Re: [RESEND PATCH 1/2] MIPS syscall auditing patches

[Eric Paris <eparis@redhat.com>]

On Wed, 2014-04-02 at 12:13 +0200, Manuel Lauss wrote:
> From: Ralf Baechle <ralf@linux-mips.org>
> 
> this is the first cut of the MIPS auditing patches.  MIPS doesn't quite
> fit into the existing pattern of other architectures and I'd appreciate
> your comments and maybe even an Acked-by.
> 
>  - MIPS syscalls return a success / error flag in register $7.  If the
>    flag is set then the return value in $2 is a *positive* error value.
>    This means the existing AUDITSC_RESULT() macro does not work on
>    MIPS and thus ptrace.c defines it's own version MIPS_AUDITSC_RESULT().

This is not needed (and not used by your patch).  The kernel uses a
combination of is_syscall_success(), regs_return_value(), and
syscall_get_arch().  The first 2 look good, the third looks like it
needs to be reworked a little....

>  - Linux on MIPS extends the traditional syscall table used by older UNIX
>    implementations.  This is why 32-bit Linux syscalls are starting from
>    4000; the native 64-bit syscalls start from 5000 and the N32 compat ABI
>    from 6000.  The existing syscall bitmap is only large enough for at most
>    2048 syscalls, so I had to increase AUDIT_BITMASK_SIZE to 256 which
>    provides enough space for 8192 syscalls.  Because include/linux/audit.h
>    and AUDIT_BITMASK_SIZE are exported to userspace I've used an #ifdef
>    __mips__ for this.

Seems like we have little/no other choice.

>  - I've introduced a flag __AUDIT_ARCH_ALT to indicate an alternative ABI.
>    The name of the flag is intentionally very generic to make the name
>    hopefully fit other architectures' eventual need as well.  On MIPS it
>    indicates the 3rd ABI known as N32.

Sounds about as good as we can do.

>  - To make matters worse, most MIPS processors can be configured to be
>    big or little endian.  Traditionally the the 64-bit little endian
>    configuration is named mips64el, so I've changed references to MIPSEL64
>    in audit.h to MIPS64EL.

Feel free to change it.  We can put the old name back if someone was
potentially using it...

>  - The code treats the little endian MIPS architecture as separate from
>    big endian.  Combined with the 3 ABIs that's 6 combinations.  I tried
>    to sort of follow the example set by ARM which explicitly lists the
>    (rare) big endian architecture variant - but it doesn't seem to very
>    useful so I wonder if this could be squashed to just the three ABIs
>    without consideration of endianess?

Yes, squash.  Assuming the syscall table is the exact same, we don't
actually care.  We send info to userspace in string order, not
endianness order, so it doesn't matter...

>  - Talking about flags; I've defined the the N32 architecture flags were defined
> 
>     #define AUDIT_ARCH_MIPS64_N32  (EM_MIPS|__AUDIT_ARCH_ALT)
>     #define AUDIT_ARCH_MIPS64EL_N32 (EM_MIPS|__AUDIT_ARCH_ALT|__AUDIT_ARCH_LE
> 
>     N32 is a 32-bit ABI but one that only runs on 64-bit processors as it
>     uses 64-bit registers for 64-bit integers.  So I'm uncertain if the
>     __AUDIT_ARCH_64BIT flags should be set or not.

As long as AUDIT_ARCH_MIPS64EL_N32 is uniquely identifiable you are
fine.  I'm assuming the syscall arguments are 64bit long.  So lets just
call it a 64BIT arch...