From: Paul Moore <pmoore@redhat.com>
To: linux-audit@redhat.com
Subject: ABIs, syscall tables, and the AUDIT_ARCH_* defines
Date: Tue, 29 Oct 2013 17:28:59 -0400 [thread overview]
Message-ID: <1497730.rRcDeUs2mQ@sifl> (raw)
Hello all,
I've been dealing with the AUDIT_ARCH_* defines, different ABIs and syscall
tables a fair amount lately as part of libseccomp[1] and a little birdie
thought it might be a good idea to post something to the Linux audit list.
So here we go. I'll try to be brief.
First off, if you already understand that in some cases a given AUDIT_ARCH_*
value can represent multiple ABIs and you are fine with that, feel free to hit
delete now and move on. I'm not trying to argue that what audit is currently
doing is right or wrong, just trying to make things perhaps a bit more clear.
The core issue is that AUDIT_ARCH alone can not be used to specify a given
ABI, all the AUDIT_ARCH value can tell you is the syscall table; which in it's
defense, is all the original source comments claim. However, if you want to
be able to identify an ABI, I'm finding that you need both the AUDIT_ARCH
value and the syscall number (from my experience this hold true for x86,
x86_64, x32, ARM OABI, and ARM EABI, I can't speak for others at this point).
Take x86_64 and x32 as an example (think of x32 as a 32-bit version of
x86_64). Both x32 and x86_64 use the AUDIT_ARCH_X86_64 value and general
calling convention, but they have a different syscall table. The x32 syscall
table is the same as the x86_64 syscall table but with a 0x40000000 offset,
e.g. on x86_64 the write() syscall is 0x01 but on x32 write() is 0x40000001.
The 32-bit ARM ABIs are similar in that the EABI and OABI ABIs share the same
AUDIT_ARCH_ARM value and have similar syscall tables, separated by a 0x900000
offset. With ARM there is some additional oddities between OABI and EABI with
respect to syscall arguments, but I'm still figuring that out myself and it
wouldn't be right for me to talk about that here.
There ya go, hopefully this helps somewhat. If you have any questions I'll do
my best to try and answer them.
-Paul
[1] http://sourceforge.net/projects/libseccomp
--
paul moore
security and virtualization @ redhat
next reply other threads:[~2013-10-29 21:28 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-29 21:28 Paul Moore [this message]
2013-10-29 21:29 ` ABIs, syscall tables, and the AUDIT_ARCH_* defines Eric Paris
2013-10-29 21:56 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1497730.rRcDeUs2mQ@sifl \
--to=pmoore@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox