undef __powerpc64__ +#include #include unsigned ppc32_dir_class[] = { @@ -31,14 +32,14 @@ int ppc32_classify_syscall(unsigned syscall) { switch(syscall
[PATCH v2 0/3] audit: add support for openat2
The openat2(2) syscall was added in v5.6. Add support for openat2 to the audit syscall classifier and for recording openat2 parameters that cannot be captured in the syscall parameters of the SYSCALL record. Supporting userspace code can be found in https://github.com/rgbriggs/audit-userspace/tree/ghau-openat2 Supporting test case can be found in https://github.com/linux-audit/audit-testsuite/pull/103 Richard Guy Briggs (3): audit: replace magic audit syscall class numbers with macros audit: add support for the openat2 syscall audit: add OPENAT2 record to list how arch/alpha/kernel/audit.c | 10 ++ arch/ia64/kernel/audit.c | 10 ++ arch/parisc/kernel/audit.c | 10 ++ arch/parisc/kernel/compat_audit.c | 11 +++ arch/powerpc/kernel/audit.c| 12 +++- arch/powerpc/kernel/compat_audit.c | 13 - arch/s390/kernel/audit.c | 12 +++- arch/s390/kernel/compat_audit.c| 13 - arch/sparc/kernel/audit.c | 12 +++- arch/sparc/kernel/compat_audit.c | 13 - arch/x86/ia32/audit.c | 13 - arch/x86/kernel/audit_64.c | 10 ++ fs/open.c | 2 ++ include/linux/audit.h | 11 +++ include/linux/auditscm.h | 24 +++ include/uapi/linux/audit.h | 1 + kernel/audit.h | 2 ++ kernel/auditsc.c | 31 -- lib/audit.c| 14 +- lib/compat_audit.c | 15 ++- 20 files changed, 168 insertions(+), 71 deletions(-) create mode 100644 include/linux/auditscm.h -- 2.27.0
Re: [PATCH 1/2] audit: add support for the openat2 syscall
On 2021-03-18 08:08, Richard Guy Briggs wrote: > On 2021-03-18 11:48, Christian Brauner wrote: > > [+Cc Aleksa, the author of openat2()] > > Ah! Thanks for pulling in Aleksa. I thought I caught everyone... > > > and a comment below. :) > > Same... > > > On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote: > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > ("open: introduce openat2(2) syscall") > > > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > > > See the github issue > > > https://github.com/linux-audit/audit-kernel/issues/67 > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > arch/alpha/kernel/audit.c | 2 ++ > > > arch/ia64/kernel/audit.c | 2 ++ > > > arch/parisc/kernel/audit.c | 2 ++ > > > arch/parisc/kernel/compat_audit.c | 2 ++ > > > arch/powerpc/kernel/audit.c| 2 ++ > > > arch/powerpc/kernel/compat_audit.c | 2 ++ > > > arch/s390/kernel/audit.c | 2 ++ > > > arch/s390/kernel/compat_audit.c| 2 ++ > > > arch/sparc/kernel/audit.c | 2 ++ > > > arch/sparc/kernel/compat_audit.c | 2 ++ > > > arch/x86/ia32/audit.c | 2 ++ > > > arch/x86/kernel/audit_64.c | 2 ++ > > > kernel/auditsc.c | 3 +++ > > > lib/audit.c| 4 > > > lib/compat_audit.c | 4 > > > 15 files changed, 35 insertions(+) > > > > > > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > > > index 96a9d18ff4c4..06a911b685d1 100644 > > > --- a/arch/alpha/kernel/audit.c > > > +++ b/arch/alpha/kernel/audit.c > > > @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > > return 3; > > > case __NR_execve: > > > return 5; > > > + case __NR_openat2: > > > + return 6; > > > default: > > > return 0; > > > } > > > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > > > index 5192ca899fe6..5eaa888c8fd3 100644 > > > --- a/arch/ia64/kernel/audit.c > > > +++ b/arch/ia64/kernel/audit.c 
> > > @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > > return 3; > > > case __NR_execve: > > > return 5; > > > + case __NR_openat2: > > > + return 6; > > > default: > > > return 0; > > > } > > > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > > > index 9eb47b2225d2..fc721a7727ba 100644 > > > --- a/arch/parisc/kernel/audit.c > > > +++ b/arch/parisc/kernel/audit.c > > > @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > > return 3; > > > case __NR_execve: > > > return 5; > > > + case __NR_openat2: > > > + return 6; > > > default: > > > return 0; > > > } > > > diff --git a/arch/parisc/kernel/compat_audit.c > > > b/arch/parisc/kernel/compat_audit.c > > > index 20c39c9d86a9..fc6d35918c44 100644 > > > --- a/arch/parisc/kernel/compat_audit.c > > > +++ b/arch/parisc/kernel/compat_audit.c > > > @@ -35,6 +35,8 @@ int parisc32_classify_syscall(unsigned syscall) > > > return 3; > > > case __NR_execve: > > > return 5; > > > + case __NR_openat2: > > > + return 6; > > > default: > > > return 1; > > > } > > > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > > > index a27f3d09..8f32700b0baa 100644 > > > --- a/arch/powerpc/kernel/audit.c > > > +++ b/arch/powerpc/kernel/audit.c > > > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > > return 4; > > > case __NR_execve: > > > return 5; > > > + case __NR_openat2: > > > + return 6; > > > default: > > > return 0; > > > } > > > diff --git a/arch/powerpc/kernel/compat_audit.c > > > b/arch/powerpc/kernel/compat_audit.c > > > index 55c6ccda0a85..ebe45534b1c9 100644 > > > --- a/arch/powerpc/kernel/compat_audit.c > > > +++ b/arch/powerpc/kernel/compat_audit.c > > > @@ -38,6 +38,
Re: [PATCH 1/2] audit: add support for the openat2 syscall
On 2021-03-18 11:48, Christian Brauner wrote: > [+Cc Aleksa, the author of openat2()] Ah! Thanks for pulling in Aleksa. I thought I caught everyone... > and a comment below. :) Same... > On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote: > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > ("open: introduce openat2(2) syscall") > > > > Add the openat2(2) syscall to the audit syscall classifier. > > > > See the github issue > > https://github.com/linux-audit/audit-kernel/issues/67 > > > > Signed-off-by: Richard Guy Briggs > > --- > > arch/alpha/kernel/audit.c | 2 ++ > > arch/ia64/kernel/audit.c | 2 ++ > > arch/parisc/kernel/audit.c | 2 ++ > > arch/parisc/kernel/compat_audit.c | 2 ++ > > arch/powerpc/kernel/audit.c| 2 ++ > > arch/powerpc/kernel/compat_audit.c | 2 ++ > > arch/s390/kernel/audit.c | 2 ++ > > arch/s390/kernel/compat_audit.c| 2 ++ > > arch/sparc/kernel/audit.c | 2 ++ > > arch/sparc/kernel/compat_audit.c | 2 ++ > > arch/x86/ia32/audit.c | 2 ++ > > arch/x86/kernel/audit_64.c | 2 ++ > > kernel/auditsc.c | 3 +++ > > lib/audit.c| 4 > > lib/compat_audit.c | 4 > > 15 files changed, 35 insertions(+) > > > > diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c > > index 96a9d18ff4c4..06a911b685d1 100644 > > --- a/arch/alpha/kernel/audit.c > > +++ b/arch/alpha/kernel/audit.c > > @@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > return 3; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 0; > > } > > diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c > > index 5192ca899fe6..5eaa888c8fd3 100644 > > --- a/arch/ia64/kernel/audit.c > > +++ b/arch/ia64/kernel/audit.c > > @@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > return 3; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 0; > > } 
> > diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c > > index 9eb47b2225d2..fc721a7727ba 100644 > > --- a/arch/parisc/kernel/audit.c > > +++ b/arch/parisc/kernel/audit.c > > @@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > return 3; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 0; > > } > > diff --git a/arch/parisc/kernel/compat_audit.c > > b/arch/parisc/kernel/compat_audit.c > > index 20c39c9d86a9..fc6d35918c44 100644 > > --- a/arch/parisc/kernel/compat_audit.c > > +++ b/arch/parisc/kernel/compat_audit.c > > @@ -35,6 +35,8 @@ int parisc32_classify_syscall(unsigned syscall) > > return 3; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 1; > > } > > diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c > > index a27f3d09..8f32700b0baa 100644 > > --- a/arch/powerpc/kernel/audit.c > > +++ b/arch/powerpc/kernel/audit.c > > @@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall) > > return 4; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 0; > > } > > diff --git a/arch/powerpc/kernel/compat_audit.c > > b/arch/powerpc/kernel/compat_audit.c > > index 55c6ccda0a85..ebe45534b1c9 100644 > > --- a/arch/powerpc/kernel/compat_audit.c > > +++ b/arch/powerpc/kernel/compat_audit.c > > @@ -38,6 +38,8 @@ int ppc32_classify_syscall(unsigned syscall) > > return 4; > > case __NR_execve: > > return 5; > > + case __NR_openat2: > > + return 6; > > default: > > return 1; > > } > > diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c > > index d395c6c9944c..d964cb94cfaf 100644 > > --- a/arch/s390/kernel/audit.c > > +++ b/arch/s390/kernel/audit.c > > @@ -54,6 +54,8 @@ i
Re: [PATCH 1/2] audit: add support for the openat2 syscall
On 2021-03-18 11:52, Christian Brauner wrote: > On Thu, Mar 18, 2021 at 11:48:45AM +0100, Christian Brauner wrote: > > On Wed, Mar 17, 2021 at 09:47:17PM -0400, Richard Guy Briggs wrote: > > > The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 > > > ("open: introduce openat2(2) syscall") > > > Add the openat2(2) syscall to the audit syscall classifier. > > > See the github issue > > > https://github.com/linux-audit/audit-kernel/issues/67 > > > Signed-off-by: Richard Guy Briggs ... > And one more comment, why return a hard-coded integer from all of these > architectures instead of introducing an enum in a central place with > proper names idk: Oh, believe me, I tried hard to do that because I really don't like hard-coded magic values, but for expediency I continued the same approach until I could sort out the header file mess. There was an extra preparatory patch (attached) in this patchset with a different audit syscall perms patch (also attached). By including "#include " in each of the compat source files there were warnings of redefinitions of every __NR_* syscall number. The easiest way to get rid of it would have been to pull the new AUDITSC_* definitions into a new file and include that from and each of the arch/*/*/*audit.c (and lib/*audit.c) files. > enum audit_match_perm_t { > . > . > . > AUDIT_MATCH_PERM_EXECVE = 5, > AUDIT_MATCH_PERM_OPENAT2 = 6, > . > . > . > } > > Then you can drop these hard-coded comments too and it's way less > brittle overall. Totally agree. > Christian - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635 >From 599ae48091296a3ad3eb4259e7af39cdf0f743c7 Mon Sep 17 00:00:00 2001 Message-Id: <599ae48091296a3ad3eb4259e7af39cdf0f743c7.1616067847.git@redhat.com> In-Reply-To: References: 
From: Richard Guy Briggs Date: Fri, 22 Jan 2021 16:27:42 -0500 Subject: [PATCH 1/3] audit: replace magic audit syscall class numbers with macros Replace the magic numbers used to indicate audit syscall classes with macros. Signed-off-by: Richard Guy Briggs --- arch/alpha/kernel/audit.c | 8 arch/ia64/kernel/audit.c | 8 arch/parisc/kernel/audit.c | 8 arch/parisc/kernel/compat_audit.c | 9 + arch/powerpc/kernel/audit.c| 10 +- arch/powerpc/kernel/compat_audit.c | 11 ++- arch/s390/kernel/audit.c | 10 +- arch/s390/kernel/compat_audit.c| 11 ++- arch/sparc/kernel/audit.c | 10 +- arch/sparc/kernel/compat_audit.c | 11 ++- arch/x86/ia32/audit.c | 11 ++- arch/x86/kernel/audit_64.c | 8 include/linux/audit.h | 7 +++ kernel/auditsc.c | 12 ++-- lib/audit.c| 10 +- lib/compat_audit.c | 11 ++- 16 files changed, 84 insertions(+), 71 deletions(-) diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c index 96a9d18ff4c4..81cbd804e375 100644 --- a/arch/alpha/kernel/audit.c +++ b/arch/alpha/kernel/audit.c @@ -37,13 +37,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c index 5192ca899fe6..dba6a74c9ab3 100644 --- a/arch/ia64/kernel/audit.c +++ b/arch/ia64/kernel/audit.c @@ -38,13 +38,13 @@ int audit_classify_syscall(int abi, unsigned syscall) { switch(syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDITSC_OPENAT; case __NR_execve: - return 5; + return AUDITSC_EXECVE; default: - return 0; + return AUDITSC_NATIVE; } } diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c index 9eb47b2225d2..14244e83db75 100644 --- a/arch/parisc/kernel/audit.c +++ b/arch/parisc/kernel/audit.c 
@@ -47,13 +47,13 @@ int audit_classify_syscall(int abi, unsigned syscall) #endif switch (syscall) { case __NR_open: - return 2; + return AUDITSC_OPEN; case __NR_openat: - return 3; + return AUDIT
[PATCH 1/2] audit: add support for the openat2 syscall
The openat2(2) syscall was added in kernel v5.6 with commit fddb5d430ad9 ("open: introduce openat2(2) syscall") Add the openat2(2) syscall to the audit syscall classifier. See the github issue https://github.com/linux-audit/audit-kernel/issues/67 Signed-off-by: Richard Guy Briggs --- arch/alpha/kernel/audit.c | 2 ++ arch/ia64/kernel/audit.c | 2 ++ arch/parisc/kernel/audit.c | 2 ++ arch/parisc/kernel/compat_audit.c | 2 ++ arch/powerpc/kernel/audit.c| 2 ++ arch/powerpc/kernel/compat_audit.c | 2 ++ arch/s390/kernel/audit.c | 2 ++ arch/s390/kernel/compat_audit.c| 2 ++ arch/sparc/kernel/audit.c | 2 ++ arch/sparc/kernel/compat_audit.c | 2 ++ arch/x86/ia32/audit.c | 2 ++ arch/x86/kernel/audit_64.c | 2 ++ kernel/auditsc.c | 3 +++ lib/audit.c| 4 lib/compat_audit.c | 4 15 files changed, 35 insertions(+)
diff --git a/arch/alpha/kernel/audit.c b/arch/alpha/kernel/audit.c
index 96a9d18ff4c4..06a911b685d1 100644
--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -42,6 +42,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return 3;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/ia64/kernel/audit.c b/arch/ia64/kernel/audit.c
index 5192ca899fe6..5eaa888c8fd3 100644
--- a/arch/ia64/kernel/audit.c
+++ b/arch/ia64/kernel/audit.c
@@ -43,6 +43,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return 3;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/parisc/kernel/audit.c b/arch/parisc/kernel/audit.c
index 9eb47b2225d2..fc721a7727ba 100644
--- a/arch/parisc/kernel/audit.c
+++ b/arch/parisc/kernel/audit.c
@@ -52,6 +52,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return 3;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/parisc/kernel/compat_audit.c b/arch/parisc/kernel/compat_audit.c
index 20c39c9d86a9..fc6d35918c44 100644
--- a/arch/parisc/kernel/compat_audit.c
+++ b/arch/parisc/kernel/compat_audit.c
@@ -35,6 +35,8 @@ int parisc32_classify_syscall(unsigned syscall)
 return 3;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 1;
 }
diff --git a/arch/powerpc/kernel/audit.c b/arch/powerpc/kernel/audit.c
index a27f3d09..8f32700b0baa 100644
--- a/arch/powerpc/kernel/audit.c
+++ b/arch/powerpc/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return 4;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/powerpc/kernel/compat_audit.c b/arch/powerpc/kernel/compat_audit.c
index 55c6ccda0a85..ebe45534b1c9 100644
--- a/arch/powerpc/kernel/compat_audit.c
+++ b/arch/powerpc/kernel/compat_audit.c
@@ -38,6 +38,8 @@ int ppc32_classify_syscall(unsigned syscall)
 return 4;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 1;
 }
diff --git a/arch/s390/kernel/audit.c b/arch/s390/kernel/audit.c
index d395c6c9944c..d964cb94cfaf 100644
--- a/arch/s390/kernel/audit.c
+++ b/arch/s390/kernel/audit.c
@@ -54,6 +54,8 @@ int audit_classify_syscall(int abi, unsigned syscall)
 return 4;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/s390/kernel/compat_audit.c b/arch/s390/kernel/compat_audit.c
index 444fb1f66944..f7b32933ce0e 100644
--- a/arch/s390/kernel/compat_audit.c
+++ b/arch/s390/kernel/compat_audit.c
@@ -39,6 +39,8 @@ int s390_classify_syscall(unsigned syscall)
 return 4;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 1;
 }
diff --git a/arch/sparc/kernel/audit.c b/arch/sparc/kernel/audit.c
index a6e91bf34d48..b6dcca9c6520 100644
--- a/arch/sparc/kernel/audit.c
+++ b/arch/sparc/kernel/audit.c
@@ -55,6 +55,8 @@ int audit_classify_syscall(int abi, unsigned int syscall)
 return 4;
 case __NR_execve:
 return 5;
+ case __NR_openat2:
+ return 6;
 default:
 return 0;
 }
diff --git a/arch/sparc/kernel/compat_audit.c b/arch/sparc/kernel/compat_audit.c index 10
[PATCH V4] powerpc: add little endian flag to syscall_get_arch()
Since both ppc and ppc64 have LE variants which are now reported by uname, add that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC64LE variant. Without this, perf trace and auditctl fail. Mainline kernel reports ppc64le (per a058801) but there is no matching AUDIT_ARCH_PPC64LE. Since 32-bit PPC LE is not supported by audit, don't advertise it in AUDIT_ARCH_PPC* variants. See: https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html https://www.redhat.com/archives/linux-audit/2014-December/msg4.html Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/powerpc/include/asm/syscall.h |6 +- include/uapi/linux/audit.h |2 ++ 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..d1934e5 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(void)
 {
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE;
+#endif
+ return arch;
 }
 #endif /* _ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..d82beec 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
 #define AUDIT_ARCH_PARISC (EM_PARISC)
 #define AUDIT_ARCH_PARISC64(EM_PARISC|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC (EM_PPC)
+/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
 #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_S390(EM_S390)
 #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH (EM_SH)
-- 1.7.1 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
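Review bot: The new comment says AUDIT_ARCH_PPCLE is deliberately left undefined, yet syscall_get_arch() in the syscall.h hunk of this same patch still ORs `__AUDIT_ARCH_LE` onto `AUDIT_ARCH_PPC` whenever `is_32bit_task()` is true on a little-endian build, so the function can return exactly the value that has no name. A consumer that compares the result against the AUDIT_ARCH_* constants would then see an arch token it cannot match, and audit rules keyed on arch would not apply to that task. If a 32-bit task cannot exist on an LE kernel, which these hunks do not show, saying so next to the OR would be enough, e.g. `/* 32-bit LE tasks are not supported, so EM_PPC|__AUDIT_ARCH_LE is not expected here */`. Otherwise the LE bit should only be applied on the 64-bit branch.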
Re: [PATCH V4] powerpc: add little endian flag to syscall_get_arch()
On 14/12/10, Michael Ellerman wrote: On Tue, 2014-12-09 at 21:11 -0500, Paul Moore wrote: On Tuesday, December 09, 2014 03:37:07 PM Richard Guy Briggs wrote: Since both ppc and ppc64 have LE variants which are now reported by uname, add that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC64LE variant. Without this, perf trace and auditctl fail. Mainline kernel reports ppc64le (per a058801) but there is no matching AUDIT_ARCH_PPC64LE. Since 32-bit PPC LE is not supported by audit, don't advertise it in AUDIT_ARCH_PPC* variants. See: https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html https://www.redhat.com/archives/linux-audit/2014-December/msg4.html Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/powerpc/include/asm/syscall.h |6 +- include/uapi/linux/audit.h |2 ++ 2 files changed, 7 insertions(+), 1 deletions(-) The audit changes look fine to me, but as I mentioned earlier, this should go in via the ppc tree and not the audit tree. Acked-by: Paul Moore p...@paul-moore.com Thanks. Yep I'll take it via the powerpc tree, I'll CC stable as well as presumably we want this to work in all versions that had LE support. Yes, please! (I was very tempted to change the #error to #warning, but figured the placeholder comment in the uapi file was sufficient.) cheers - RGB -- Richard Guy Briggs rbri...@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH V2] powerpc: add little endian flag to syscall_get_arch()
Since both ppc and ppc64 have LE variants which are now reported by uname, add that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE variants. Without this, perf trace and auditctl fail. Mainline kernel reports ppc64le (per a058801) but there is no matching AUDIT_ARCH_PPC64LE. See: https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html https://www.redhat.com/archives/linux-audit/2014-December/msg4.html v1 - v2: Added ; at the end of the #ifdef-protected line so it actually compiles Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/powerpc/include/asm/syscall.h |6 +- include/uapi/linux/audit.h |2 ++ 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..d1934e5 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(void)
 {
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE;
+#endif
+ return arch;
 }
 #endif /* _ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fe29a99 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
 #define AUDIT_ARCH_PARISC (EM_PARISC)
 #define AUDIT_ARCH_PARISC64(EM_PARISC|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC (EM_PPC)
+#define AUDIT_ARCH_PPCLE (EM_PPC|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_S390(EM_S390)
 #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH (EM_SH)
-- 1.7.1 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH V3] powerpc: add little endian flag to syscall_get_arch()
Since both ppc and ppc64 have LE variants which are now reported by uname, add that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE variants. Without this, perf trace and auditctl fail. Mainline kernel reports ppc64le (per a058801) but there is no matching AUDIT_ARCH_PPC64LE. Since 32-bit PPC LE is not supported, throw a compiler error rather than return a bogus architecture to audit. See: https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html https://www.redhat.com/archives/linux-audit/2014-December/msg4.html v2 - v3: Throw a compiler error on 32-bit LE. v1 - v2: Added ; at the end of the #ifdef-protected line so it actually compiles Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/powerpc/include/asm/syscall.h |7 +++ include/uapi/linux/audit.h |1 + 2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..cf7fcab 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(void)
 {
+#ifdef __LITTLE_ENDIAN__
+ return AUDIT_ARCH_PPC64LE;
+#ifndef CONFIG_64BIT
+#error PPC 32-bit Little Endian architecture not supported.
+#endif /* CONFIG_64BIT */
+#else /* __LITTLE_ENDIAN__ */
 return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#endif /* __LITTLE_ENDIAN__ */
 }
 #endif /* _ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fa2a6af 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -365,6 +365,7 @@ enum {
 #define AUDIT_ARCH_PARISC64(EM_PARISC|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC (EM_PPC)
 #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_S390(EM_S390)
 #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH (EM_SH)
-- 1.7.1 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH] powerpc: add little endian flag to syscall_get_arch()
Since both ppc and ppc64 have LE variants which are now reported by uname, add that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE variants. Without this, perf trace and auditctl fail. Mainline kernel reports ppc64le (per a058801) but there is no matching AUDIT_ARCH_PPC64LE. See: https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html https://www.redhat.com/archives/linux-audit/2014-December/msg4.html Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/powerpc/include/asm/syscall.h |6 +- include/uapi/linux/audit.h |2 ++ 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..a58acab 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(void)
 {
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE
+#endif
+ return arch;
 }
 #endif /* _ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fe29a99 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
 #define AUDIT_ARCH_PARISC (EM_PARISC)
 #define AUDIT_ARCH_PARISC64(EM_PARISC|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_PPC (EM_PPC)
+#define AUDIT_ARCH_PPCLE (EM_PPC|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_S390(EM_S390)
 #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_SH (EM_SH)
-- 1.7.1 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
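Review bot: The added statement `arch |= __AUDIT_ARCH_LE` in syscall_get_arch() has no terminating semicolon, so every build with `__LITTLE_ENDIAN__` defined fails at the following `return arch;`; it should read `arch |= __AUDIT_ARCH_LE;`. Because the line sits inside the `#ifdef`, a big-endian build compiles cleanly and hides the error, so the change needs a little-endian build before it is posted. In the audit.h hunk, `AUDIT_ARCH_PPCLE` becomes part of the uapi header once merged; it is worth confirming that 32-bit LE is a configuration audit actually supports before giving it a public name.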
Re: [PATCH 3/4] ARCH: AUDIT: implement syscall_get_arch for all arches
On 14/03/19, Eric Paris wrote: For all arches which support audit implement syscall_get_arch() They are all pretty easy and straight forward, stolen from how the call to audit_syscall_entry() determines the arch. Signed-off-by: Eric Paris epa...@redhat.com Cc: linux-i...@vger.kernel.org Cc: microblaze-ucli...@itee.uq.edu.au Cc: linux-m...@linux-mips.org Cc: li...@lists.openrisc.net Cc: linux-par...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: sparcli...@vger.kernel.org Acked-by: Richard Guy Briggs r...@redhat.com --- arch/ia64/include/asm/syscall.h | 6 ++ arch/microblaze/include/asm/syscall.h | 5 + arch/mips/include/asm/syscall.h | 2 +- arch/openrisc/include/asm/syscall.h | 5 + arch/parisc/include/asm/syscall.h | 11 +++ arch/powerpc/include/asm/syscall.h| 12 arch/sparc/include/asm/syscall.h | 8 include/uapi/linux/audit.h| 1 + 8 files changed, 49 insertions(+), 1 deletion(-) diff --git a/arch/ia64/include/asm/syscall.h b/arch/ia64/include/asm/syscall.h index a7ff1c6..1d0b875 100644 --- a/arch/ia64/include/asm/syscall.h +++ b/arch/ia64/include/asm/syscall.h @@ -13,6 +13,7 @@ #ifndef _ASM_SYSCALL_H #define _ASM_SYSCALL_H 1 +#include uapi/linux/audit.h #include linux/sched.h #include linux/err.h @@ -79,4 +80,9 @@ static inline void syscall_set_arguments(struct task_struct *task, ia64_syscall_get_set_arguments(task, regs, i, n, args, 1); } + +static inline int syscall_get_arch(void) +{ + return AUDIT_ARCH_IA64; +} #endif /* _ASM_SYSCALL_H */ diff --git a/arch/microblaze/include/asm/syscall.h b/arch/microblaze/include/asm/syscall.h index 9bc4317..53cfaf3 100644 --- a/arch/microblaze/include/asm/syscall.h +++ b/arch/microblaze/include/asm/syscall.h @@ -1,6 +1,7 @@ #ifndef __ASM_MICROBLAZE_SYSCALL_H #define __ASM_MICROBLAZE_SYSCALL_H +#include uapi/linux/audit.h #include linux/kernel.h #include linux/sched.h #include asm/ptrace.h 
@@ -99,4 +100,8 @@ static inline void syscall_set_arguments(struct task_struct *task, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs); asmlinkage void do_syscall_trace_leave(struct pt_regs *regs); +static inline int syscall_get_arch(void) +{ + return AUDIT_ARCH_MICROBLAZE; +} #endif /* __ASM_MICROBLAZE_SYSCALL_H */ diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h index fc556d8..992b6ab 100644 --- a/arch/mips/include/asm/syscall.h +++ b/arch/mips/include/asm/syscall.h @@ -103,7 +103,7 @@ extern const unsigned long sysn32_call_table[]; static inline int syscall_get_arch(void) { - int arch = EM_MIPS; + int arch = AUDIT_ARCH_MIPS; #ifdef CONFIG_64BIT arch |= __AUDIT_ARCH_64BIT; #endif diff --git a/arch/openrisc/include/asm/syscall.h b/arch/openrisc/include/asm/syscall.h index b752bb6..2db9f1c 100644 --- a/arch/openrisc/include/asm/syscall.h +++ b/arch/openrisc/include/asm/syscall.h @@ -19,6 +19,7 @@ #ifndef __ASM_OPENRISC_SYSCALL_H__ #define __ASM_OPENRISC_SYSCALL_H__ +#include uapi/linux/audit.h #include linux/err.h #include linux/sched.h @@ -71,4 +72,8 @@ syscall_set_arguments(struct task_struct *task, struct pt_regs *regs, memcpy(regs-gpr[3 + i], args, n * sizeof(args[0])); } +static inline int syscall_get_arch(void) +{ + return AUDIT_ARCH_OPENRISC; +} #endif diff --git a/arch/parisc/include/asm/syscall.h b/arch/parisc/include/asm/syscall.h index 8bdfd2c..a5eba95 100644 --- a/arch/parisc/include/asm/syscall.h +++ b/arch/parisc/include/asm/syscall.h @@ -3,6 +3,8 @@ #ifndef _ASM_PARISC_SYSCALL_H_ #define _ASM_PARISC_SYSCALL_H_ +#include uapi/linux/audit.h +#include linux/compat.h #include linux/err.h #include asm/ptrace.h @@ -37,4 +39,13 @@ static inline void syscall_get_arguments(struct task_struct *tsk, } } +static inline int syscall_get_arch(void) +{ + int arch = AUDIT_ARCH_PARISC; +#ifdef CONFIG_64BIT + if (!is_compat_task()) + arch = AUDIT_ARCH_PARISC64; +#endif + return arch; +} #endif /*_ASM_PARISC_SYSCALL_H_*/ 
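Review bot: The parisc syscall_get_arch() added here takes no task argument yet picks between AUDIT_ARCH_PARISC and AUDIT_ARCH_PARISC64 with is_compat_task(), so its result describes only the task that is currently executing, and nothing in the hunk says so. A one-line comment above the function, for example `/* Reports the audit arch of current; not valid for any other task. */`, would keep a later caller from pairing another task's syscall number with the wrong arch in an audit record. The powerpc version that follows in this patch uses is_32bit_task() the same way and deserves the same comment.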
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h index b54b2ad..4271544 100644 --- a/arch/powerpc/include/asm/syscall.h +++ b/arch/powerpc/include/asm/syscall.h @@ -13,6 +13,8 @@ #ifndef _ASM_SYSCALL_H #define _ASM_SYSCALL_H 1 +#include uapi/linux/audit.h +#include linux/compat.h #include linux/sched.h /* ftrace syscalls requires exporting the sys_call_table */ @@ -86,4 +88,14 @@ static inline void syscall_set_arguments(struct task_struct *task, memcpy(regs-gpr[3 + i], args, n * sizeof(args[0])); } +static inline int syscall_get_arch(void) +{ + int arch = AUDIT_ARCH_PPC; + +#ifdef CONFIG_PPC64 + if (!is_32bit_task()) + arch = AUDIT_ARCH_PPC64; +#endif
Re: [PATCH 4/4] ARCH: AUDIT: audit_syscall_entry() should not require the arch
On 14/03/19, Eric Paris wrote: We have a function where the arch can be queried, syscall_get_arch(). So rather than have every single piece of arch specific code use and/or duplicate syscall_get_arch(), just have the audit code use the syscall_get_arch() code. Signed-off-by: Eric Paris epa...@redhat.com Cc: linux-al...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-i...@vger.kernel.org Cc: microblaze-ucli...@itee.uq.edu.au Cc: linux-m...@linux-mips.org Cc: li...@lists.openrisc.net Cc: linux-par...@vger.kernel.org Cc: linuxppc-dev@lists.ozlabs.org Cc: linux-s...@vger.kernel.org Cc: linux...@vger.kernel.org Cc: sparcli...@vger.kernel.org Cc: user-mode-linux-de...@lists.sourceforge.net Cc: linux-xte...@linux-xtensa.org Cc: x...@kernel.org Acked-by: Richard Guy Briggs r...@redhat.com --- arch/alpha/kernel/ptrace.c | 2 +- arch/arm/kernel/ptrace.c| 4 ++-- arch/ia64/kernel/ptrace.c | 2 +- arch/microblaze/kernel/ptrace.c | 3 +-- arch/mips/kernel/ptrace.c | 4 +--- arch/openrisc/kernel/ptrace.c | 3 +-- arch/parisc/kernel/ptrace.c | 9 +++-- arch/powerpc/kernel/ptrace.c| 7 ++- arch/s390/kernel/ptrace.c | 4 +--- arch/sh/kernel/ptrace_32.c | 14 +- arch/sh/kernel/ptrace_64.c | 17 + arch/sparc/kernel/ptrace_64.c | 9 ++--- arch/um/kernel/ptrace.c | 3 +-- arch/x86/kernel/ptrace.c| 8 ++-- arch/x86/um/asm/ptrace.h| 4 arch/xtensa/kernel/ptrace.c | 2 +- include/linux/audit.h | 7 --- 17 files changed, 25 insertions(+), 77 deletions(-) diff --git a/arch/alpha/kernel/ptrace.c b/arch/alpha/kernel/ptrace.c index 86d8351..d9ee817 100644 --- a/arch/alpha/kernel/ptrace.c +++ b/arch/alpha/kernel/ptrace.c @@ -321,7 +321,7 @@ asmlinkage unsigned long syscall_trace_enter(void) if (test_thread_flag(TIF_SYSCALL_TRACE) tracehook_report_syscall_entry(current_pt_regs())) ret = -1UL; - audit_syscall_entry(AUDIT_ARCH_ALPHA, regs-r0, regs-r16, regs-r17, regs-r18, regs-r19); + audit_syscall_entry(regs-r0, regs-r16, regs-r17, regs-r18, regs-r19); return ret ?: current_pt_regs()-r0; } 
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 0dd3b79..c9d2b34 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -943,8 +943,8 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, scno); - audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs-ARM_r0, regs-ARM_r1, - regs-ARM_r2, regs-ARM_r3); + audit_syscall_entry(scno, regs-ARM_r0, regs-ARM_r1, regs-ARM_r2, + regs-ARM_r3); return scno; } diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c index b7a5fff..6f54d51 100644 --- a/arch/ia64/kernel/ptrace.c +++ b/arch/ia64/kernel/ptrace.c @@ -1219,7 +1219,7 @@ syscall_trace_enter (long arg0, long arg1, long arg2, long arg3, ia64_sync_krbs(); - audit_syscall_entry(AUDIT_ARCH_IA64, regs.r15, arg0, arg1, arg2, arg3); + audit_syscall_entry(regs.r15, arg0, arg1, arg2, arg3); return 0; } diff --git a/arch/microblaze/kernel/ptrace.c b/arch/microblaze/kernel/ptrace.c index 39cf508..bb10637 100644 --- a/arch/microblaze/kernel/ptrace.c +++ b/arch/microblaze/kernel/ptrace.c @@ -147,8 +147,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) */ ret = -1L; - audit_syscall_entry(EM_MICROBLAZE, regs-r12, regs-r5, regs-r6, - regs-r7, regs-r8); + audit_syscall_entry(regs-r12, regs-r5, regs-r6, regs-r7, regs-r8); return ret ?: regs-r12; } diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index 65ba622..c06bb82 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -671,9 +671,7 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs-regs[2]); - audit_syscall_entry(syscall_get_arch(), - regs-regs[2], - regs-regs[4], regs-regs[5], + audit_syscall_entry(regs-regs[2], regs-regs[4], regs-regs[5], regs-regs[6], regs-regs[7]); } 
diff --git a/arch/openrisc/kernel/ptrace.c b/arch/openrisc/kernel/ptrace.c index 71a2a0c..4f59fa4 100644 --- a/arch/openrisc/kernel/ptrace.c +++ b/arch/openrisc/kernel/ptrace.c @@ -187,8 +187,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) */ ret = -1L; - audit_syscall_entry(AUDIT_ARCH_OPENRISC, regs-gpr[11], - regs-gpr[3], regs-gpr[4
[PATCH 0/6][RFC] audit: standardize and simplify syscall_get_arch()
Each arch that supports audit requires syscall_get_arch() to be able to log and identify architecture-dependent syscall numbers. The information is used in at least two different subsystems, so standardize it in the same call across all arches. Use the standardized syscall_get_arch() locally to add the arch to the AUDIT_SECCOMP record to identify which syscall was issued. Since all the callers of syscall_get_arch() presently pass current and none of the arch-specific syscall_get_arch() implementations use the regs parameter, call syscall_get_arch() locally where it is needed and drop passing around arch, current and regs in __audit_syscall_entry() and audit_syscall_entry(). Compiles and runs on i686, x86_64, ppc, ppc64, s390, s390x, manually tested in an x86_64 VM. aarch64 will be added soon. Richard Guy Briggs (6): syscall: define syscall_get_arch() for each audit-supported arch audit: add arch field to seccomp event log audit: __audit_syscall_entry: ignore arch arg and call syscall_get_arch() directly audit: drop arch from audit_syscall_entry() interface audit: drop args from syscall_get_arch() interface audit: drop arch from __audit_syscall_entry() interface arch/arm/include/asm/syscall.h|5 ++--- arch/arm/kernel/ptrace.c |2 +- arch/ia64/include/asm/syscall.h |6 ++ arch/ia64/kernel/ptrace.c |2 +- arch/microblaze/include/asm/syscall.h |5 + arch/microblaze/kernel/ptrace.c |2 +- arch/mips/include/asm/syscall.h |6 +++--- arch/mips/kernel/ptrace.c |3 +-- arch/openrisc/include/asm/syscall.h |5 + arch/openrisc/kernel/ptrace.c |2 +- arch/parisc/include/asm/syscall.h | 11 +++ arch/parisc/kernel/ptrace.c |5 ++--- arch/powerpc/include/asm/syscall.h| 12 arch/powerpc/kernel/ptrace.c |6 ++ arch/s390/include/asm/syscall.h |7 +++ arch/s390/kernel/ptrace.c |4 +--- arch/sh/include/asm/syscall.h | 16 arch/sh/kernel/ptrace_32.c| 13 + arch/sh/kernel/ptrace_64.c| 16 +--- arch/sparc/include/asm/syscall.h |7 +++ arch/sparc/kernel/ptrace_64.c |5 + arch/um/kernel/ptrace.c |3 +-- 
arch/x86/ia32/ia32entry.S | 12 ++-- arch/x86/include/asm/syscall.h| 10 -- arch/x86/kernel/entry_32.S| 11 +-- arch/x86/kernel/entry_64.S| 11 +-- arch/x86/kernel/ptrace.c |6 ++ arch/xtensa/kernel/ptrace.c |2 +- include/asm-generic/syscall.h |6 ++ include/linux/audit.h |9 - include/uapi/linux/audit.h|1 + kernel/auditsc.c |6 -- kernel/seccomp.c |4 ++-- 33 files changed, 120 insertions(+), 101 deletions(-) ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH 2/6][RFC] audit: add arch field to seccomp event log
The AUDIT_SECCOMP record looks something like this: type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm=test sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 In order to determine what syscall 231 maps to, we need to have the arch= field right before it. To see the event, compile this test.c program: = int main(void) { return seccomp_load(seccomp_init(SCMP_ACT_KILL)); } = gcc -g test.c -o test -lseccomp After running the program, find the record by: ausearch --start recent -m SECCOMP -i Signed-off-by: Richard Guy Briggs r...@redhat.com --- kernel/auditsc.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3bc12d2..7317f46 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -67,6 +67,7 @@ #include linux/binfmts.h #include linux/highmem.h #include linux/syscalls.h +#include asm/syscall.h #include linux/capability.h #include linux/fs_struct.h #include linux/compat.h @@ -2415,6 +2416,8 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) return; audit_log_task(ab); audit_log_format(ab, sig=%ld, signr); + audit_log_format(ab, arch=%x, +syscall_get_arch(current, task_pt_regs(current))); audit_log_format(ab, syscall=%ld, syscall); audit_log_format(ab, compat=%d, is_compat_task()); audit_log_format(ab, ip=0x%lx, KSTK_EIP(current)); -- 1.7.1 ___ Linuxppc-dev mailing list Linuxppc-dev@lists.ozlabs.org https://lists.ozlabs.org/listinfo/linuxppc-dev
[PATCH 1/6][RFC] syscall: define syscall_get_arch() for each audit-supported arch
Each arch that supports audit requires syscall_get_arch() to able to log and identify architecture-dependent syscall numbers. The information is used in at least two different subsystems, so standardize it in the same call across all arches. Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/ia64/include/asm/syscall.h |7 +++ arch/microblaze/include/asm/syscall.h |6 ++ arch/mips/include/asm/syscall.h |8 +++- arch/openrisc/include/asm/syscall.h |6 ++ arch/parisc/include/asm/syscall.h | 12 arch/powerpc/include/asm/syscall.h| 13 + arch/sh/include/asm/syscall.h | 17 + arch/sparc/include/asm/syscall.h |8 include/uapi/linux/audit.h|1 + 9 files changed, 77 insertions(+), 1 deletions(-) diff --git a/arch/ia64/include/asm/syscall.h b/arch/ia64/include/asm/syscall.h index a7ff1c6..0fd2a7a 100644 --- a/arch/ia64/include/asm/syscall.h +++ b/arch/ia64/include/asm/syscall.h @@ -15,6 +15,7 @@ #include linux/sched.h #include linux/err.h +#include linux/audit.h static inline long syscall_get_nr(struct task_struct *task, struct pt_regs *regs) @@ -79,4 +80,10 @@ static inline void syscall_set_arguments(struct task_struct *task, ia64_syscall_get_set_arguments(task, regs, i, n, args, 1); } + +static inline int syscall_get_arch(struct task_struct *tsk, + struct pt_regs *regs) +{ + return AUDIT_ARCH_IA64; +} #endif /* _ASM_SYSCALL_H */ diff --git a/arch/microblaze/include/asm/syscall.h b/arch/microblaze/include/asm/syscall.h index 9bc4317..06854da 100644 --- a/arch/microblaze/include/asm/syscall.h +++ b/arch/microblaze/include/asm/syscall.h @@ -3,6 +3,7 @@ #include linux/kernel.h #include linux/sched.h +#include linux/audit.h #include asm/ptrace.h /* The system call number is given by the user in R12 */ 
@@ -99,4 +100,9 @@ static inline void syscall_set_arguments(struct task_struct *task, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs); asmlinkage void do_syscall_trace_leave(struct pt_regs *regs); +static inline int syscall_get_arch(struct tast_struct *tsk, + struct pt_regs *regs) +{ + return AUDIT_ARCH_MICROBLAZE; +} #endif /* __ASM_MICROBLAZE_SYSCALL_H */ diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h index 81c8913..41ecde4 100644 --- a/arch/mips/include/asm/syscall.h +++ b/arch/mips/include/asm/syscall.h @@ -103,7 +103,7 @@ extern const unsigned long sysn32_call_table[]; static inline int __syscall_get_arch(void) { - int arch = EM_MIPS; + int arch = AUDIT_ARCH_MIPS; #ifdef CONFIG_64BIT arch |= __AUDIT_ARCH_64BIT; #endif @@ -113,4 +113,10 @@ static inline int __syscall_get_arch(void) return arch; } +static inline int syscall_get_arch(struct task_struct *task, + struct pt_regs *regs) +{ + return __syscall_get_arch(); +} + #endif /* __ASM_MIPS_SYSCALL_H */ diff --git a/arch/openrisc/include/asm/syscall.h b/arch/openrisc/include/asm/syscall.h index b752bb6..534b9c3 100644 --- a/arch/openrisc/include/asm/syscall.h +++ b/arch/openrisc/include/asm/syscall.h @@ -21,6 +21,7 @@ #include linux/err.h #include linux/sched.h +#include linux/audit.h static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs) @@ -71,4 +72,9 @@ syscall_set_arguments(struct task_struct *task, struct pt_regs *regs, memcpy(regs-gpr[3 + i], args, n * sizeof(args[0])); } +static inline int syscall_get_arch(struct task_struct *tsk, + struct pt_regs *regs) +{ + return AUDIT_ARCH_OPENRISC; +} #endif diff --git a/arch/parisc/include/asm/syscall.h b/arch/parisc/include/asm/syscall.h index 8bdfd2c..b3b604f 100644 --- a/arch/parisc/include/asm/syscall.h +++ b/arch/parisc/include/asm/syscall.h 
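Review bot: The first parameter of the microblaze syscall_get_arch() is declared as `struct tast_struct *tsk`, a misspelling of task_struct. C accepts this as a new incomplete type scoped to the prototype, so the header still builds, but a caller passing current should draw an incompatible-pointer-type warning. The line should be `static inline int syscall_get_arch(struct task_struct *tsk,`. Patch 5/6 of the series removes both parameters, yet the commits in between keep the typo, which matters when bisecting.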
@@ -4,6 +4,8 @@ #define _ASM_PARISC_SYSCALL_H_ #include linux/err.h +#include linux/compat.h +#include linux/audit.h #include asm/ptrace.h static inline long syscall_get_nr(struct task_struct *tsk, @@ -37,4 +39,14 @@ static inline void syscall_get_arguments(struct task_struct *tsk, } } +static inline int syscall_get_arch(struct task_struct *tsk, + struct pt_regs *regs) +{ + int arch = AUDIT_ARCH_PARISC; +#ifdef CONFIG_64BIT + if (!is_compat_task()) + arch = AUDIT_ARCH_PARISC64; +#endif + return arch; +} #endif /*_ASM_PARISC_SYSCALL_H_*/ diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h index b54b2ad..b824eb2 100644 --- a/arch/powerpc/include/asm/syscall.h +++ b/arch/powerpc/include/asm/syscall.h @@ -14,6 +14,8 @@ #define _ASM_SYSCALL_H 1 #include linux/sched.h +#include linux/compat.h +#include linux/audit.h /* ftrace syscalls requires exporting
[PATCH 3/6][RFC] audit: __audit_syscall_entry: ignore arch arg and call syscall_get_arch() directly
Since all the callers of syscall_get_arch() presently pass current and none of the arch-specific syscall_get_arch() implementations use the regs parameter, ignore the passed in arch parameter to __audit_syscall_entry() and call syscall_get_arch() directly. Change the audit header file from the kernel internal to the user api version to get the architecture numbers, but to avoid a circular header reference between audit and syscall.h Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/include/asm/syscall.h|2 +- arch/ia64/include/asm/syscall.h |2 +- arch/microblaze/include/asm/syscall.h |2 +- arch/mips/include/asm/syscall.h |2 +- arch/openrisc/include/asm/syscall.h |2 +- arch/parisc/include/asm/syscall.h |2 +- arch/powerpc/include/asm/syscall.h|2 +- arch/s390/include/asm/syscall.h |2 +- arch/sh/include/asm/syscall.h |2 +- arch/sparc/include/asm/syscall.h |2 +- arch/x86/include/asm/syscall.h|2 +- kernel/auditsc.c |2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h index 73ddd72..a749123 100644 --- a/arch/arm/include/asm/syscall.h +++ b/arch/arm/include/asm/syscall.h @@ -7,7 +7,7 @@ #ifndef _ASM_ARM_SYSCALL_H #define _ASM_ARM_SYSCALL_H -#include linux/audit.h /* for AUDIT_ARCH_* */ +#include uapi/linux/audit.h /* for AUDIT_ARCH_* */ #include linux/elf.h /* for ELF_EM */ #include linux/err.h #include linux/sched.h diff --git a/arch/ia64/include/asm/syscall.h b/arch/ia64/include/asm/syscall.h index 0fd2a7a..9c82767 100644 --- a/arch/ia64/include/asm/syscall.h +++ b/arch/ia64/include/asm/syscall.h @@ -15,7 +15,7 @@ #include linux/sched.h #include linux/err.h -#include linux/audit.h +#include uapi/linux/audit.h static inline long syscall_get_nr(struct task_struct *task, struct pt_regs *regs) diff --git a/arch/microblaze/include/asm/syscall.h b/arch/microblaze/include/asm/syscall.h index 06854da..e1acf8a 100644 --- a/arch/microblaze/include/asm/syscall.h 
+++ b/arch/microblaze/include/asm/syscall.h @@ -3,7 +3,7 @@ #include linux/kernel.h #include linux/sched.h -#include linux/audit.h +#include uapi/linux/audit.h #include asm/ptrace.h /* The system call number is given by the user in R12 */ diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h index 41ecde4..a8234f2 100644 --- a/arch/mips/include/asm/syscall.h +++ b/arch/mips/include/asm/syscall.h @@ -13,7 +13,7 @@ #ifndef __ASM_MIPS_SYSCALL_H #define __ASM_MIPS_SYSCALL_H -#include linux/audit.h +#include uapi/linux/audit.h #include linux/elf-em.h #include linux/kernel.h #include linux/sched.h diff --git a/arch/openrisc/include/asm/syscall.h b/arch/openrisc/include/asm/syscall.h index 534b9c3..2bbe0e9 100644 --- a/arch/openrisc/include/asm/syscall.h +++ b/arch/openrisc/include/asm/syscall.h @@ -21,7 +21,7 @@ #include linux/err.h #include linux/sched.h -#include linux/audit.h +#include uapi/linux/audit.h static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs) diff --git a/arch/parisc/include/asm/syscall.h b/arch/parisc/include/asm/syscall.h index b3b604f..2bf23b1 100644 --- a/arch/parisc/include/asm/syscall.h +++ b/arch/parisc/include/asm/syscall.h @@ -5,7 +5,7 @@ #include linux/err.h #include linux/compat.h -#include linux/audit.h +#include uapi/linux/audit.h #include asm/ptrace.h static inline long syscall_get_nr(struct task_struct *tsk, diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h index b824eb2..36bd9ef 100644 --- a/arch/powerpc/include/asm/syscall.h +++ b/arch/powerpc/include/asm/syscall.h @@ -15,7 +15,7 @@ #include linux/sched.h #include linux/compat.h -#include linux/audit.h +#include uapi/linux/audit.h /* ftrace syscalls requires exporting the sys_call_table */ #ifdef CONFIG_FTRACE_SYSCALLS diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h index cd29d2f..79d1805 100644 --- a/arch/s390/include/asm/syscall.h +++ b/arch/s390/include/asm/syscall.h 
@@ -12,7 +12,7 @@ #ifndef _ASM_SYSCALL_H #define _ASM_SYSCALL_H 1 -#include linux/audit.h +#include uapi/linux/audit.h #include linux/sched.h #include linux/err.h #include asm/ptrace.h diff --git a/arch/sh/include/asm/syscall.h b/arch/sh/include/asm/syscall.h index f1a79d4..33e60e0 100644 --- a/arch/sh/include/asm/syscall.h +++ b/arch/sh/include/asm/syscall.h @@ -9,7 +9,7 @@ extern const unsigned long sys_call_table[]; # include asm/syscall_64.h #endif -# include linux/audit.h +# include uapi/linux/audit.h static inline int syscall_get_arch(struct task_struct *tsk, struct pt_regs *regs) diff --git a/arch/sparc/include/asm/syscall.h b/arch/sparc/include/asm/syscall.h index c7a8f75..eddc60e 100644 --- a/arch/sparc/include/asm/syscall.h
[PATCH 4/6][RFC] audit: drop arch from audit_syscall_entry() interface
Make audit_syscall_entry() ignore the arch parameter passed to it and call syscall_get_arch() locally. Remove arch from the audit_syscall_entry() parameter list. Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/kernel/ptrace.c|2 +- arch/ia64/kernel/ptrace.c |2 +- arch/microblaze/kernel/ptrace.c |2 +- arch/mips/kernel/ptrace.c |3 +-- arch/openrisc/kernel/ptrace.c |2 +- arch/parisc/kernel/ptrace.c |5 ++--- arch/powerpc/kernel/ptrace.c|6 ++ arch/s390/kernel/ptrace.c |4 +--- arch/sh/kernel/ptrace_32.c | 13 + arch/sh/kernel/ptrace_64.c | 16 +--- arch/sparc/kernel/ptrace_64.c |5 + arch/um/kernel/ptrace.c |3 +-- arch/x86/kernel/ptrace.c|6 ++ arch/xtensa/kernel/ptrace.c |2 +- include/linux/audit.h |8 +--- 15 files changed, 22 insertions(+), 57 deletions(-) diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 0dd3b79..24664f5 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c @@ -943,7 +943,7 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno) if (test_thread_flag(TIF_SYSCALL_TRACEPOINT)) trace_sys_enter(regs, scno); - audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs-ARM_r0, regs-ARM_r1, + audit_syscall_entry(scno, regs-ARM_r0, regs-ARM_r1, regs-ARM_r2, regs-ARM_r3); return scno; diff --git a/arch/ia64/kernel/ptrace.c b/arch/ia64/kernel/ptrace.c index b7a5fff..6f54d51 100644 --- a/arch/ia64/kernel/ptrace.c +++ b/arch/ia64/kernel/ptrace.c @@ -1219,7 +1219,7 @@ syscall_trace_enter (long arg0, long arg1, long arg2, long arg3, ia64_sync_krbs(); - audit_syscall_entry(AUDIT_ARCH_IA64, regs.r15, arg0, arg1, arg2, arg3); + audit_syscall_entry(regs.r15, arg0, arg1, arg2, arg3); return 0; } diff --git a/arch/microblaze/kernel/ptrace.c b/arch/microblaze/kernel/ptrace.c index 39cf508..0abbb2e 100644 --- a/arch/microblaze/kernel/ptrace.c +++ b/arch/microblaze/kernel/ptrace.c 
@@ -147,7 +147,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) */ ret = -1L; - audit_syscall_entry(EM_MICROBLAZE, regs-r12, regs-r5, regs-r6, + audit_syscall_entry(regs-r12, regs-r5, regs-r6, regs-r7, regs-r8); return ret ?: regs-r12; diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c index b52e1d2..f68d75f 100644 --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -671,8 +671,7 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs) if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) trace_sys_enter(regs, regs-regs[2]); - audit_syscall_entry(__syscall_get_arch(), - regs-regs[2], + audit_syscall_entry(regs-regs[2], regs-regs[4], regs-regs[5], regs-regs[6], regs-regs[7]); } diff --git a/arch/openrisc/kernel/ptrace.c b/arch/openrisc/kernel/ptrace.c index 71a2a0c..c19cd19 100644 --- a/arch/openrisc/kernel/ptrace.c +++ b/arch/openrisc/kernel/ptrace.c @@ -187,7 +187,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs) */ ret = -1L; - audit_syscall_entry(AUDIT_ARCH_OPENRISC, regs-gpr[11], + audit_syscall_entry(regs-gpr[11], regs-gpr[3], regs-gpr[4], regs-gpr[5], regs-gpr[6]); diff --git a/arch/parisc/kernel/ptrace.c b/arch/parisc/kernel/ptrace.c index e842ee2..b2f84e2 100644 --- a/arch/parisc/kernel/ptrace.c +++ b/arch/parisc/kernel/ptrace.c @@ -276,13 +276,12 @@ long do_syscall_trace_enter(struct pt_regs *regs) #ifdef CONFIG_64BIT if (!is_compat_task()) - audit_syscall_entry(AUDIT_ARCH_PARISC64, - regs-gr[20], + audit_syscall_entry(regs-gr[20], regs-gr[26], regs-gr[25], regs-gr[24], regs-gr[23]); else #endif - audit_syscall_entry(AUDIT_ARCH_PARISC, + audit_syscall_entry( regs-gr[20] 0x, regs-gr[26] 0x, regs-gr[25] 0x, diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c index 2e3d2bf..cabc1ca 100644 --- a/arch/powerpc/kernel/ptrace.c +++ b/arch/powerpc/kernel/ptrace.c 
@@ -1788,14 +1788,12 @@ long do_syscall_trace_enter(struct pt_regs *regs) #ifdef CONFIG_PPC64 if (!is_32bit_task()) - audit_syscall_entry(AUDIT_ARCH_PPC64, - regs-gpr[0], + audit_syscall_entry(regs-gpr[0], regs-gpr[3], regs-gpr[4], regs-gpr[5
[PATCH 6/6][RFC] audit: drop arch from __audit_syscall_entry() interface
Since arch is found locally in __audit_syscall_entry(), there is no need to pass it in as a parameter. Delete it from the parameter list. x86* was the only arch to call __audit_syscall_entry() directly and did so from assembly code. Signed-off-by: Richard Guy Briggs r...@redhat.com --- Can I get some constructive scrutiny from the x86 asm guys here? It has been a long time since I've played with x86 assembly code (and never x86_64). I've done automated build/regression tests on i686 and x86_64, and I've done manual tests on an x86_64 virtual machine and everything appears to work fine. Thanks! arch/x86/ia32/ia32entry.S | 12 ++-- arch/x86/kernel/entry_32.S | 11 +-- arch/x86/kernel/entry_64.S | 11 +-- include/linux/audit.h |7 ++- kernel/auditsc.c |2 +- 5 files changed, 19 insertions(+), 24 deletions(-) diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S index 4299eb0..f5bdd28 100644 --- a/arch/x86/ia32/ia32entry.S +++ b/arch/x86/ia32/ia32entry.S @@ -186,12 +186,12 @@ sysexit_from_sys_call: #ifdef CONFIG_AUDITSYSCALL .macro auditsys_entry_common - movl %esi,%r9d /* 6th arg: 4th syscall arg */ - movl %edx,%r8d /* 5th arg: 3rd syscall arg */ - /* (already in %ecx) 4th arg: 2nd syscall arg */ - movl %ebx,%edx /* 3rd arg: 1st syscall arg */ - movl %eax,%esi /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ + movl %esi,%r8d /* 5th arg: 4th syscall arg */ + movl %ecx,%r9d /*swap with edx*/ + movl %edx,%ecx /* 4th arg: 3rd syscall arg */ + movl %r9d,%edx /* 3rd arg: 2nd syscall arg */ + movl %ebx,%esi /* 2nd arg: 1st syscall arg */ + movl %eax,%edi /* 1st arg: syscall number */ call __audit_syscall_entry movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ cmpq $(IA32_NR_syscalls-1),%rax diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S index a2a4f46..078053e 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S 
@@ -456,12 +456,11 @@ sysenter_audit: jnz syscall_trace_entry addl $4,%esp CFI_ADJUST_CFA_OFFSET -4 - /* %esi already in 8(%esp) 6th arg: 4th syscall arg */ - /* %edx already in 4(%esp) 5th arg: 3rd syscall arg */ - /* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */ - movl %ebx,%ecx /* 3rd arg: 1st syscall arg */ - movl %eax,%edx /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */ + movl %esi,4(%esp) /* 5th arg: 4th syscall arg */ + movl %edx,(%esp)/* 4th arg: 3rd syscall arg */ + /* %ecx already in %ecx3rd arg: 2nd syscall arg */ + movl %ebx,%edx /* 2nd arg: 1st syscall arg */ + /* %eax already in %eax1st arg: syscall number */ call __audit_syscall_entry pushl_cfi %ebx movl PT_EAX(%esp),%eax /* reload syscall number */ diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S index 1e96c36..8292ff7 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S @@ -694,12 +694,11 @@ badsys: * jump back to the normal fast path. */ auditsys: - movq %r10,%r9 /* 6th arg: 4th syscall arg */ - movq %rdx,%r8 /* 5th arg: 3rd syscall arg */ - movq %rsi,%rcx /* 4th arg: 2nd syscall arg */ - movq %rdi,%rdx /* 3rd arg: 1st syscall arg */ - movq %rax,%rsi /* 2nd arg: syscall number */ - movl $AUDIT_ARCH_X86_64,%edi/* 1st arg: audit arch */ + movq %r10,%r8 /* 5th arg: 4th syscall arg */ + movq %rdx,%rcx /* 4th arg: 3rd syscall arg */ + movq %rsi,%rdx /* 3rd arg: 2nd syscall arg */ + movq %rdi,%rsi /* 2nd arg: 1st syscall arg */ + movq %rax,%rdi /* 1st arg: syscall number */ call __audit_syscall_entry LOAD_ARGS 0 /* reload call-clobbered registers */ jmp system_call_fastpath diff --git a/include/linux/audit.h b/include/linux/audit.h index ee452f1..278bc9d 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -27,8 +27,6 @@ #include linux/ptrace.h #include uapi/linux/audit.h -#include asm/syscall.h - struct audit_sig_info { uid_t uid; pid_t pid; 
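Review bot: In sysenter_audit the two new stores, `movl %esi,4(%esp)` and `movl %edx,(%esp)`, write into stack slots that the removed comments describe as already holding %edx and %ecx. Those slots look like the saved user registers, since the code after the call does `pushl_cfi %ebx` and reloads the syscall number from `PT_EAX(%esp)`; the rest of sysenter_audit lies outside the hunk, so this is inferred. If the syscall is later dispatched from that frame, an audited task would run it with its second and third arguments replaced by the third and fourth, whereas the old sequence never wrote to the frame. A safer layout leaves the frame untouched and pushes copies of %esi and %edx as the fifth and fourth arguments, dropping them after `call __audit_syscall_entry`. The 32-bit test should check the arguments the syscall actually receives on an audited task, not only that an audit record appears.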
@@ -100,8 +98,7 @@ extern void audit_log_session_info(struct audit_buffer *ab); /* Public API */ extern int audit_alloc(struct task_struct
[PATCH 5/6][RFC] audit: drop args from syscall_get_arch() interface
Since all callers of syscall_get_arch() call with task current and none of the arch-dependent functions use the regs parameter (which could just as easily be found with task_pt_regs()), delete both parameters. Signed-off-by: Richard Guy Briggs r...@redhat.com --- arch/arm/include/asm/syscall.h|3 +-- arch/ia64/include/asm/syscall.h |3 +-- arch/microblaze/include/asm/syscall.h |3 +-- arch/mips/include/asm/syscall.h |8 +--- arch/openrisc/include/asm/syscall.h |3 +-- arch/parisc/include/asm/syscall.h |3 +-- arch/powerpc/include/asm/syscall.h|3 +-- arch/s390/include/asm/syscall.h |5 ++--- arch/sh/include/asm/syscall.h |3 +-- arch/sparc/include/asm/syscall.h |3 +-- arch/x86/include/asm/syscall.h|8 +++- include/asm-generic/syscall.h |6 ++ include/linux/audit.h |2 +- kernel/auditsc.c |5 ++--- kernel/seccomp.c |4 ++-- 15 files changed, 21 insertions(+), 41 deletions(-) diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h index a749123..4651f69 100644 --- a/arch/arm/include/asm/syscall.h +++ b/arch/arm/include/asm/syscall.h @@ -103,8 +103,7 @@ static inline void syscall_set_arguments(struct task_struct *task, memcpy(regs-ARM_r0 + i, args, n * sizeof(args[0])); } -static inline int syscall_get_arch(struct task_struct *task, - struct pt_regs *regs) +static inline int syscall_get_arch(void) { /* ARM tasks don't change audit architectures on the fly. */ return AUDIT_ARCH_ARM; diff --git a/arch/ia64/include/asm/syscall.h b/arch/ia64/include/asm/syscall.h index 9c82767..1ae443a 100644 --- a/arch/ia64/include/asm/syscall.h +++ b/arch/ia64/include/asm/syscall.h @@ -81,8 +81,7 @@ static inline void syscall_set_arguments(struct task_struct *task, ia64_syscall_get_set_arguments(task, regs, i, n, args, 1); } -static inline int syscall_get_arch(struct task_struct *tsk, - struct pt_regs *regs) +static inline int syscall_get_arch(void) { return AUDIT_ARCH_IA64; } 
diff --git a/arch/microblaze/include/asm/syscall.h b/arch/microblaze/include/asm/syscall.h index e1acf8a..5292281 100644 --- a/arch/microblaze/include/asm/syscall.h +++ b/arch/microblaze/include/asm/syscall.h @@ -100,8 +100,7 @@ static inline void syscall_set_arguments(struct task_struct *task, asmlinkage long do_syscall_trace_enter(struct pt_regs *regs); asmlinkage void do_syscall_trace_leave(struct pt_regs *regs); -static inline int syscall_get_arch(struct tast_struct *tsk, - struct pt_regs *regs) +static inline int syscall_get_arch(void) { return AUDIT_ARCH_MICROBLAZE; } diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h index a8234f2..992b6ab 100644 --- a/arch/mips/include/asm/syscall.h +++ b/arch/mips/include/asm/syscall.h @@ -101,7 +101,7 @@ extern const unsigned long sys_call_table[]; extern const unsigned long sys32_call_table[]; extern const unsigned long sysn32_call_table[]; -static inline int __syscall_get_arch(void) +static inline int syscall_get_arch(void) { int arch = AUDIT_ARCH_MIPS; #ifdef CONFIG_64BIT @@ -113,10 +113,4 @@ static inline int __syscall_get_arch(void) return arch; } -static inline int syscall_get_arch(struct task_struct *task, - struct pt_regs *regs) -{ - return __syscall_get_arch(); -} - #endif /* __ASM_MIPS_SYSCALL_H */ diff --git a/arch/openrisc/include/asm/syscall.h b/arch/openrisc/include/asm/syscall.h index 2bbe0e9..e598095 100644 --- a/arch/openrisc/include/asm/syscall.h +++ b/arch/openrisc/include/asm/syscall.h @@ -72,8 +72,7 @@ syscall_set_arguments(struct task_struct *task, struct pt_regs *regs, memcpy(regs-gpr[3 + i], args, n * sizeof(args[0])); } -static inline int syscall_get_arch(struct task_struct *tsk, - struct pt_regs *regs) +static inline int syscall_get_arch(void) { return AUDIT_ARCH_OPENRISC; } diff --git a/arch/parisc/include/asm/syscall.h b/arch/parisc/include/asm/syscall.h index 2bf23b1..87cc53d 100644 --- a/arch/parisc/include/asm/syscall.h +++ b/arch/parisc/include/asm/syscall.h 
@@ -39,8 +39,7 @@ static inline void syscall_get_arguments(struct task_struct *tsk, } } -static inline int syscall_get_arch(struct task_struct *tsk, - struct pt_regs *regs) +static inline int syscall_get_arch(void) { int arch = AUDIT_ARCH_PARISC; #ifdef CONFIG_64BIT diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h index 36bd9ef..616705b 100644 --- a/arch/powerpc/include/asm/syscall.h +++ b/arch/powerpc/include/asm/syscall.h @@ -88,8 +88,7 @@ static inline void syscall_set_arguments(struct task_struct *task
Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
On 14/02/25, AKASHI Takahiro wrote: Currently AUDITSYSCALL has a long list of architecture depencency: depends on AUDIT (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM AEABI !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity. Signed-off-by: AKASHI Takahiro takahiro.aka...@linaro.org Acked-by: Richard Guy Briggs r...@redhat.com --- arch/alpha/Kconfig |1 + arch/arm/Kconfig |1 + arch/ia64/Kconfig |1 + arch/parisc/Kconfig|1 + arch/powerpc/Kconfig |1 + arch/s390/Kconfig |1 + arch/sh/Kconfig|1 + arch/sparc/Kconfig |1 + arch/um/Kconfig.common |1 + arch/x86/Kconfig |1 + init/Kconfig |5 - 11 files changed, 14 insertions(+), 1 deletion(-) diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig index f6c6b34..b7ff9a3 100644 --- a/arch/alpha/Kconfig +++ b/arch/alpha/Kconfig @@ -22,6 +22,7 @@ config ALPHA select GENERIC_SMP_IDLE_THREAD select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER + select HAVE_ARCH_AUDITSYSCALL select HAVE_MOD_ARCH_SPECIFIC select MODULES_USE_ELF_RELA select ODD_RT_SIGACTION diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index e254198..ca79340 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -24,6 +24,7 @@ config ARM select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER select HARDIRQS_SW_RESEND + select HAVE_ARCH_AUDITSYSCALL if (AEABI !OABI_COMPAT) select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL select HAVE_ARCH_KGDB select HAVE_ARCH_SECCOMP_FILTER if (AEABI !OABI_COMPAT) diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig index 0c8e553..5409bf4 100644 --- a/arch/ia64/Kconfig +++ b/arch/ia64/Kconfig @@ -44,6 +44,7 @@ config IA64 select HAVE_MOD_ARCH_SPECIFIC select MODULES_USE_ELF_RELA select ARCH_USE_CMPXCHG_LOCKREF + select HAVE_ARCH_AUDITSYSCALL default y help The Itanium Processor Family is Intel's 64-bit successor to diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index bb2a8ec..1faefed 100644 --- a/arch/parisc/Kconfig 
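Review bot: In the arch/arm/Kconfig hunk, the new `select HAVE_ARCH_AUDITSYSCALL` repeats the AEABI/OABI_COMPAT condition that `HAVE_ARCH_SECCOMP_FILTER` carries two lines below, and nothing records why or ties the two together. Both features presumably depend on the syscall ABI being unambiguous, so a later change to one condition that misses the other could leave syscall auditing enabled on a configuration it does not cover, or silently unavailable. A one-line comment above the pair, e.g. `# audit and seccomp filter share the AEABI/OABI_COMPAT restriction; keep in sync`, would be enough. The ten per-arch selects match the ten architectures listed in the description; the init/Kconfig hunk that removes the old condition runs past the end of this excerpt, so it is not checked here.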
+++ b/arch/parisc/Kconfig @@ -28,6 +28,7 @@ config PARISC select CLONE_BACKWARDS select TTY # Needed for pdc_cons.c select HAVE_DEBUG_STACKOVERFLOW + select HAVE_ARCH_AUDITSYSCALL help The PA-RISC microprocessor is designed by Hewlett-Packard and used diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 957bf34..7b3b8fe 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -141,6 +141,7 @@ config PPC select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK select ARCH_USE_CMPXCHG_LOCKREF if PPC64 + select HAVE_ARCH_AUDITSYSCALL config GENERIC_CSUM def_bool CPU_LITTLE_ENDIAN diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 65a0775..1b58568 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -103,6 +103,7 @@ config S390 select GENERIC_SMP_IDLE_THREAD select GENERIC_TIME_VSYSCALL select HAVE_ALIGNED_STRUCT_PAGE if SLUB + select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL if !MARCH_G5 select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig index 6357710..4addd87 100644 --- a/arch/sh/Kconfig +++ b/arch/sh/Kconfig @@ -42,6 +42,7 @@ config SUPERH select MODULES_USE_ELF_RELA select OLD_SIGSUSPEND select OLD_SIGACTION + select HAVE_ARCH_AUDITSYSCALL help The SuperH is a RISC processor targeted for use in embedded systems and consumer electronics; it was also used in the Sega Dreamcast diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig index c51efdc..9c74d6b 100644 --- a/arch/sparc/Kconfig +++ b/arch/sparc/Kconfig @@ -77,6 +77,7 @@ config SPARC64 select ARCH_HAVE_NMI_SAFE_CMPXCHG select HAVE_C_RECORDMCOUNT select NO_BOOTMEM + select HAVE_ARCH_AUDITSYSCALL config ARCH_DEFCONFIG string diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common index 21ca44c..6915d28 100644 --- a/arch/um/Kconfig.common +++ b/arch/um/Kconfig.common @@ -1,6 +1,7 @@ config UML bool default y + select HAVE_ARCH_AUDITSYSCALL select HAVE_UID16 select GENERIC_IRQ_SHOW select GENERIC_CPU_DEVICES 
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0af5250..2938365 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -127,6 +127,7 @@ config X86 select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 select HAVE_CC_STACKPROTECTOR + select HAVE_ARCH_AUDITSYSCALL config INSTRUCTION_DECODER def_bool y diff --git a/init/Kconfig b/init