* [PATCH] audit: add arch field to seccomp event log
@ 2014-02-14 20:23 Richard Guy Briggs
2014-02-14 20:49 ` Eric Paris
0 siblings, 1 reply; 11+ messages in thread
From: Richard Guy Briggs @ 2014-02-14 20:23 UTC (permalink / raw)
To: linux-audit, linux-kernel; +Cc: Richard Guy Briggs, Eric Paris, Steve Grubb
The AUDIT_SECCOMP record looks something like this:
type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0
In order to determine what syscall 231 maps to, we need to have the arch= field right before it.
To see the event, compile this test.c program:
=====
int main(void)
{
return seccomp_load(seccomp_init(SCMP_ACT_KILL));
}
=====
gcc -g test.c -o test -lseccomp
After running the program, find the record by: ausearch --start recent -m SECCOMP -i
---
kernel/auditsc.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 6874c1f..c464d44 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
return;
audit_log_task(ab);
audit_log_format(ab, " sig=%ld", signr);
+ audit_log_format(ab, " arch=%x", current->audit_context->arch);
audit_log_format(ab, " syscall=%ld", syscall);
audit_log_format(ab, " compat=%d", is_compat_task());
audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
--
1.7.1
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-14 20:23 [PATCH] audit: add arch field to seccomp event log Richard Guy Briggs @ 2014-02-14 20:49 ` Eric Paris 2014-02-14 20:50 ` Richard Guy Briggs 0 siblings, 1 reply; 11+ messages in thread From: Eric Paris @ 2014-02-14 20:49 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, Steve Grubb On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > The AUDIT_SECCOMP record looks something like this: > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > To see the event, compile this test.c program: > > ===== > int main(void) > { > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > } > ===== > > gcc -g test.c -o test -lseccomp > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > --- > kernel/auditsc.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6874c1f..c464d44 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > return; > audit_log_task(ab); > audit_log_format(ab, " sig=%ld", signr); > + audit_log_format(ab, " arch=%x", current->audit_context->arch); What happens if the task does not have current->audit_context allocated? Seems possible if signr is non-zero... > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-14 20:49 ` Eric Paris @ 2014-02-14 20:50 ` Richard Guy Briggs 2014-02-14 20:52 ` Richard Guy Briggs 0 siblings, 1 reply; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-14 20:50 UTC (permalink / raw) To: Eric Paris; +Cc: linux-audit, linux-kernel, Steve Grubb On 14/02/14, Eric Paris wrote: > On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > > The AUDIT_SECCOMP record looks something like this: > > > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > > > To see the event, compile this test.c program: > > > > ===== > > int main(void) > > { > > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > > } > > ===== > > > > gcc -g test.c -o test -lseccomp > > > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > > --- > > kernel/auditsc.c | 1 + > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 6874c1f..c464d44 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > > return; > > audit_log_task(ab); > > audit_log_format(ab, " sig=%ld", signr); > > + audit_log_format(ab, " arch=%x", current->audit_context->arch); > > > What happens if the task does not have current->audit_context allocated? > Seems possible if signr is non-zero... I had assumed that since we got this far, that there was an audit context. This was my first patch: --- kernel/auditsc.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6874c1f..ef16e02 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2406,12 +2406,19 @@ void audit_core_dumps(long signr) void __audit_seccomp(unsigned long syscall, long signr, int code) { struct audit_buffer *ab; + //struct audit_context *context audit_get_context(current, 0, 0); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); if (unlikely(!ab)) return; audit_log_task(ab); audit_log_format(ab, " sig=%ld", signr); + //audit_log_format(ab, " arch="); + //if (context) + //audit_log_format(ab, "(null)"); + //else + //audit_log_format(ab, "%x", context->arch); + audit_log_format(ab, " arch=%x", current->audit_context->arch); audit_log_format(ab, " syscall=%ld", syscall); audit_log_format(ab, " compat=%d", is_compat_task()); audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); -- 1.7.1 > > audit_log_format(ab, " syscall=%ld", syscall); > > audit_log_format(ab, " compat=%d", is_compat_task()); > > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > > - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-14 20:50 ` Richard Guy Briggs @ 2014-02-14 20:52 ` Richard Guy Briggs 2014-02-14 21:12 ` Eric Paris 0 siblings, 1 reply; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-14 20:52 UTC (permalink / raw) To: Eric Paris; +Cc: linux-audit, linux-kernel, Steve Grubb On 14/02/14, Richard Guy Briggs wrote: > On 14/02/14, Eric Paris wrote: > > On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > > > The AUDIT_SECCOMP record looks something like this: > > > > > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > > > > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > > > > > To see the event, compile this test.c program: > > > > > > ===== > > > int main(void) > > > { > > > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > > > } > > > ===== > > > > > > gcc -g test.c -o test -lseccomp > > > > > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > > > --- > > > kernel/auditsc.c | 1 + > > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index 6874c1f..c464d44 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > > > return; > > > audit_log_task(ab); > > > audit_log_format(ab, " sig=%ld", signr); > > > + audit_log_format(ab, " arch=%x", current->audit_context->arch); > > > > > > What happens if the task does not have current->audit_context allocated? > > Seems possible if signr is non-zero... > > I had assumed that since we got this far, that there was an audit > context. This was my first patch: Sorry, pulled the trigger too fast: --- kernel/auditsc.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6874c1f..3023d03 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) void __audit_seccomp(unsigned long syscall, long signr, int code) { struct audit_buffer *ab; + struct audit_context *context audit_get_context(current, 0, 0); ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); if (unlikely(!ab)) return; audit_log_task(ab); audit_log_format(ab, " sig=%ld", signr); + audit_log_format(ab, " arch="); + if (context) + audit_log_format(ab, "(null)"); + else + audit_log_format(ab, "%x", context->arch); audit_log_format(ab, " syscall=%ld", syscall); audit_log_format(ab, " compat=%d", is_compat_task()); audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); -- 1.7.1 > - RGB - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-14 20:52 ` Richard Guy Briggs @ 2014-02-14 21:12 ` Eric Paris 2014-02-18 20:50 ` Richard Guy Briggs 0 siblings, 1 reply; 11+ messages in thread From: Eric Paris @ 2014-02-14 21:12 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, Steve Grubb On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: > On 14/02/14, Richard Guy Briggs wrote: > > On 14/02/14, Eric Paris wrote: > > > On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > > > > The AUDIT_SECCOMP record looks something like this: > > > > > > > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > > > > > > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > > > > > > > To see the event, compile this test.c program: > > > > > > > > ===== > > > > int main(void) > > > > { > > > > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > > > > } > > > > ===== > > > > > > > > gcc -g test.c -o test -lseccomp > > > > > > > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > > > > --- > > > > kernel/auditsc.c | 1 + > > > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > index 6874c1f..c464d44 100644 > > > > --- a/kernel/auditsc.c > > > > +++ b/kernel/auditsc.c > > > > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > > > > return; > > > > audit_log_task(ab); > > > > audit_log_format(ab, " sig=%ld", signr); > > > > + audit_log_format(ab, " arch=%x", current->audit_context->arch); > > > > > > > > > What happens if the task does not have current->audit_context allocated? > > > Seems possible if signr is non-zero... > > > > I had assumed that since we got this far, that there was an audit > > context. This was my first patch: > > Sorry, pulled the trigger too fast: > > --- > kernel/auditsc.c | 6 ++++++ > 1 files changed, 6 insertions(+), 0 deletions(-) > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 6874c1f..3023d03 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > void __audit_seccomp(unsigned long syscall, long signr, int code) > { > struct audit_buffer *ab; > + struct audit_context *context audit_get_context(current, 0, 0); missing '=' but this isn't what audit_get_context() does... it's crappy naming... I'd think a combo of audit_dummy_context() and current->audit_context would be most appropriate. > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > if (unlikely(!ab)) > return; > audit_log_task(ab); > audit_log_format(ab, " sig=%ld", signr); > + audit_log_format(ab, " arch="); > + if (context) > + audit_log_format(ab, "(null)"); > + else > + audit_log_format(ab, "%x", context->arch); > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-14 21:12 ` Eric Paris @ 2014-02-18 20:50 ` Richard Guy Briggs 2014-02-18 20:55 ` Eric Paris 2014-02-18 21:01 ` Steve Grubb 0 siblings, 2 replies; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-18 20:50 UTC (permalink / raw) To: Eric Paris; +Cc: linux-audit, linux-kernel, Steve Grubb On 14/02/14, Eric Paris wrote: > On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: > > On 14/02/14, Richard Guy Briggs wrote: > > > On 14/02/14, Eric Paris wrote: > > > > On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > > > > > The AUDIT_SECCOMP record looks something like this: > > > > > > > > > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > > > > > > > > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > > > > > > > > > To see the event, compile this test.c program: > > > > > > > > > > ===== > > > > > int main(void) > > > > > { > > > > > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > > > > > } > > > > > ===== > > > > > > > > > > gcc -g test.c -o test -lseccomp > > > > > > > > > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > > > > > --- > > > > > kernel/auditsc.c | 1 + > > > > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > index 6874c1f..c464d44 100644 > > > > > --- a/kernel/auditsc.c > > > > > +++ b/kernel/auditsc.c > > > > > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > > > > > return; > > > > > audit_log_task(ab); > > > > > audit_log_format(ab, " sig=%ld", signr); > > > > > + audit_log_format(ab, " arch=%x", current->audit_context->arch); > > > > > > > > > > > > What happens if the task does not have current->audit_context allocated? > > > > Seems possible if signr is non-zero... > > > > > > I had assumed that since we got this far, that there was an audit > > > context. This was my first patch: > > > > Sorry, pulled the trigger too fast: > > > > --- > > kernel/auditsc.c | 6 ++++++ > > 1 files changed, 6 insertions(+), 0 deletions(-) > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > index 6874c1f..3023d03 100644 > > --- a/kernel/auditsc.c > > +++ b/kernel/auditsc.c > > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > > void __audit_seccomp(unsigned long syscall, long signr, int code) > > { > > struct audit_buffer *ab; > > + struct audit_context *context audit_get_context(current, 0, 0); > > missing '=' but this isn't what audit_get_context() does... it's > crappy naming... I'd think a combo of audit_dummy_context() and > current->audit_context would be most appropriate. Ok. I think I finally understand audit_dummy_context(). Thanks for the hint. However, it appears it is not useful in this sitation, since if there is an audit_context, even a dummy context, it appears arch is filled in. diff --git a/kernel/auditsc.c b/kernel/auditsc.c @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) void __audit_seccomp(unsigned long syscall, long signr, int code) { struct audit_buffer *ab; + struct audit_context *context = current->audit_context; ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); if (unlikely(!ab)) return; audit_log_task(ab); audit_log_format(ab, " sig=%ld", signr); + audit_log_format(ab, " arch="); + if (context) + audit_log_format(ab, "%x", context->arch); + else + audit_log_format(ab, "(null)"); audit_log_format(ab, " syscall=%ld", syscall); audit_log_format(ab, " compat=%d", is_compat_task()); audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-18 20:50 ` Richard Guy Briggs @ 2014-02-18 20:55 ` Eric Paris 2014-02-18 21:01 ` Steve Grubb 1 sibling, 0 replies; 11+ messages in thread From: Eric Paris @ 2014-02-18 20:55 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: linux-audit, linux-kernel, Steve Grubb On Tue, 2014-02-18 at 15:50 -0500, Richard Guy Briggs wrote: > On 14/02/14, Eric Paris wrote: > > On Fri, 2014-02-14 at 15:52 -0500, Richard Guy Briggs wrote: > > > On 14/02/14, Richard Guy Briggs wrote: > > > > On 14/02/14, Eric Paris wrote: > > > > > On Fri, 2014-02-14 at 15:23 -0500, Richard Guy Briggs wrote: > > > > > > The AUDIT_SECCOMP record looks something like this: > > > > > > > > > > > > type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0 > > > > > > > > > > > > In order to determine what syscall 231 maps to, we need to have the arch= field right before it. > > > > > > > > > > > > To see the event, compile this test.c program: > > > > > > > > > > > > ===== > > > > > > int main(void) > > > > > > { > > > > > > return seccomp_load(seccomp_init(SCMP_ACT_KILL)); > > > > > > } > > > > > > ===== > > > > > > > > > > > > gcc -g test.c -o test -lseccomp > > > > > > > > > > > > After running the program, find the record by: ausearch --start recent -m SECCOMP -i > > > > > > --- > > > > > > kernel/auditsc.c | 1 + > > > > > > 1 files changed, 1 insertions(+), 0 deletions(-) > > > > > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > > index 6874c1f..c464d44 100644 > > > > > > --- a/kernel/auditsc.c > > > > > > +++ b/kernel/auditsc.c > > > > > > @@ -2412,6 +2412,7 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) > > > > > > return; > > > > > > audit_log_task(ab); > > > > > > audit_log_format(ab, " sig=%ld", signr); > > > > > > + audit_log_format(ab, " arch=%x", current->audit_context->arch); > > > > > > > > > > > > > > > What happens if the task does not have current->audit_context allocated? > > > > > Seems possible if signr is non-zero... > > > > > > > > I had assumed that since we got this far, that there was an audit > > > > context. This was my first patch: > > > > > > Sorry, pulled the trigger too fast: > > > > > > --- > > > kernel/auditsc.c | 6 ++++++ > > > 1 files changed, 6 insertions(+), 0 deletions(-) > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > index 6874c1f..3023d03 100644 > > > --- a/kernel/auditsc.c > > > +++ b/kernel/auditsc.c > > > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > > > void __audit_seccomp(unsigned long syscall, long signr, int code) > > > { > > > struct audit_buffer *ab; > > > + struct audit_context *context audit_get_context(current, 0, 0); > > > > missing '=' but this isn't what audit_get_context() does... it's > > crappy naming... I'd think a combo of audit_dummy_context() and > > current->audit_context would be most appropriate. > > Ok. I think I finally understand audit_dummy_context(). Thanks for the > hint. However, it appears it is not useful in this sitation, since if > there is an audit_context, even a dummy context, it appears arch is > filled in. get a good commit message and feel free to add my Acked-by. -Eric > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > void __audit_seccomp(unsigned long syscall, long signr, int code) > { > struct audit_buffer *ab; > + struct audit_context *context = current->audit_context; > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > if (unlikely(!ab)) > return; > audit_log_task(ab); > audit_log_format(ab, " sig=%ld", signr); > + audit_log_format(ab, " arch="); > + if (context) > + audit_log_format(ab, "%x", context->arch); > + else > + audit_log_format(ab, "(null)"); > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > > - RGB > > -- > Richard Guy Briggs <rbriggs@redhat.com> > Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat > Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-18 20:50 ` Richard Guy Briggs 2014-02-18 20:55 ` Eric Paris @ 2014-02-18 21:01 ` Steve Grubb 2014-02-19 3:15 ` Richard Guy Briggs 1 sibling, 1 reply; 11+ messages in thread From: Steve Grubb @ 2014-02-18 21:01 UTC (permalink / raw) To: Richard Guy Briggs; +Cc: Eric Paris, linux-audit, linux-kernel On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: > > missing '=' but this isn't what audit_get_context() does... it's > > crappy naming... I'd think a combo of audit_dummy_context() and > > current->audit_context would be most appropriate. > > Ok. I think I finally understand audit_dummy_context(). Thanks for the > hint. However, it appears it is not useful in this sitation, since if > there is an audit_context, even a dummy context, it appears arch is > filled in. > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > void __audit_seccomp(unsigned long syscall, long signr, int code) > { > struct audit_buffer *ab; > + struct audit_context *context = current->audit_context; > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > if (unlikely(!ab)) > return; > audit_log_task(ab); > audit_log_format(ab, " sig=%ld", signr); > + audit_log_format(ab, " arch="); > + if (context) > + audit_log_format(ab, "%x", context->arch); > + else > + audit_log_format(ab, "(null)"); > audit_log_format(ab, " syscall=%ld", syscall); > audit_log_format(ab, " compat=%d", is_compat_task()); > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); Is there anything that could be passed by the caller that might identify the syscall ABI when this call was blocked? '(null)' still makes syscall number uninterpretable. -Steve ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-18 21:01 ` Steve Grubb @ 2014-02-19 3:15 ` Richard Guy Briggs 2014-02-19 19:37 ` Richard Guy Briggs 0 siblings, 1 reply; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-19 3:15 UTC (permalink / raw) To: Steve Grubb; +Cc: Eric Paris, linux-audit, linux-kernel On 14/02/18, Steve Grubb wrote: > On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: > > > missing '=' but this isn't what audit_get_context() does... it's > > > crappy naming... I'd think a combo of audit_dummy_context() and > > > current->audit_context would be most appropriate. > > > > Ok. I think I finally understand audit_dummy_context(). Thanks for the > > hint. However, it appears it is not useful in this sitation, since if > > there is an audit_context, even a dummy context, it appears arch is > > filled in. > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > > void __audit_seccomp(unsigned long syscall, long signr, int code) > > { > > struct audit_buffer *ab; > > + struct audit_context *context = current->audit_context; > > > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > > if (unlikely(!ab)) > > return; > > audit_log_task(ab); > > audit_log_format(ab, " sig=%ld", signr); > > + audit_log_format(ab, " arch="); > > + if (context) > > + audit_log_format(ab, "%x", context->arch); > > + else > > + audit_log_format(ab, "(null)"); > > audit_log_format(ab, " syscall=%ld", syscall); > > audit_log_format(ab, " compat=%d", is_compat_task()); > > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > > Is there anything that could be passed by the caller that might identify the > syscall ABI when this call was blocked? '(null)' still makes syscall number > uninterpretable. This is the way it is done in the existing record that prints a syscall record in audit_log_exit(). It is set by the arch-dependent assembler linkage for __audit_syscall_entry() or set by the arch-dependent ptrace code that calls audit_syscall_entry(). In some arches there are a couple of choices. To pass this in to __audit_seccomp() as an arg, I'd have to add that arg to: __audit_seccomp() audit_seccomp() __secure_computing() secure_computing() As you've pointed out in IRC, there is a syscall_get_arch(current, regs) that could be used to get the arch when an audit context is not yet created. I was just looking for something like that... I am noticing that all arches call a variant of syscall_trace_enter() which first calls secure_computing() [which eventually calls __audit_seccomp()] *before* calling audit_syscall_entry() [which eventually sets context->arch]. So I'm not sure how task->audit_context->arch got set... Perhaps __audit_syscall_entry() should just call syscall_get_arch() instead of lugging it through the stack like it presently does. Is this going to give the same information? (I guess I should be able to answer that question...) > -Steve - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-19 3:15 ` Richard Guy Briggs @ 2014-02-19 19:37 ` Richard Guy Briggs 2014-02-21 23:32 ` Richard Guy Briggs 0 siblings, 1 reply; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-19 19:37 UTC (permalink / raw) To: Steve Grubb; +Cc: Eric Paris, linux-audit, linux-kernel On 14/02/18, Richard Guy Briggs wrote: > On 14/02/18, Steve Grubb wrote: > > On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: > > > > missing '=' but this isn't what audit_get_context() does... it's > > > > crappy naming... I'd think a combo of audit_dummy_context() and > > > > current->audit_context would be most appropriate. > > > > > > Ok. I think I finally understand audit_dummy_context(). Thanks for the > > > hint. However, it appears it is not useful in this sitation, since if > > > there is an audit_context, even a dummy context, it appears arch is > > > filled in. > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > > > void __audit_seccomp(unsigned long syscall, long signr, int code) > > > { > > > struct audit_buffer *ab; > > > + struct audit_context *context = current->audit_context; > > > > > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > > > if (unlikely(!ab)) > > > return; > > > audit_log_task(ab); > > > audit_log_format(ab, " sig=%ld", signr); > > > + audit_log_format(ab, " arch="); > > > + if (context) > > > + audit_log_format(ab, "%x", context->arch); > > > + else > > > + audit_log_format(ab, "(null)"); > > > audit_log_format(ab, " syscall=%ld", syscall); > > > audit_log_format(ab, " compat=%d", is_compat_task()); > > > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > > > > Is there anything that could be passed by the caller that might identify the > > syscall ABI when this call was blocked? '(null)' still makes syscall number > > uninterpretable. > > This is the way it is done in the existing record that prints a syscall > record in audit_log_exit(). > > It is set by the arch-dependent assembler linkage for > __audit_syscall_entry() or set by the arch-dependent ptrace code that > calls audit_syscall_entry(). In some arches there are a couple of > choices. > > > To pass this in to __audit_seccomp() as an arg, I'd have to add that arg > to: > __audit_seccomp() > audit_seccomp() > __secure_computing() > secure_computing() > > > As you've pointed out in IRC, there is a syscall_get_arch(current, regs) > that could be used to get the arch when an audit context is not yet created. s390x architecture doesn't have it defined. :( > I was just looking for something like that... I am noticing that all > arches call a variant of syscall_trace_enter() which first calls > secure_computing() [which eventually calls __audit_seccomp()] *before* > calling audit_syscall_entry() [which eventually sets context->arch]. So > I'm not sure how task->audit_context->arch got set... Perhaps > __audit_syscall_entry() should just call syscall_get_arch() instead of > lugging it through the stack like it presently does. > > Is this going to give the same information? (I guess I should be able > to answer that question...) > > > -Steve > > - RGB - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] audit: add arch field to seccomp event log 2014-02-19 19:37 ` Richard Guy Briggs @ 2014-02-21 23:32 ` Richard Guy Briggs 0 siblings, 0 replies; 11+ messages in thread From: Richard Guy Briggs @ 2014-02-21 23:32 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit, linux-kernel On 14/02/19, Richard Guy Briggs wrote: > On 14/02/18, Richard Guy Briggs wrote: > > On 14/02/18, Steve Grubb wrote: > > > On Tuesday, February 18, 2014 03:50:44 PM Richard Guy Briggs wrote: > > > > > missing '=' but this isn't what audit_get_context() does... it's > > > > > crappy naming... I'd think a combo of audit_dummy_context() and > > > > > current->audit_context would be most appropriate. > > > > > > > > Ok. I think I finally understand audit_dummy_context(). Thanks for the > > > > hint. However, it appears it is not useful in this sitation, since if > > > > there is an audit_context, even a dummy context, it appears arch is > > > > filled in. > > > > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > @@ -2406,12 +2406,18 @@ void audit_core_dumps(long signr) > > > > void __audit_seccomp(unsigned long syscall, long signr, int code) > > > > { > > > > struct audit_buffer *ab; > > > > + struct audit_context *context = current->audit_context; > > > > > > > > ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_SECCOMP); > > > > if (unlikely(!ab)) > > > > return; > > > > audit_log_task(ab); > > > > audit_log_format(ab, " sig=%ld", signr); > > > > + audit_log_format(ab, " arch="); > > > > + if (context) > > > > + audit_log_format(ab, "%x", context->arch); > > > > + else > > > > + audit_log_format(ab, "(null)"); > > > > audit_log_format(ab, " syscall=%ld", syscall); > > > > audit_log_format(ab, " compat=%d", is_compat_task()); > > > > audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current)); > > > > > > Is there anything that could be passed by the caller that might identify the > > > syscall ABI when this call was blocked? '(null)' still makes syscall number > > > uninterpretable. > > > > This is the way it is done in the existing record that prints a syscall > > record in audit_log_exit(). > > > > It is set by the arch-dependent assembler linkage for > > __audit_syscall_entry() or set by the arch-dependent ptrace code that > > calls audit_syscall_entry(). In some arches there are a couple of > > choices. > > > > > > To pass this in to __audit_seccomp() as an arg, I'd have to add that arg > > to: > > __audit_seccomp() > > audit_seccomp() > > __secure_computing() > > secure_computing() > > > > > > As you've pointed out in IRC, there is a syscall_get_arch(current, regs) > > that could be used to get the arch when an audit context is not yet created. > > s390x architecture doesn't have it defined. :( It is defined, but is having trouble finding it... > > I was just looking for something like that... I am noticing that all > > arches call a variant of syscall_trace_enter() which first calls > > secure_computing() [which eventually calls __audit_seccomp()] *before* > > calling audit_syscall_entry() [which eventually sets context->arch]. So > > I'm not sure how task->audit_context->arch got set... Perhaps > > __audit_syscall_entry() should just call syscall_get_arch() instead of > > lugging it through the stack like it presently does. > > > > Is this going to give the same information? (I guess I should be able > > to answer that question...) > > > > > -Steve > > > > - RGB > > - RGB - RGB -- Richard Guy Briggs <rbriggs@redhat.com> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2014-02-21 23:32 UTC | newest] Thread overview: 11+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-02-14 20:23 [PATCH] audit: add arch field to seccomp event log Richard Guy Briggs 2014-02-14 20:49 ` Eric Paris 2014-02-14 20:50 ` Richard Guy Briggs 2014-02-14 20:52 ` Richard Guy Briggs 2014-02-14 21:12 ` Eric Paris 2014-02-18 20:50 ` Richard Guy Briggs 2014-02-18 20:55 ` Eric Paris 2014-02-18 21:01 ` Steve Grubb 2014-02-19 3:15 ` Richard Guy Briggs 2014-02-19 19:37 ` Richard Guy Briggs 2014-02-21 23:32 ` Richard Guy Briggs
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox