From: Eric Paris <eparis@redhat.com>
To: Nathaniel Husted <nhusted@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] Kernel: Audit Support For The ARM Platform (Re-post requested)
Date: Wed, 26 Oct 2011 13:07:51 -0400
Message-ID: <1319648871.3280.40.camel@localhost>
In-Reply-To: <CACkDPNctrHB5CqkccJCV=0+NzPJY54vb682WFpcXTJqTVY6_=A@mail.gmail.com>
On Wed, 2011-10-26 at 11:42 -0400, Nathaniel Husted wrote:
> This patch provides functionality to audit system call events on the
> ARM platform. The implementation was based off the structure of the
> MIPS platform and information in this
> (http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
> mailing list thread. The required audit_syscall_exit and
> audit_syscall_entry checks were added to ptrace using the standard
> registers for system call values (r0 through r3). A thread information
> flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
> added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
> entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
> set, the syscall_trace function will be executed. The proper changes
> were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
>
> Due to platform availability limitations, this patch was only tested
> on the Android platform running the modified "android-goldfish-2.6.29"
> kernel. A test compile was performed using Code Sourcery's
> cross-compilation toolset and the current linux-3.0 stable kernel. The
> changes compile without error. I'm hoping, due to the simple modifications,
> the patch is "obviously correct".
>
> Signed-off-by: Nathaniel Husted <nhusted@gmail.com>
> ---
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/include/asm/thread_info.h
> linux-3.0-modified/arch/arm/include/asm/thread_info.h
> --- linux-3.0-vanilla/arch/arm/include/asm/thread_info.h 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/include/asm/thread_info.h 2011-08-02
> 14:04:29.005599252 -0700
> @@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thr
> /*
> * thread information flags:
> * TIF_SYSCALL_TRACE - syscall trace active
> + * TIF_SYSCAL_AUDIT - syscall auditing active
> * TIF_SIGPENDING - signal pending
> * TIF_NEED_RESCHED - rescheduling necessary
> * TIF_NOTIFY_RESUME - callback before returning to user
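Review bot: the added comment line spells the flag `TIF_SYSCAL_AUDIT` (one L) while the define added further down in this file is `TIF_SYSCALL_AUDIT`; fix the comment so that a grep for the flag name finds its description.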
> @@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thr
> #define TIF_NEED_RESCHED 1
> #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
> #define TIF_SYSCALL_TRACE 8
> +#define TIF_SYSCALL_AUDIT 9
> #define TIF_POLLING_NRFLAG 16
> #define TIF_USING_IWMMXT 17
> #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
> @@ -150,12 +152,17 @@ extern void vfp_flush_hwstate(struct thr
> #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
> #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
> #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
> +
> #define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
> #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
> #define _TIF_FREEZE (1 << TIF_FREEZE)
> #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
> #define _TIF_SECCOMP (1 << TIF_SECCOMP)
>
> +/* Checks for any syscall work in entry-common.S */
> +#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
> +
> /*
> * Change these and you break ASM code in entry-common.S
> */
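Review bot: `_TIF_SYSCALL_WORK` is consumed as an immediate operand by `tst` in entry-common.S, so it must stay encodable as an ARM 8-bit rotated immediate; with bits 8 and 9 the mask is 0x300, which encodes fine, but a short comment saying so next to the define would protect it from a future flag bit that does not, which is the same hazard the existing "Change these and you break ASM code in entry-common.S" comment warns about. Also, the blank line added after `_TIF_SYSCALL_AUDIT` splits the otherwise contiguous `_TIF_*` block for no reason; drop it.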
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/entry-common.S
> linux-3.0-modified/arch/arm/kernel/entry-common.S
> --- linux-3.0-vanilla/arch/arm/kernel/entry-common.S 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/entry-common.S 2011-08-02
> 14:01:28.747720225 -0700
> @@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
> get_thread_info tsk
> ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing
> mov why, #1
> - tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls?
> + tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
> beq ret_slow_syscall
> mov r1, sp
> mov r0, #1 @ trace exit [IP = 1]
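Review bot: the `@ are we tracing syscalls?` comment on the changed `tst` line is now stale, because `_TIF_SYSCALL_WORK` also covers `TIF_SYSCALL_AUDIT`; reword it to "tracing or auditing syscalls?" so the assembly documents what the new mask actually means.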
> @@ -443,7 +443,7 @@ ENTRY(vector_swi)
> 1:
> #endif
>
> - tst r10, #_TIF_SYSCALL_TRACE @ are we
> tracing syscalls?
> + tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
> bne __sys_trace
>
> cmp scno, #NR_syscalls @ check upper syscall limit
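Review bot: the removed `tst r10, #_TIF_SYSCALL_TRACE` line arrives wrapped onto two lines in the mail (`@ are we` / `tracing syscalls?`), so this hunk will not apply as posted; please resend with a mailer that does not wrap long lines (git send-email). The same stale comment as in ret_from_fork applies here: update "are we tracing syscalls?" to mention auditing.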
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/ptrace.c
> linux-3.0-modified/arch/arm/kernel/ptrace.c
> --- linux-3.0-vanilla/arch/arm/kernel/ptrace.c 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/ptrace.c 2011-08-02
> 14:44:09.949722828 -0700
> @@ -926,11 +926,6 @@ asmlinkage int syscall_trace(int why, st
> {
> unsigned long ip;
>
> - if (!test_thread_flag(TIF_SYSCALL_TRACE))
> - return scno;
> - if (!(current->ptrace & PT_PTRACED))
> - return scno;
> -
> /*
> * Save IP. IP is used to denote syscall entry/exit:
> * IP = 0 -> entry, = 1 -> exit
> @@ -938,6 +933,25 @@ asmlinkage int syscall_trace(int why, st
> ip = regs->ARM_ip;
> regs->ARM_ip = why;
>
> + /* perform a secure computing check first */
> + if (regs->ARM_ip)
> + secure_computing(scno);
What is this part?
> +
> + if (unlikely(current->audit_context)) {
> + if (!ip)
> + audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
> + regs->ARM_r0);
> + else
> + audit_syscall_entry(AUDIT_ARCH_ARMEB, scno,
> + regs->ARM_r0, regs->ARM_r1,
> + regs->ARM_r2, regs->ARM_r3);
> + }
> +
> + if (!test_thread_flag(TIF_SYSCALL_TRACE))
> + return scno;
> + if (!(current->ptrace & PT_PTRACED))
> + return scno;
> +
> current_thread_info()->syscall = scno;
>
> /* the 0x80 provides a way for the tracing parent to distinguish
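Review bot: the entry/exit test in the audit block is inverted. By the comment kept in this hunk, IP = 0 means entry and IP = 1 means exit, and it is `why` that gets written into `regs->ARM_ip`; `ip` only holds the value saved from before that write, so `if (!ip)` calls `audit_syscall_exit()` whenever the saved value is 0, which is not the entry/exit indicator at all, and under the comment's own convention a 0 means entry. Branch on `why` instead: `if (why) audit_syscall_exit(...); else audit_syscall_entry(...);`. The `secure_computing(scno)` call has the related problem that `if (regs->ARM_ip)` is true on exit, i.e. it runs after the syscall has already executed; it is also not audit related and not mentioned in the commit message, so it should come out of this patch (that is the part Eric is asking about). Finally, `AUDIT_ARCH_ARMEB` is the big-endian arch value; on a little-endian kernel the arch field of every syscall record, and any `-F arch=` rule matched against it, will be wrong, so pass `AUDIT_ARCH_ARM` unless `__ARMEB__` is defined.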
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/init/Kconfig linux-3.0-modified/init/Kconfig
> --- linux-3.0-vanilla/init/Kconfig 2011-07-21 19:17:23.000000000 -0700
> +++ linux-3.0-modified/init/Kconfig 2011-08-02 14:02:06.359364526 -0700
> @@ -355,7 +355,7 @@ config AUDIT
>
> config AUDITSYSCALL
> bool "Enable system-call auditing support"
> - depends on AUDIT && (X86 || PPC || S390 || IA64 || UML ||
> SPARC64 || SUPERH)
> + depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
> SUPERH || ARM)
> default y if SECURITY_SELINUX
> help
> Enable low-overhead system-call auditing infrastructure that
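Review bot: both the `-` and the `+` `depends on` lines are wrapped by the mailer here (`... UML ||` / `SPARC64 || SUPERH)`), so this hunk fails to apply as well; in addition the patch is a `diff -uprN` of two full trees, so it needs `-p1` with the `linux-3.0-vanilla/` prefix stripped, and generating it with git format-patch / git send-email would avoid both problems. The Kconfig change itself is fine, but the existing `default y if SECURITY_SELINUX` now applies to ARM too, so any ARM configuration with SELinux enabled will pick up syscall auditing, and its per-syscall cost, automatically; worth a sentence in the commit message.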