From: Eric Paris <eparis@redhat.com>
To: linux-audit@redhat.com
Cc: viro@zeniv.linux.org.uk
Subject: [PATCH 24/26] Kernel: Audit Support For The ARM Platform
Date: Thu, 17 Nov 2011 17:04:59 -0500 [thread overview]
Message-ID: <20111117220459.23481.75637.stgit@paris.rdu.redhat.com> (raw)
In-Reply-To: <20111117220244.23481.96785.stgit@paris.rdu.redhat.com>
From: Nathaniel Husted <nhusted@gmail.com>
This patch provides functionality to audit system call events on the
ARM platform. The implementation was based off the structure of the
MIPS platform and information in this
(http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
mailing list thread. The required audit_syscall_exit and
audit_syscall_entry checks were added to ptrace using the standard
registers for system call values (r0 through r3). A thread information
flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
set, the syscall_trace function will be executed. The prober changes
were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
Due to platform availability limitations, this patch was only tested
on the Android platform running the modified "android-goldfish-2.6.29"
kernel. A test compile was performed using Code Sourcery's
cross-compilation toolset and the current linux-3.0 stable kernel. The
changes compile without error. I'm hoping, due to the simple modifications,
the patch is "obviously correct".
Signed-off-by: Nathaniel Husted <nhusted@gmail.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
---
arch/arm/include/asm/kprobes.h | 1 -
arch/arm/include/asm/ptrace.h | 5 +++++
arch/arm/include/asm/thread_info.h | 6 ++++++
arch/arm/kernel/entry-common.S | 4 ++--
arch/arm/kernel/ptrace.c | 16 +++++++++++-----
init/Kconfig | 2 +-
6 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/arch/arm/include/asm/kprobes.h b/arch/arm/include/asm/kprobes.h
index feec867..f82ec22 100644
--- a/arch/arm/include/asm/kprobes.h
+++ b/arch/arm/include/asm/kprobes.h
@@ -24,7 +24,6 @@
#define MAX_INSN_SIZE 2
#define MAX_STACK_SIZE 64 /* 32 would probably be OK */
-#define regs_return_value(regs) ((regs)->ARM_r0)
#define flush_insn_slot(p) do { } while (0)
#define kretprobe_blacklist_size 0
diff --git a/arch/arm/include/asm/ptrace.h b/arch/arm/include/asm/ptrace.h
index 96187ff..451808b 100644
--- a/arch/arm/include/asm/ptrace.h
+++ b/arch/arm/include/asm/ptrace.h
@@ -189,6 +189,11 @@ static inline int valid_user_regs(struct pt_regs *regs)
return 0;
}
+static inline long regs_return_value(struct pt_regs *regs)
+{
+ return regs->ARM_r0;
+}
+
#define instruction_pointer(regs) (regs)->ARM_pc
#ifdef CONFIG_SMP
diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
index 7b5cc8d..fd1d11f 100644
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thread_info *);
/*
* thread information flags:
* TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCAL_AUDIT - syscall auditing active
* TIF_SIGPENDING - signal pending
* TIF_NEED_RESCHED - rescheduling necessary
* TIF_NOTIFY_RESUME - callback before returning to user
@@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thread_info *);
#define TIF_NEED_RESCHED 1
#define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
#define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
#define TIF_POLLING_NRFLAG 16
#define TIF_USING_IWMMXT 17
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
@@ -150,12 +152,16 @@ extern void vfp_flush_hwstate(struct thread_info *);
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
#define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
#define _TIF_FREEZE (1 << TIF_FREEZE)
#define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
+/* Checks for any syscall work in entry-common.S */
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+
/*
* Change these and you break ASM code in entry-common.S
*/
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index b2a27b6..520889c 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
get_thread_info tsk
ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing
mov why, #1
- tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls?
+ tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
beq ret_slow_syscall
mov r1, sp
mov r0, #1 @ trace exit [IP = 1]
@@ -443,7 +443,7 @@ ENTRY(vector_swi)
1:
#endif
- tst r10, #_TIF_SYSCALL_TRACE @ are we tracing syscalls?
+ tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
cmp scno, #NR_syscalls @ check upper syscall limit
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 483727a..e1d5e19 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -906,11 +906,6 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
{
unsigned long ip;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return scno;
- if (!(current->ptrace & PT_PTRACED))
- return scno;
-
/*
* Save IP. IP is used to denote syscall entry/exit:
* IP = 0 -> entry, = 1 -> exit
@@ -918,6 +913,17 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
ip = regs->ARM_ip;
regs->ARM_ip = why;
+ if (!ip)
+ audit_syscall_exit(regs);
+ else
+ audit_syscall_entry(AUDIT_ARCH_ARMEB, scno, regs->ARM_r0,
+ regs->ARM_r1, regs->ARM_r2, regs->ARM_r3);
+
+ if (!test_thread_flag(TIF_SYSCALL_TRACE))
+ return scno;
+ if (!(current->ptrace & PT_PTRACED))
+ return scno;
+
current_thread_info()->syscall = scno;
/* the 0x80 provides a way for the tracing parent to distinguish
diff --git a/init/Kconfig b/init/Kconfig
index a8a87e5..98ba757 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -355,7 +355,7 @@ config AUDIT
config AUDITSYSCALL
bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH)
+ depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || ARM)
default y if SECURITY_SELINUX
help
Enable low-overhead system-call auditing infrastructure that
next prev parent reply other threads:[~2011-11-17 22:04 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-17 22:02 [PATCH 01/26] audit: make filetype matching consistent with other filters Eric Paris
2011-11-17 22:02 ` [PATCH 02/26] audit: dynamically allocate audit_names when not enough space is in the names array Eric Paris
2011-11-17 22:02 ` [PATCH 03/26] audit: drop the meaningless and format breaking word 'user' Eric Paris
2011-11-17 22:03 ` [PATCH 04/26] audit: check current inode and containing object when filtering on major and minor Eric Paris
2011-11-17 22:03 ` [PATCH 05/26] seccomp: audit abnormal end to a process due to seccomp Eric Paris
2011-11-17 22:03 ` [PATCH 06/26] Audit: push audit success and retcode into arch ptrace.h Eric Paris
2011-11-17 22:03 ` [PATCH 07/26] audit: ia32entry.S sign extend error codes when calling 64 bit code Eric Paris
2011-11-17 22:03 ` [PATCH 08/26] audit: inline audit_syscall_entry to reduce burdon on archs Eric Paris
2011-11-17 22:03 ` [PATCH 09/26] audit: remove AUDIT_SETUP_CONTEXT as it isn't used Eric Paris
2011-11-17 22:03 ` [PATCH 10/26] audit: drop some potentially inadvisable likely notations Eric Paris
2011-11-17 22:03 ` [PATCH 11/26] audit: inline checks for not needing to collect aux records Eric Paris
2011-11-17 22:03 ` [PATCH 12/26] audit: drop audit_set_macxattr as it doesn't do anything Eric Paris
2011-11-17 22:03 ` [PATCH 13/26] audit: inline audit_free to simplify the look of generic code Eric Paris
2011-11-17 22:04 ` [PATCH 14/26] audit: reject entry,always rules Eric Paris
2011-11-17 22:04 ` [PATCH 15/26] audit: remove audit_finish_fork as it can't be called Eric Paris
2011-11-17 22:04 ` [PATCH 16/26] audit: allow matching on obj_uid Eric Paris
2011-11-17 22:04 ` [PATCH 17/26] audit: allow audit matching on inode gid Eric Paris
2011-11-17 22:04 ` [PATCH 18/26] audit: allow interfield comparison in audit rules Eric Paris
2011-11-17 22:04 ` [PATCH 19/26] audit: complex interfield comparison helper Eric Paris
2011-11-17 22:04 ` [PATCH 20/26] audit: allow interfield comparison between gid and ogid Eric Paris
2011-11-17 22:04 ` [PATCH 21/26] audit: remove task argument to audit_set_loginuid Eric Paris
2011-11-17 22:04 ` [PATCH 22/26] audit: only allow tasks to set their loginuid if it is -1 Eric Paris
2011-11-17 22:04 ` [PATCH 23/26] audit: do not call audit_getname on error Eric Paris
2011-11-17 22:04 ` Eric Paris [this message]
2011-11-17 22:05 ` [PATCH 25/26] audit: fix mark refcounting Eric Paris
2011-11-17 22:05 ` [PATCH 26/26] audit: collect path information when possible Eric Paris
2011-11-17 22:47 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111117220459.23481.75637.stgit@paris.rdu.redhat.com \
--to=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox