This patchset adds audit support on arm64. The implementation is just like in other architectures, and so I think little explanation is needed.
I verified this patch with some commands on both 64-bit rootfs and 32-bit rootfs(, but only in little-endian): # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls What else? (Thanks to Clayton for his cross-compiling patch)
I'd like to discuss the following issues: (issues) * AUDIT_ARCH_* Why do we need to distinguish big-endian and little-endian? [2/4] * AArch32 We need to add a check for identifying the endianness of 32-bit tasks. [3/4] * syscall numbers in AArch32 Currently all the definitions are added in unistd32.h under "ifdef __AARCH32_AUDITSYSCALL" so that asm-generic/audit_*.h can be used. [3/4] The "ifdef" is necessary to avoid a conflict with the 64-bit definitions. Do we need a more sophisticated way? * TIF_SYSCALL_AUDIT Most architectures, except x86, do not check TIF_SYSCALL_AUDIT. Why not? [4/4] * Userspace audit package There are some missing syscall definitions in lib/aarch64_table.h. There is no support for AUDIT_ARCH_ARM (I mean LE; armeb is BE).
AKASHI Takahiro (4): audit: Enable arm64 support arm64: Add audit support arm64: audit: Add AArch32 support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 3 + arch/arm64/include/asm/audit32.h | 12 ++ arch/arm64/include/asm/ptrace.h | 5 + arch/arm64/include/asm/syscall.h | 18 ++ arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/include/asm/unistd32.h | 387 ++++++++++++++++++++++++++++++++++ arch/arm64/kernel/Makefile | 4 + arch/arm64/kernel/audit.c | 77 +++++++ arch/arm64/kernel/audit32.c | 46 ++++ arch/arm64/kernel/entry.S | 3 + arch/arm64/kernel/ptrace.c | 12 ++ include/uapi/linux/audit.h | 2 + init/Kconfig | 2 +- 13 files changed, 571 insertions(+), 1 deletion(-) create mode 100644 arch/arm64/include/asm/audit32.h create mode 100644 arch/arm64/kernel/audit.c create mode 100644 arch/arm64/kernel/audit32.c
--- include/uapi/linux/audit.h | 2 ++ init/Kconfig | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 75cef3f..6f727c1 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -324,6 +324,8 @@ enum {
/* distinguish syscall tables */
#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
diff --git a/init/Kconfig b/init/Kconfig
index 3ecd8a1..2220401 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL
bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+ depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
default y if SECURITY_SELINUX
help
Enable low-overhead system-call auditing infrastructure that
--- arch/arm64/Kconfig | 3 ++ arch/arm64/include/asm/ptrace.h | 5 ++++ arch/arm64/include/asm/syscall.h | 18 ++++++++++++ arch/arm64/kernel/Makefile | 1 + arch/arm64/kernel/audit.c | 59 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 86 insertions(+) create mode 100644 arch/arm64/kernel/audit.c
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index c044548..263c10b 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -46,6 +46,9 @@ config 64BIT
config ARCH_PHYS_ADDR_T_64BIT
def_bool y
+config AUDIT_ARCH
+ def_bool y
+
config MMU
def_bool y
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0dacbbf..964f4f6 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -133,6 +133,11 @@ struct pt_regs {
#define user_stack_pointer(regs) \
((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
/*
* Are the current registers suitable for user mode? (used to maintain
* security in signal handlers)
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 89c047f..03040ac 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,10 @@
#ifndef __ASM_SYSCALL_H
#define __ASM_SYSCALL_H
+#include <linux/audit.h>
#include <linux/err.h>
+#include <linux/sched.h>
+#include <asm/compat.h>
static inline int syscall_get_nr(struct task_struct *task,
@@ -98,4 +101,19 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(&regs->regs[i], args, n * sizeof(args[0]));
}
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
+{
+#ifdef CONFIG_COMPAT
+ if (is_compat_thread(task_thread_info(task)))
+ return AUDIT_ARCH_ARM; /* FIXME: big endian? */
+#endif
+
+#ifdef __AARCH64EB__
+ return AUDIT_ARCH_AARCH64EB;
+#else
+ return AUDIT_ARCH_AARCH64;
+#endif
+}
+
#endif /* __ASM_SYSCALL_H */
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index 7b4b564..3abab29 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -11,6 +11,7 @@ arm64-obj-y := cputable.o debug-monitors.o entry.o irq.o fpsimd.o \
sys.o stacktrace.o time.o traps.o io.o vdso.o \
hyp-stub.o psci.o
+arm64-obj-$(CONFIG_AUDIT) += audit.o
arm64-obj-$(CONFIG_COMPAT) += sys32.o kuser32.o signal32.o \
sys_compat.o
arm64-obj-$(CONFIG_MODULES) += arm64ksyms.o module.o
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
new file mode 100644
index 0000000..9aab2b3
--- /dev/null
+++ b/arch/arm64/kernel/audit.c
@@ -0,0 +1,59 @@
+#include <linux/audit.h>
+#include <linux/init.h>
+#include <asm/unistd.h>
+
+static unsigned dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+static unsigned chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
+int audit_classify_arch(int arch)
+{
+ return 0; /* native */
+}
+
+/* AUTH_PERM support */
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+ switch(syscall) {
+ case __NR_openat:
+ return 3;
+ case __NR_execve:
+ return 5;
+ default:
+ return 0; /* native */
+ }
+}
+
+static int __init audit_classes_init(void)
+{
+ audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+ audit_register_class(AUDIT_CLASS_READ, read_class);
+ audit_register_class(AUDIT_CLASS_WRITE, write_class);
+ audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
+
+ return 0;
+}
+
+__initcall(audit_classes_init);
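Review bot: The comment above audit_classify_syscall() reads `/* AUTH_PERM support */`; the class numbers it returns are what `-F perm=` rule matching consumes, so it should say `/* AUDIT_PERM support */` to point readers at the right mechanism. The five class tables are filled from asm-generic/audit_*.h, which name legacy syscalls such as __NR_rename and __NR_open that the generic arm64 syscall table does not provide; if those names are unguarded in the generic headers the array initialisers cannot compile, so the commit message should state which definitions this file relies on — I cannot confirm either way from the hunk. A one-line comment noting that native arm64 has no open or socketcall entry (hence only openat and execve are classified, unlike lib/audit.c) would also save the next reader a comparison.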
On Wed, Nov 06, 2013 at 10:25:44AM +0000, AKASHI Takahiro wrote:
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c new file mode 100644 index 0000000..9aab2b3 --- /dev/null +++ b/arch/arm64/kernel/audit.c @@ -0,0 +1,59 @@ +#include <linux/audit.h> +#include <linux/init.h> +#include <asm/unistd.h>
+static unsigned dir_class[] = { +#include <asm-generic/audit_dir_write.h> +~0U +};
+static unsigned read_class[] = { +#include <asm-generic/audit_read.h> +~0U +};
+static unsigned write_class[] = { +#include <asm-generic/audit_write.h> +~0U +};
+static unsigned chattr_class[] = { +#include <asm-generic/audit_change_attr.h> +~0U +};
+static unsigned signal_class[] = { +#include <asm-generic/audit_signal.h> +~0U +};
This looks like a copy of lib/audit.c to me. Why can't we use that instead?
Will
On 11/08/2013 11:43 PM, Will Deacon wrote:
On Wed, Nov 06, 2013 at 10:25:44AM +0000, AKASHI Takahiro wrote:
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c new file mode 100644 index 0000000..9aab2b3 --- /dev/null +++ b/arch/arm64/kernel/audit.c @@ -0,0 +1,59 @@ +#include <linux/audit.h> +#include <linux/init.h> +#include <asm/unistd.h>
+static unsigned dir_class[] = { +#include <asm-generic/audit_dir_write.h> +~0U +};
+static unsigned read_class[] = { +#include <asm-generic/audit_read.h> +~0U +};
+static unsigned write_class[] = { +#include <asm-generic/audit_write.h> +~0U +};
+static unsigned chattr_class[] = { +#include <asm-generic/audit_change_attr.h> +~0U +};
+static unsigned signal_class[] = { +#include <asm-generic/audit_signal.h> +~0U +};
This looks like a copy of lib/audit.c to me. Why can't we use that instead?
As you might notice, we need to have copies for both AArch64 and AArch32 (compat system calls).
-Takahiro AKASHI
Will
--- arch/arm64/include/asm/audit32.h | 12 ++ arch/arm64/include/asm/unistd32.h | 387 +++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/Makefile | 3 + arch/arm64/kernel/audit.c | 18 ++ arch/arm64/kernel/audit32.c | 46 +++++ 5 files changed, 466 insertions(+) create mode 100644 arch/arm64/include/asm/audit32.h create mode 100644 arch/arm64/kernel/audit32.c
diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h
new file mode 100644
index 0000000..debfe57
--- /dev/null
+++ b/arch/arm64/include/asm/audit32.h
@@ -0,0 +1,12 @@
+#ifndef __ASM_AUDIT32_H
+#define __ASM_AUDIT32_H
+
+extern unsigned aarch32_dir_class[];
+extern unsigned aarch32_read_class[];
+extern unsigned aarch32_write_class[];
+extern unsigned aarch32_chattr_class[];
+extern unsigned aarch32_signal_class[];
+
+extern int aarch32_classify_syscall(unsigned);
+
+#endif /* __ASM_AUDIT32_H */
diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
index 58125bf..fdf5e56 100644
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -21,6 +21,393 @@
#define __SYSCALL(x, y)
#endif
+#ifdef __AARCH32_AUDITSYSCALL +/* + * FIXME: Currenty only audit uses (part of) these definitions. + * See audit32.c + */ +#define __NR_restart_syscall 0 +#define __NR_exit 1 +#define __NR_fork 2 +#define __NR_read 3 +#define __NR_write 4 +#define __NR_open 5 +#define __NR_close 6 +/* 7 was waitpid */ +#define __NR_creat 8 +#define __NR_link 9 +#define __NR_unlink 10 +#define __NR_execve 11 +#define __NR_chdir 12 +/* #define __NR_ni_syscall 13 :time */ +#define __NR_mknod 14 +#define __NR_chmod 15 +#define __NR_lchown16 16 +/* 17 was break */ +/* 18 was stat */ +#define __NR_lseek 19 +#define __NR_getpid 20 +#define __NR_mount 21 +/* #define __NR_ni_syscall 22 :umount */ +#define __NR_setuid16 23 +#define __NR_getuid16 24 +/* #define __NR_ni_syscall 25 :stime */ +#define __NR_ptrace 26 +/* #define __NR_ni_syscall 27 :alarm */ +/* 28 was fstat */ +#define __NR_pause 29 +/* #define __NR_ni_syscall 30 :utime */ +/* 31 was stty */ +/* 32 was gtty */ +#define __NR_access 33 +#define __NR_nice 34 +/* 35 was ftime */ +#define __NR_sync 36 +#define __NR_kill 37 +#define __NR_rename 38 +#define __NR_mkdir 39 +#define __NR_rmdir 40 +#define __NR_dup 41 +#define __NR_pipe 42 +#define __NR_times 43 +/* 44 was prof */ +#define __NR_brk 45 +#define __NR_setgid16 46 +#define __NR_getgid16 47 +/* 48 was signal */ +#define __NR_geteuid16 49 +#define __NR_getegid16 50 +#define __NR_acct 51 +#define __NR_umount 52 +/* 53 was lock */ +#define __NR_ioctl 54 +#define __NR_fcntl 55 +/* 56 was mpx */ +#define __NR_setpgid 57 +/* 58 was ulimit */ +/* 59 was olduname */ +#define __NR_umask 60 +#define __NR_chroot 61 +#define __NR_ustat 62 +#define __NR_dup2 63 +#define __NR_getppid 64 +#define __NR_getpgrp 65 +#define __NR_setsid 66 +#define __NR_sigaction 67 +/* 68 was sgetmask */ +/* 69 was ssetmask */ +#define __NR_setreuid16 70 +#define __NR_setregid16 71 +#define __NR_sigsuspend 72 +#define __NR_sigpending 73 +#define __NR_sethostname 74 +#define __NR_setrlimit 75 +/* #define 
__NR_ni_syscall 76 :getrlimit */ +#define __NR_getrusage 77 +#define __NR_gettimeofday 78 +#define __NR_settimeofday 79 +#define __NR_getgroups16 80 +#define __NR_setgroups16 81 +/* #define __NR_ni_syscall 82 :select */ +#define __NR_symlink 83 +/* 84 was lstat */ +#define __NR_readlink 85 +#define __NR_uselib 86 +#define __NR_swapon 87 +#define __NR_reboot 88 +/* #define __NR_ni_syscall 89 :readdir */ +/* #define __NR_ni_syscall 90 :mmap */ +#define __NR_munmap 91 +#define __NR_truncate 92 +#define __NR_ftruncate 93 +#define __NR_fchmod 94 +#define __NR_fchown16 95 +#define __NR_getpriority 96 +#define __NR_setpriority 97 +/* 98 was profil */ +#define __NR_statfs 99 +#define __NR_fstatfs 100 +/* 101 was ioperm */ +/* 102 was socketcall */ +#define __NR_syslog 103 +#define __NR_setitimer 104 +#define __NR_getitimer 105 +#define __NR_newstat 106 +#define __NR_newlstat 107 +#define __NR_newfstat 108 +/* 109 was uname */ +/* 110 was iopl */ +#define __NR_vhangup 111 +/* 112 was idle */ +/* #define __NR_ni_syscall 113 :syscall */ +#define __NR_wait4 114 +#define __NR_swapoff 115 +#define __NR_sysinfo 116 +/* #define __NR_ni_syscall 117 :ipc */ +#define __NR_fsync 118 +#define __NR_sigreturn 119 +#define __NR_clone 120 +#define __NR_setdomainname 121 +#define __NR_newuname 122 +/* 123 was modify_ldt */ +#define __NR_adjtimex 124 +#define __NR_mprotect 125 +#define __NR_sigprocmask 126 +/* 127 was create_module */ +#define __NR_init_module 128 +#define __NR_delete_module 129 +/* 130 was get_kernel_syms */ +#define __NR_quotactl 131 +#define __NR_getpgid 132 +#define __NR_fchdir 133 +#define __NR_bdflush 134 +#define __NR_sysfs 135 +#define __NR_personality 136 +/* 137 was afs_syscall */ +#define __NR_setfsuid16 138 +#define __NR_setfsgid16 139 +#define __NR_llseek 140 +#define __NR_getdents 141 +#define __NR_select 142 +#define __NR_flock 143 +#define __NR_msync 144 +#define __NR_readv 145 +#define __NR_writev 146 +#define __NR_getsid 147 +#define __NR_fdatasync 148 
+#define __NR_sysctl 149 +#define __NR_mlock 150 +#define __NR_munlock 151 +#define __NR_mlockall 152 +#define __NR_munlockall 153 +#define __NR_sched_setparam 154 +#define __NR_sched_getparam 155 +#define __NR_sched_setscheduler 156 +#define __NR_sched_getscheduler 157 +#define __NR_sched_yield 158 +#define __NR_sched_get_priority_max 159 +#define __NR_sched_get_priority_min 160 +#define __NR_sched_rr_get_interval 161 +#define __NR_nanosleep 162 +#define __NR_mremap 163 +#define __NR_setresuid16 164 +#define __NR_getresuid16 165 +/* 166 was vm86 */ +/* 167 was query_module */ +#define __NR_poll 168 +/* #define __NR_ni_syscall 169 :nfsservctl */ +#define __NR_setresgid16 170 +#define __NR_getresgid16 171 +#define __NR_prctl 172 +#define __NR_rt_sigreturn 173 +#define __NR_rt_sigaction 174 +#define __NR_rt_sigprocmask 175 +#define __NR_rt_sigpending 176 +#define __NR_rt_sigtimedwait 177 +#define __NR_rt_sigqueueinfo 178 +#define __NR_rt_sigsuspend 179 +#define __NR_pread64 180 +#define __NR_pwrite64 181 +#define __NR_chown16 182 +#define __NR_getcwd 183 +#define __NR_capget 184 +#define __NR_capset 185 +#define __NR_sigaltstack 186 +#define __NR_sendfile 187 +/* 188 reserved */ +/* 189 reserved */ +#define __NR_vfork 190 +#define __NR_getrlimit 191 +#define __NR_mmap_pgoff 192 +#define __NR_truncate64 193 +#define __NR_ftruncate64 194 +#define __NR_stat64 195 +#define __NR_lstat64 196 +#define __NR_fstat64 197 +#define __NR_lchown 198 +#define __NR_getuid 199 +#define __NR_getgid 200 +#define __NR_geteuid 201 +#define __NR_getegid 202 +#define __NR_setreuid 203 +#define __NR_setregid 204 +#define __NR_getgroups 205 +#define __NR_setgroups 206 +#define __NR_fchown 207 +#define __NR_setresuid 208 +#define __NR_getresuid 209 +#define __NR_setresgid 210 +#define __NR_getresgid 211 +#define __NR_chown 212 +#define __NR_setuid 213 +#define __NR_setgid 214 +#define __NR_setfsuid 215 +#define __NR_setfsgid 216 +#define __NR_getdents64 217 +#define __NR_pivot_root 218 
+#define __NR_mincore 219 +#define __NR_madvise 220 +#define __NR_fcntl64 221 +/* 222 was tux */ +/* 223 reserved */ +#define __NR_gettid 224 +#define __NR_readahead 225 +#define __NR_setxattr 226 +#define __NR_lsetxattr 227 +#define __NR_fsetxattr 228 +#define __NR_getxattr 229 +#define __NR_lgetxattr 230 +#define __NR_fgetxattr 231 +#define __NR_listxattr 232 +#define __NR_llistxattr 233 +#define __NR_flistxattr 234 +#define __NR_removexattr 235 +#define __NR_lremovexattr 236 +#define __NR_fremovexattr 237 +#define __NR_tkill 238 +#define __NR_sendfile64 239 +#define __NR_futex 240 +#define __NR_sched_setaffinity 241 +#define __NR_sched_getaffinity 242 +#define __NR_io_setup 243 +#define __NR_io_destroy 244 +#define __NR_io_getevents 245 +#define __NR_io_submit 246 +#define __NR_io_cancel 247 +#define __NR_exit_group 248 +#define __NR_lookup_dcookie 249 +#define __NR_epoll_create 250 +#define __NR_epoll_ctl 251 +#define __NR_epoll_wait 252 +#define __NR_remap_file_pages 253 +/* 254 was set_thread_area */ +/* 255 was get_thread_area */ +#define __NR_set_tid_address 256 +#define __NR_timer_create 257 +#define __NR_timer_settime 258 +#define __NR_timer_gettime 259 +#define __NR_timer_getoverrun 260 +#define __NR_timer_delete 261 +#define __NR_clock_settime 262 +#define __NR_clock_gettime 263 +#define __NR_clock_getres 264 +#define __NR_clock_nanosleep 265 +#define __NR_statfs64 266 +#define __NR_fstatfs64 267 +#define __NR_tgkill 268 +#define __NR_utimes 269 +#define __NR_fadvise64_64 270 +#define __NR_pciconfig_iobase 271 +#define __NR_pciconfig_read 272 +#define __NR_pciconfig_write 273 +#define __NR_mq_open 274 +#define __NR_mq_unlink 275 +#define __NR_mq_timedsend 276 +#define __NR_mq_timedreceive 277 +#define __NR_mq_notify 278 +#define __NR_mq_getsetattr 279 +#define __NR_waitid 280 +#define __NR_socket 281 +#define __NR_bind 282 +#define __NR_connect 283 +#define __NR_listen 284 +#define __NR_accept 285 +#define __NR_getsockname 286 +#define __NR_getpeername 
287 +#define __NR_socketpair 288 +#define __NR_send 289 +#define __NR_sendto 290 +#define __NR_recv 291 +#define __NR_recvfrom 292 +#define __NR_shutdown 293 +#define __NR_setsockopt 294 +#define __NR_getsockopt 295 +#define __NR_sendmsg 296 +#define __NR_recvmsg 297 +#define __NR_semop 298 +#define __NR_semget 299 +#define __NR_semctl 300 +#define __NR_msgsnd 301 +#define __NR_msgrcv 302 +#define __NR_msgget 303 +#define __NR_msgctl 304 +#define __NR_shmat 305 +#define __NR_shmdt 306 +#define __NR_shmget 307 +#define __NR_shmctl 308 +#define __NR_add_key 309 +#define __NR_request_key 310 +#define __NR_keyctl 311 +#define __NR_semtimedop 312 +/* #define __NR_ni_syscall 313 :vserver */ +#define __NR_ioprio_set 314 +#define __NR_ioprio_get 315 +#define __NR_inotify_init 316 +#define __NR_inotify_add_watch 317 +#define __NR_inotify_rm_watch 318 +#define __NR_mbind 319 +#define __NR_get_mempolicy 320 +#define __NR_set_mempolicy 321 +#define __NR_openat 322 +#define __NR_mkdirat 323 +#define __NR_mknodat 324 +#define __NR_fchownat 325 +#define __NR_futimesat 326 +#define __NR_fstatat64 327 +#define __NR_unlinkat 328 +#define __NR_renameat 329 +#define __NR_linkat 330 +#define __NR_symlinkat 331 +#define __NR_readlinkat 332 +#define __NR_fchmodat 333 +#define __NR_faccessat 334 +#define __NR_pselect6 335 +#define __NR_ppoll 336 +#define __NR_unshare 337 +#define __NR_set_robust_list 338 +#define __NR_get_robust_list 339 +#define __NR_splice 340 +#define __NR_sync_file_range2 341 +#define __NR_tee 342 +#define __NR_vmsplice 343 +#define __NR_move_pages 344 +#define __NR_getcpu 345 +#define __NR_epoll_pwait 346 +#define __NR_kexec_load 347 +#define __NR_utimensat 348 +#define __NR_signalfd 349 +#define __NR_timerfd_create 350 +#define __NR_eventfd 351 +#define __NR_fallocate 352 +#define __NR_timerfd_settime 353 +#define __NR_timerfd_gettime 354 +#define __NR_signalfd4 355 +#define __NR_eventfd2 356 +#define __NR_epoll_create1 357 +#define __NR_dup3 358 +#define __NR_pipe2 
359 +#define __NR_inotify_init1 360 +#define __NR_preadv 361 +#define __NR_pwritev 362 +#define __NR_rt_tgsigqueueinfo 363 +#define __NR_perf_event_open 364 +#define __NR_recvmmsg 365 +#define __NR_accept4 366 +#define __NR_fanotify_init 367 +#define __NR_fanotify_mark 368 +#define __NR_prlimit64 369 +#define __NR_name_to_handle_at 370 +#define __NR_open_by_handle_at 371 +#define __NR_clock_adjtime 372 +#define __NR_syncfs 373 +#define __NR_sendmmsg 374 +#define __NR_setns 375 +#define __NR_process_vm_readv 376 +#define __NR_process_vm_writev 377 +/* 378 was kcmp */ +/* 389 was finit_module */ +#endif + __SYSCALL(0, sys_restart_syscall) __SYSCALL(1, sys_exit) __SYSCALL(2, sys_fork) diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index 3abab29..0286b91 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -12,6 +12,9 @@ arm64-obj-y := cputable.o debug-monitors.o entry.o irq.o fpsimd.o \ hyp-stub.o psci.o
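Review bot: The closing comment `/* 389 was finit_module */` looks like a typo: the line before it records kcmp as 378, and finit_module is the next EABI number, so this should read `/* 379 was finit_module */`. More generally this block is a second copy of the numbers that the __SYSCALL() table below already encodes, and nothing checks the two against each other; a wrong value here does not fail the build, it just makes perm= rules silently classify the wrong AArch32 syscall. If the block stays, its header comment should say so, e.g. `/* Must match the __SYSCALL() entries below; the AArch32 audit classes are built from these numbers. */`, and the `Currenty` typo in that comment should be fixed.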
arm64-obj-$(CONFIG_AUDIT) += audit.o
+ifeq ($(CONFIG_COMPAT),y)
+arm64-obj-$(CONFIG_AUDIT) += audit32.o
+endif
arm64-obj-$(CONFIG_COMPAT) += sys32.o kuser32.o signal32.o \
sys_compat.o
arm64-obj-$(CONFIG_MODULES) += arm64ksyms.o module.o
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
index 9aab2b3..799eb55 100644
--- a/arch/arm64/kernel/audit.c
+++ b/arch/arm64/kernel/audit.c
@@ -1,5 +1,8 @@
#include <linux/audit.h>
#include <linux/init.h>
+#ifdef CONFIG_COMPAT
+#include <asm/audit32.h>
+#endif
#include <asm/unistd.h>
static unsigned dir_class[] = {
@@ -29,12 +32,20 @@ static unsigned signal_class[] = {
int audit_classify_arch(int arch)
{
+#ifdef CONFIG_COMPAT
+ if (arch == AUDIT_ARCH_ARM || arch == AUDIT_ARCH_ARMEB)
+ return 1; /* 32-bit on biarch */
+#endif
return 0; /* native */
}
/* AUTH_PERM support */
int audit_classify_syscall(int abi, unsigned syscall)
{
+#ifdef CONFIG_COMPAT
+ if (abi == AUDIT_ARCH_ARM || abi == AUDIT_ARCH_ARMEB)
+ return aarch32_classify_syscall(syscall);
+#endif
switch(syscall) {
case __NR_openat:
return 3;
@@ -47,6 +58,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
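Review bot: audit_classify_arch() and audit_classify_syscall() both accept AUDIT_ARCH_ARMEB as a 32-bit ABI, but the syscall_get_arch() added in 2/4 only ever reports AUDIT_ARCH_ARM for a compat task, so a rule loaded with arch=armeb is classified here and then can never match a live syscall. Whichever way the endianness discussion settles, these checks and syscall_get_arch() must agree, otherwise users get rules that load without error and never fire; either drop ARMEB from both conditions or make syscall_get_arch() produce it. A comment such as `/* must agree with the values syscall_get_arch() can return */` above the first check would keep the two from drifting. The end of audit_classify_syscall() lies outside this hunk.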
static int __init audit_classes_init(void)
{
+#ifdef CONFIG_COMPAT
+ audit_register_class(AUDIT_CLASS_DIR_WRITE_32, aarch32_dir_class);
+ audit_register_class(AUDIT_CLASS_READ_32, aarch32_read_class);
+ audit_register_class(AUDIT_CLASS_WRITE_32, aarch32_write_class);
+ audit_register_class(AUDIT_CLASS_CHATTR_32, aarch32_chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL_32, aarch32_signal_class);
+#endif
audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
audit_register_class(AUDIT_CLASS_READ, read_class);
audit_register_class(AUDIT_CLASS_WRITE, write_class);
diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c
new file mode 100644
index 0000000..2aa4d7d
--- /dev/null
+++ b/arch/arm64/kernel/audit32.c
@@ -0,0 +1,46 @@
+#define __AARCH32_AUDITSYSCALL
+#include <asm/unistd32.h>
+
+unsigned aarch32_dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+unsigned aarch32_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+unsigned aarch32_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned aarch32_chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+unsigned aarch32_signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
+int aarch32_classify_syscall(unsigned syscall)
+{
+ switch(syscall) {
+ case __NR_open:
+ return 2;
+ case __NR_openat:
+ return 3;
+ /*
+ * obsolute in EABI
+ * case __NR_socketcall:
+ * return 4;
+ */
+ case __NR_execve:
+ return 5;
+ default:
+ return 1; /* 32-bit on biarch */
+ }
+}
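Review bot: audit32.c defines aarch32_dir_class[] and friends and aarch32_classify_syscall() without including asm/audit32.h, so nothing checks these definitions against the extern declarations that audit.c compiles against; add `#include <asm/audit32.h>` after the unistd32.h include so a type or name mismatch is caught at build time. The comment `obsolute in EABI` should read `obsolete in EABI`, and since it leaves class 4 unused it should say why explicitly — the syscall table in this patch records slot 102 as no longer socketcall, so AArch32 socket calls presumably arrive as individual syscalls and need no socketcall class; confirm that matches the compat table. Kernel style also wants `switch (syscall) {` with a space.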
On Wed, Nov 06, 2013 at 10:25:45AM +0000, AKASHI Takahiro wrote:
arch/arm64/include/asm/audit32.h | 12 ++ arch/arm64/include/asm/unistd32.h | 387 +++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/Makefile | 3 + arch/arm64/kernel/audit.c | 18 ++ arch/arm64/kernel/audit32.c | 46 +++++ 5 files changed, 466 insertions(+) create mode 100644 arch/arm64/include/asm/audit32.h create mode 100644 arch/arm64/kernel/audit32.c
diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h new file mode 100644 index 0000000..debfe57 --- /dev/null +++ b/arch/arm64/include/asm/audit32.h @@ -0,0 +1,12 @@ +#ifndef __ASM_AUDIT32_H +#define __ASM_AUDIT32_H
+extern unsigned aarch32_dir_class[]; +extern unsigned aarch32_read_class[]; +extern unsigned aarch32_write_class[]; +extern unsigned aarch32_chattr_class[]; +extern unsigned aarch32_signal_class[];
+extern int aarch32_classify_syscall(unsigned);
+#endif /* __ASM_AUDIT32_H */ diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 58125bf..fdf5e56 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -21,6 +21,393 @@ #define __SYSCALL(x, y) #endif
+#ifdef __AARCH32_AUDITSYSCALL +/*
- FIXME: Currenty only audit uses (part of) these definitions.
- See audit32.c
- */
+#define __NR_restart_syscall 0 +#define __NR_exit 1 +#define __NR_fork 2 +#define __NR_read 3
Don't bother with this file. It's a needless replication of data already in the file and you don't even need it all.
diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c new file mode 100644 index 0000000..2aa4d7d --- /dev/null +++ b/arch/arm64/kernel/audit32.c @@ -0,0 +1,46 @@ +#define __AARCH32_AUDITSYSCALL +#include <asm/unistd32.h>
+unsigned aarch32_dir_class[] = { +#include <asm-generic/audit_dir_write.h> +~0U +};
+unsigned aarch32_read_class[] = { +#include <asm-generic/audit_read.h> +~0U +};
+unsigned aarch32_write_class[] = { +#include <asm-generic/audit_write.h> +~0U +};
+unsigned aarch32_chattr_class[] = { +#include <asm-generic/audit_change_attr.h> +~0U +};
+unsigned aarch32_signal_class[] = { +#include <asm-generic/audit_signal.h> +~0U +};
+int aarch32_classify_syscall(unsigned syscall) +{
switch(syscall) {
case __NR_open:
return 2;
case __NR_openat:
return 3;
/*
* obsolute in EABI
* case __NR_socketcall:
* return 4;
*/
case __NR_execve:
return 5;
default:
return 1; /* 32-bit on biarch */
}
Instead, just add __NR_compat_{open,openat,execve}, like we have done for the signal-related syscalls.
Also, can't the generic lib/audit.c be reworked to work with compat too?
Will
On 11/08/2013 11:55 PM, Will Deacon wrote:
On Wed, Nov 06, 2013 at 10:25:45AM +0000, AKASHI Takahiro wrote:
arch/arm64/include/asm/audit32.h | 12 ++ arch/arm64/include/asm/unistd32.h | 387 +++++++++++++++++++++++++++++++++++++ arch/arm64/kernel/Makefile | 3 + arch/arm64/kernel/audit.c | 18 ++ arch/arm64/kernel/audit32.c | 46 +++++ 5 files changed, 466 insertions(+) create mode 100644 arch/arm64/include/asm/audit32.h create mode 100644 arch/arm64/kernel/audit32.c
diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h new file mode 100644 index 0000000..debfe57 --- /dev/null +++ b/arch/arm64/include/asm/audit32.h @@ -0,0 +1,12 @@ +#ifndef __ASM_AUDIT32_H +#define __ASM_AUDIT32_H
+extern unsigned aarch32_dir_class[]; +extern unsigned aarch32_read_class[]; +extern unsigned aarch32_write_class[]; +extern unsigned aarch32_chattr_class[]; +extern unsigned aarch32_signal_class[];
+extern int aarch32_classify_syscall(unsigned);
+#endif /* __ASM_AUDIT32_H */ diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h index 58125bf..fdf5e56 100644 --- a/arch/arm64/include/asm/unistd32.h +++ b/arch/arm64/include/asm/unistd32.h @@ -21,6 +21,393 @@ #define __SYSCALL(x, y) #endif
+#ifdef __AARCH32_AUDITSYSCALL +/*
- FIXME: Currenty only audit uses (part of) these definitions.
- See audit32.c
- */
+#define __NR_restart_syscall 0 +#define __NR_exit 1 +#define __NR_fork 2 +#define __NR_read 3
Don't bother with this file. It's a needless replication of data already in the file and you don't even need it all.
Unfortunately, I need them not only for aarch32_classify_syscall(), but also in asm-generic/audit_*.h. Actually, 47 __NR_xxx names are referred to in those files. The problem is that AArch64 and AArch32 have different system call numbers, but there are no __NR_xxx definitions for AArch32 in asm/unistd32.h.
diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c new file mode 100644 index 0000000..2aa4d7d --- /dev/null +++ b/arch/arm64/kernel/audit32.c @@ -0,0 +1,46 @@ +#define __AARCH32_AUDITSYSCALL +#include <asm/unistd32.h>
+unsigned aarch32_dir_class[] = { +#include <asm-generic/audit_dir_write.h> +~0U +};
+unsigned aarch32_read_class[] = { +#include <asm-generic/audit_read.h> +~0U +};
+unsigned aarch32_write_class[] = { +#include <asm-generic/audit_write.h> +~0U +};
+unsigned aarch32_chattr_class[] = { +#include <asm-generic/audit_change_attr.h> +~0U +};
+unsigned aarch32_signal_class[] = { +#include <asm-generic/audit_signal.h> +~0U +};
+int aarch32_classify_syscall(unsigned syscall) +{
switch(syscall) {
case __NR_open:
return 2;
case __NR_openat:
return 3;
/*
* obsolute in EABI
* case __NR_socketcall:
* return 4;
*/
case __NR_execve:
return 5;
default:
return 1; /* 32-bit on biarch */
}
Instead, just add __NR_compat_{open,openat,execve}, like we have done for the signal-related syscalls.
As far as xxx_classify_syscall is concerned, it is possible to change the code to use __NR_compat_..., but it is difficult to remove __NR_... from unistd32.h because, as I mentioned above, asm-generic/audit_xxx.h use __NR_...
Also, can't the generic lib/audit.c be reworked to work with compat too?
I hope so, but don't think re-work is practical unless we have generic solution against this issue. (In addition, other architectures already have their own implementation.)
-Takahiro AKASHI
Will
--- arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 12 ++++++++++++ 3 files changed, 16 insertions(+)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 23a3c47..782097a 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -107,6 +107,7 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_NEED_RESCHED 1
#define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
#define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
#define TIF_POLLING_NRFLAG 16
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
#define TIF_FREEZE 19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 3881fd1..5bf1bdf 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -646,6 +646,9 @@ el0_svc_naked: // compat entry point
get_thread_info tsk
ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+ tbnz x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
adr lr, ret_fast_syscall // return address
cmp scno, sc_nr // check upper syscall limit
b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index fecdbf7..7cdfa76 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
* along with this program. If not, see http://www.gnu.org/licenses/.
*/
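Review bot: TIF_SYSCALL_AUDIT is added as a bit number only; if thread_info.h also carries `_TIF_*` mask definitions for the neighbouring bits (that part of the file is outside this hunk), a matching `#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)` keeps the flag usable from C without open-coding the shift. In entry.S the new tbnz routes every audited task through __sys_trace, so an audited syscall pays for the full trace path even when no tracer is attached; a short comment stating that this is intentional, presumably because __sys_trace is the only path that invokes syscall_trace() on both entry and exit, would stop the next reader from treating it as a mistake.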
+#include <linux/audit.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> @@ -38,6 +39,7 @@ #include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/pgtable.h> +#include <asm/syscall.h> #include <asm/traps.h> #include <asm/system_misc.h>
@@ -1066,6 +1068,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
+#ifdef CONFIG_AUDITSYSCALL
+ if (dir)
+ audit_syscall_exit(regs);
+ else
+ audit_syscall_entry(syscall_get_arch(current, regs),
+ regs->syscallno,
+ regs->regs[0], regs->regs[1],
+ regs->regs[2], regs->regs[3]);
+#endif /* CONFIG_AUDITSYSCALL */
+
 if (!test_thread_flag(TIF_SYSCALL_TRACE))
 return regs->syscallno;
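Review bot: audit_syscall_entry() is handed regs->regs[0] as the first syscall argument, while the v2 changelog later in this thread moves that to regs->orig_x0 — presumably because regs[0] is the slot that can be rewritten before the audit record is built, so the logged value would no longer be the argument the task actually supplied; changing the call to `regs->orig_x0, regs->regs[1],` ties the record to the entry-time value. The `#ifdef CONFIG_AUDITSYSCALL` guard around the two calls is redundant, since, as noted elsewhere in this thread, audit_syscall_entry()/audit_syscall_exit() are empty inline functions when the option is off. The body of syscall_trace() continues outside the hunk.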
On Wed, Nov 06, 2013 at 10:25:42AM +0000, AKASHI Takahiro wrote:
This patchset adds audit support on arm64. The implementation is just like in other architectures, and so I think little explanation is needed.
That doesn't mean you can just omit the commit messages!
I'd like to discuss about the following issues: (issues)
- AUDIT_ARCH_* Why do we need to distinguish big-endian and little-endian? [2/4]
We don't. This is only the case if the syscall ABIs differ between them (for AArch32, people mistakenly thought __ARMEB__ was related to AEABI).
- Userspace audit package There are some missing syscall definitions in lib/aarch64_table.h. There is no support for AUDIT_ARCH_ARM (I mean LE. armeb is BE).
I did post something over a year ago... did it not get picked up?
http://permalink.gmane.org/gmane.linux.ports.arm.kernel/165266
Will
On 11/08/2013 11:34 PM, Will Deacon wrote:
On Wed, Nov 06, 2013 at 10:25:42AM +0000, AKASHI Takahiro wrote:
This patchset adds audit support on arm64. The implementation is just like in other architectures, and so I think little explanation is needed.
That doesn't mean you can just omit the commit messages!
I will include some commit messages in the next version.
I'd like to discuss about the following issues: (issues)
- AUDIT_ARCH_* Why do we need to distinguish big-endian and little-endian? [2/4]
We don't. This is only the case if the syscall ABIs differ between them (for AArch32, people mistakenly thought __ARMEB__ was related to AEABI).
I guessed so, but ...
- Userspace audit package There are some missing syscall definitions in lib/aarch64_table.h. There is no support for AUDIT_ARCH_ARM (I mean LE. armeb is BE).
I did post something over a year ago... did it not get picked up?
http://permalink.gmane.org/gmane.linux.ports.arm.kernel/165266
Sounds great, but the reality is that AUDIT_ARCH_ARMEB is still used in the latest v2.3.2, and due to this, ausearch cannot pretty-print the architecture name in the audit log for LE.
I will ask this in linux-audit ML.
-Takahiro AKASHI
Will
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM[EB]) and 64-bit tasks (AUDIT_ARCH_AARCH64[EB]) are supported, but presuming 32-LE on 64-LE or 32-BE on 64-BE.
There are some prerequisites for this patch to work correctly: * "generic compat system call audit support" patch * "correct a type mismatch in audit_syscall_exit()" patch (already accepted and queued in 3.14) * "Modify a set of system calls in audit class" patch * userspace audit tool (v2.3.2 + my patch for arm64)
All those were already or will soon be posted separately. Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (6): audit: Enable arm64 support arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add 32-bit (compat) syscall support arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Makefile | 4 ++++ arch/arm64/include/asm/audit.h | 20 ++++++++++++++++++++ arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 22 ++++++++++++++++++++++ arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 12 ++++++++++++ arch/arm64/kernel/syscalls/Makefile | 20 ++++++++++++++++++++ include/uapi/linux/audit.h | 2 ++ init/Kconfig | 2 +- 10 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 arch/arm64/include/asm/audit.h create mode 100644 arch/arm64/kernel/syscalls/Makefile
This patch adds AUDIT_ARCH_* identifiers for arm64(AArch64), and makes CONFIG_AUDITSYSCALL selectable.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- include/uapi/linux/audit.h | 2 ++ init/Kconfig | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 44b05a0..e39635b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,6 +327,8 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB (EM_ARM)
diff --git a/init/Kconfig b/init/Kconfig
index 79383d3..3aae602 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -284,7 +284,7 @@ config AUDIT
 config AUDITSYSCALL
 bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+ depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
 default y if SECURITY_SELINUX
 help
 Enable low-overhead system-call auditing infrastructure that
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns: 1) I can't verify it on other architectures than (arm &) arm64. 2) Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though) So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
On Mon, Jan 27, 2014 at 05:12:33AM +0000, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
You could try to build. It's really a trivial change, could get away with code inspection (and some automatic building when it gets to linux-next).
In init/Kconfig:
config HAVE_ARCH_AUDITSYSCALL bool
and:
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT)) + depends on HAVE_ARCH_AUDITSYSCALL
In the corresponding arch/*/Kconfig:
select HAVE_ARCH_AUDITSYSCALL
- Some architectures (microblaze, mips, openrisc) are not listed here, but
For those, you don't need to select HAVE_ARCH_AUDITSYSCALL.
their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
They are not NULL but empty inline functions, so they don't have any effect.
So I'm afraid that the change might break someone's assumption.
I'm pretty sure it won't ;).
On 14/01/27, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
- Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
I can try: ppc s390 x86_64 ppc64 i686 s390x
So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14/01/29, Richard Guy Briggs wrote:
On 14/01/27, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
- Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
I can try: ppc s390 x86_64 ppc64 i686 s390x
These arches above all pass compile and basic tests with the following patches applied:
audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
audit: Modify a set of system calls in audit class definitions (already upstream)
[PATCH v3] audit: Add generic compat syscall support
[PATCH v2] audit: Enable arm64 support [PATCH v2] arm64: Add regs_return_value() in syscall.h [PATCH v2] arm64: Add audit support [PATCH v2] arm64: audit: Add 32-bit (compat) syscall support [PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls [PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
- RGB
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Richard,
On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
On 14/01/29, Richard Guy Briggs wrote:
On 14/01/27, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
- Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
I can try: ppc s390 x86_64 ppc64 i686 s390x
These arches above all pass compile and basic tests with the following patches applied:
audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
audit: Modify a set of system calls in audit class definitions (already upstream)
[PATCH v3] audit: Add generic compat syscall support
[PATCH v2] audit: Enable arm64 support [PATCH v2] arm64: Add regs_return_value() in syscall.h [PATCH v2] arm64: Add audit support [PATCH v2] arm64: audit: Add 32-bit (compat) syscall support [PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls [PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
I think that you missed Catalin's suggestion. Please use the patch I will post after this message and try it again, please?
Thanks, -Takahiro AKASHI
So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
- RGB
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14/02/03, AKASHI Takahiro wrote:
Richard,
Takahiro,
On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
On 14/01/29, Richard Guy Briggs wrote:
On 14/01/27, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
--- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -327,6 +327,8 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) +#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARMEB (EM_ARM) diff --git a/init/Kconfig b/init/Kconfig index 79383d3..3aae602 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -284,7 +284,7 @@ config AUDIT
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
- Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
I can try: ppc s390 x86_64 ppc64 i686 s390x
These arches above all pass compile and basic tests with the following patches applied:
audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
audit: Modify a set of system calls in audit class definitions (already upstream)
[PATCH v3] audit: Add generic compat syscall support
[PATCH v2] audit: Enable arm64 support [PATCH v2] arm64: Add regs_return_value() in syscall.h [PATCH v2] arm64: Add audit support [PATCH v2] arm64: audit: Add 32-bit (compat) syscall support [PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls [PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
I think that you missed Catalin's suggestion.
I didn't miss his suggestions. I think they are a good way to go, but I wanted to run a test at a referable point in time to validate the work to that point and to avoid introducing errors by misinterpreting ideas that were not yet fully-formed patches.
Please use the patch I will post after this message and try it again, please?
I was certainly intending to do so.
Thanks, -Takahiro AKASHI
So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
- RGB
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 14/02/03, Richard Guy Briggs wrote:
On 14/02/03, AKASHI Takahiro wrote:
Richard,
Takahiro,
Takahiro,
On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
On 14/01/29, Richard Guy Briggs wrote:
On 14/01/27, AKASHI Takahiro wrote:
[To audit maintainers]
On 01/23/2014 11:18 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote: >--- a/include/uapi/linux/audit.h >+++ b/include/uapi/linux/audit.h >@@ -327,6 +327,8 @@ enum { > /* distinguish syscall tables */ > #define __AUDIT_ARCH_64BIT 0x80000000 > #define __AUDIT_ARCH_LE 0x40000000 >+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) >+#define AUDIT_ARCH_AARCH64EB (EM_AARCH64|__AUDIT_ARCH_64BIT) > #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) > #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) > #define AUDIT_ARCH_ARMEB (EM_ARM) >diff --git a/init/Kconfig b/init/Kconfig >index 79383d3..3aae602 100644 >--- a/init/Kconfig >+++ b/init/Kconfig >@@ -284,7 +284,7 @@ config AUDIT > > config AUDITSYSCALL > bool "Enable system-call auditing support" >- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT)) >+ depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
The usual comment for such changes: could you please clean this up and just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
Do you agree to this change?
If so, I can create a patch, but have some concerns:
- I can't verify it on other architectures than (arm &) arm64.
- Some architectures (microblaze, mips, openrisc) are not listed here, but their ptrace.c have a call to audit_syscall_entry/exit(). (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
I can try: ppc s390 x86_64 ppc64 i686 s390x
These arches above all pass compile and basic tests with the following patches applied:
audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
audit: Modify a set of system calls in audit class definitions (already upstream)
[PATCH v3] audit: Add generic compat syscall support
[PATCH v2] audit: Enable arm64 support [PATCH v2] arm64: Add regs_return_value() in syscall.h [PATCH v2] arm64: Add audit support [PATCH v2] arm64: audit: Add 32-bit (compat) syscall support [PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls [PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
I think that you missed Catalin's suggestion.
I didn't miss his suggestions. I think they are a good way to go, but I wanted to make a test at referrable point in time to validate the work to that point and to avoid introducing errors by mis-interpreting ideas that were not yet fully-formed patches.
Please use the patch I will post after this message and try it again, please?
I was certainly intending to do so.
I have tested the new sets from Catalin and you and everything passes ok.
Thanks, -Takahiro AKASHI
So I'm afraid that the change might break someone's assumption.
Thanks, -Takahiro AKASHI
- RGB
- RGB
- RGB
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Currently AUDITSYSCALL has a long list of architecture dependencies: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT)) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/parisc/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/s390/Kconfig | 1 + arch/sh/Kconfig | 1 + arch/sparc/Kconfig | 1 + arch/um/Kconfig.common | 1 + arch/x86/Kconfig | 1 + init/Kconfig | 5 ++++- 10 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index c1f1a7e..cf69f89 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -23,6 +23,7 @@ config ARM
 select GENERIC_STRNCPY_FROM_USER
 select GENERIC_STRNLEN_USER
 select HARDIRQS_SW_RESEND
+ select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 select HAVE_ARCH_KGDB
 select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 4e4119b..9143d91 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -43,6 +43,7 @@ config IA64
 select HAVE_MOD_ARCH_SPECIFIC
 select MODULES_USE_ELF_RELA
 select ARCH_USE_CMPXCHG_LOCKREF
+ select HAVE_ARCH_AUDITSYSCALL
 default y
 help
 The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index b5f1858..0821e83 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 select CLONE_BACKWARDS
 select TTY # Needed for pdc_cons.c
 select HAVE_DEBUG_STACKOVERFLOW
+ select HAVE_ARCH_AUDITSYSCALL
 help
 The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..96627d6 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
 select OLD_SIGACTION if PPC32
 select HAVE_DEBUG_STACKOVERFLOW
 select HAVE_IRQ_EXIT_ON_IRQ_STACK
+ select HAVE_ARCH_AUDITSYSCALL
 config GENERIC_CSUM
 def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 1e1a03d..b3b9853 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 select GENERIC_SMP_IDLE_THREAD
 select GENERIC_TIME_VSYSCALL
 select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+ select HAVE_ARCH_AUDITSYSCALL
 select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 select HAVE_ARCH_SECCOMP_FILTER
 select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 9b0979f..675fb7c 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 select MODULES_USE_ELF_RELA
 select OLD_SIGSUSPEND
 select OLD_SIGACTION
+ select HAVE_ARCH_AUDITSYSCALL
 help
 The SuperH is a RISC processor targeted for use in embedded systems and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index d4f7a6a..7f7ad7e 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
 select ARCH_HAVE_NMI_SAFE_CMPXCHG
 select HAVE_C_RECORDMCOUNT
 select NO_BOOTMEM
+ select HAVE_ARCH_AUDITSYSCALL
 config ARCH_DEFCONFIG
 string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 bool
 default y
+ select HAVE_ARCH_AUDITSYSCALL
 select HAVE_UID16
 select GENERIC_IRQ_SHOW
 select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index e903c71..6ef682f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -124,6 +124,7 @@ config X86
 select RTC_LIB
 select HAVE_DEBUG_STACKOVERFLOW
 select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+ select HAVE_ARCH_AUDITSYSCALL
 config INSTRUCTION_DECODER
 def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 79383d3..9fe22d2 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 logging of avc messages output). Does not do system-call auditing without CONFIG_AUDITSYSCALL.
+config HAVE_ARCH_AUDITSYSCALL
+ bool
+
 config AUDITSYSCALL
 bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+ depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 default y if SECURITY_SELINUX
 help
 Enable low-overhead system-call auditing infrastructure that
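Review bot: HAVE_ARCH_AUDITSYSCALL is introduced as a bare `bool` with nothing saying what an architecture has to provide before it may select it, so the contract that the old per-arch list encoded is now implicit. Since the thread itself points out that the option gates whether the arch's syscall-trace path calls audit_syscall_entry()/audit_syscall_exit(), a one-line Kconfig comment above the symbol, such as `# Select this only if the arch's syscall entry/exit path calls audit_syscall_entry()/audit_syscall_exit()`, would make the requirement visible to the next arch that adds the select.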
Currently AUDITSYSCALL has a long list of architecture dependencies: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Changes v1 -> v2: * rebased to 3.14-rcX, and so added a change on ALPHA
AKASHI Takahiro (1): audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
arch/alpha/Kconfig | 1 + arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/parisc/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/s390/Kconfig | 1 + arch/sh/Kconfig | 1 + arch/sparc/Kconfig | 1 + arch/um/Kconfig.common | 1 + arch/x86/Kconfig | 1 + init/Kconfig | 5 ++++- 11 files changed, 14 insertions(+), 1 deletion(-)
Currently AUDITSYSCALL has a long list of architecture dependencies: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/alpha/Kconfig | 1 + arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/parisc/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/s390/Kconfig | 1 + arch/sh/Kconfig | 1 + arch/sparc/Kconfig | 1 + arch/um/Kconfig.common | 1 + arch/x86/Kconfig | 1 + init/Kconfig | 5 ++++- 11 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 select GENERIC_SMP_IDLE_THREAD
 select GENERIC_STRNCPY_FROM_USER
 select GENERIC_STRNLEN_USER
+ select HAVE_ARCH_AUDITSYSCALL
 select HAVE_MOD_ARCH_SPECIFIC
 select MODULES_USE_ELF_RELA
 select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 select GENERIC_STRNCPY_FROM_USER
 select GENERIC_STRNLEN_USER
 select HARDIRQS_SW_RESEND
+ select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 select HAVE_ARCH_KGDB
 select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 select HAVE_MOD_ARCH_SPECIFIC
 select MODULES_USE_ELF_RELA
 select ARCH_USE_CMPXCHG_LOCKREF
+ select HAVE_ARCH_AUDITSYSCALL
 default y
 help
 The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 select CLONE_BACKWARDS
 select TTY # Needed for pdc_cons.c
 select HAVE_DEBUG_STACKOVERFLOW
+ select HAVE_ARCH_AUDITSYSCALL
help The PA-RISC microprocessor is designed by Hewlett-Packard and used diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 957bf34..7b3b8fe 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -141,6 +141,7 @@ config PPC select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK select ARCH_USE_CMPXCHG_LOCKREF if PPC64 + select HAVE_ARCH_AUDITSYSCALL
config GENERIC_CSUM def_bool CPU_LITTLE_ENDIAN diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 65a0775..1b58568 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -103,6 +103,7 @@ config S390 select GENERIC_SMP_IDLE_THREAD select GENERIC_TIME_VSYSCALL select HAVE_ALIGNED_STRUCT_PAGE if SLUB + select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL if !MARCH_G5 select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig index 6357710..4addd87 100644 --- a/arch/sh/Kconfig +++ b/arch/sh/Kconfig @@ -42,6 +42,7 @@ config SUPERH select MODULES_USE_ELF_RELA select OLD_SIGSUSPEND select OLD_SIGACTION + select HAVE_ARCH_AUDITSYSCALL help The SuperH is a RISC processor targeted for use in embedded systems and consumer electronics; it was also used in the Sega Dreamcast diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig index c51efdc..9c74d6b 100644 --- a/arch/sparc/Kconfig +++ b/arch/sparc/Kconfig @@ -77,6 +77,7 @@ config SPARC64 select ARCH_HAVE_NMI_SAFE_CMPXCHG select HAVE_C_RECORDMCOUNT select NO_BOOTMEM + select HAVE_ARCH_AUDITSYSCALL
config ARCH_DEFCONFIG string diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common index 21ca44c..6915d28 100644 --- a/arch/um/Kconfig.common +++ b/arch/um/Kconfig.common @@ -1,6 +1,7 @@ config UML bool default y + select HAVE_ARCH_AUDITSYSCALL select HAVE_UID16 select GENERIC_IRQ_SHOW select GENERIC_CPU_DEVICES diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0af5250..2938365 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -127,6 +127,7 @@ config X86 select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 select HAVE_CC_STACKPROTECTOR + select HAVE_ARCH_AUDITSYSCALL
config INSTRUCTION_DECODER def_bool y diff --git a/init/Kconfig b/init/Kconfig index 009a797..d4ec53d 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -282,9 +282,12 @@ config AUDIT logging of avc messages output). Does not do system-call auditing without CONFIG_AUDITSYSCALL.
+config HAVE_ARCH_AUDITSYSCALL + bool + config AUDITSYSCALL bool "Enable system-call auditing support" - depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) + depends on AUDIT && HAVE_ARCH_AUDITSYSCALL default y if SECURITY_SELINUX help Enable low-overhead system-call auditing infrastructure that
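Review bot: The new `config HAVE_ARCH_AUDITSYSCALL` in the init/Kconfig hunk is a bare `bool` with nothing saying what an architecture has to provide before it may select the symbol, so the next port has to reverse-engineer the contract from the existing users. A short comment above it would carry that, for example `# Select if the arch provides syscall_get_arch(), regs_return_value() and calls audit_syscall_entry()/audit_syscall_exit() from its syscall trace path`, which is the set this series adds for arm64. Separately, a style nit: the ia64, parisc, powerpc, sh, sparc and x86 hunks append `select HAVE_ARCH_AUDITSYSCALL` after the last existing `select`, while the alpha, arm and s390 hunks slot it in alphabetically; keeping the lists sorted, as those three do, makes them easier to scan and less prone to trailing-line merge conflicts.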
On Tue, Feb 25, 2014 at 09:16:24AM +0000, AKASHI Takahiro wrote:
Currently AUDITSYSCALL has a long list of architecture depencency: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Looks sensible to me:
Acked-by: Will Deacon will.deacon@arm.com
Will
On 14/02/25, AKASHI Takahiro wrote:
Currently AUDITSYSCALL has a long list of architecture depencency: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Richard Guy Briggs rgb@redhat.com
arch/alpha/Kconfig | 1 + arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/parisc/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/s390/Kconfig | 1 + arch/sh/Kconfig | 1 + arch/sparc/Kconfig | 1 + arch/um/Kconfig.common | 1 + arch/x86/Kconfig | 1 + init/Kconfig | 5 ++++- 11 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig index f6c6b34..b7ff9a3 100644 --- a/arch/alpha/Kconfig +++ b/arch/alpha/Kconfig @@ -22,6 +22,7 @@ config ALPHA select GENERIC_SMP_IDLE_THREAD select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER
- select HAVE_ARCH_AUDITSYSCALL select HAVE_MOD_ARCH_SPECIFIC select MODULES_USE_ELF_RELA select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index e254198..ca79340 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -24,6 +24,7 @@ config ARM select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER select HARDIRQS_SW_RESEND
- select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT) select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL select HAVE_ARCH_KGDB select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig index 0c8e553..5409bf4 100644 --- a/arch/ia64/Kconfig +++ b/arch/ia64/Kconfig @@ -44,6 +44,7 @@ config IA64 select HAVE_MOD_ARCH_SPECIFIC select MODULES_USE_ELF_RELA select ARCH_USE_CMPXCHG_LOCKREF
- select HAVE_ARCH_AUDITSYSCALL default y help The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig index bb2a8ec..1faefed 100644 --- a/arch/parisc/Kconfig +++ b/arch/parisc/Kconfig @@ -28,6 +28,7 @@ config PARISC select CLONE_BACKWARDS select TTY # Needed for pdc_cons.c select HAVE_DEBUG_STACKOVERFLOW
- select HAVE_ARCH_AUDITSYSCALL
help The PA-RISC microprocessor is designed by Hewlett-Packard and used diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 957bf34..7b3b8fe 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -141,6 +141,7 @@ config PPC select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK select ARCH_USE_CMPXCHG_LOCKREF if PPC64
- select HAVE_ARCH_AUDITSYSCALL
config GENERIC_CSUM def_bool CPU_LITTLE_ENDIAN diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 65a0775..1b58568 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -103,6 +103,7 @@ config S390 select GENERIC_SMP_IDLE_THREAD select GENERIC_TIME_VSYSCALL select HAVE_ALIGNED_STRUCT_PAGE if SLUB
- select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL if !MARCH_G5 select HAVE_ARCH_SECCOMP_FILTER select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig index 6357710..4addd87 100644 --- a/arch/sh/Kconfig +++ b/arch/sh/Kconfig @@ -42,6 +42,7 @@ config SUPERH select MODULES_USE_ELF_RELA select OLD_SIGSUSPEND select OLD_SIGACTION
- select HAVE_ARCH_AUDITSYSCALL help The SuperH is a RISC processor targeted for use in embedded systems and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig index c51efdc..9c74d6b 100644 --- a/arch/sparc/Kconfig +++ b/arch/sparc/Kconfig @@ -77,6 +77,7 @@ config SPARC64 select ARCH_HAVE_NMI_SAFE_CMPXCHG select HAVE_C_RECORDMCOUNT select NO_BOOTMEM
- select HAVE_ARCH_AUDITSYSCALL
config ARCH_DEFCONFIG string diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common index 21ca44c..6915d28 100644 --- a/arch/um/Kconfig.common +++ b/arch/um/Kconfig.common @@ -1,6 +1,7 @@ config UML bool default y
- select HAVE_ARCH_AUDITSYSCALL select HAVE_UID16 select GENERIC_IRQ_SHOW select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 0af5250..2938365 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -127,6 +127,7 @@ config X86 select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64 select HAVE_CC_STACKPROTECTOR
- select HAVE_ARCH_AUDITSYSCALL
config INSTRUCTION_DECODER def_bool y diff --git a/init/Kconfig b/init/Kconfig index 009a797..d4ec53d 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -282,9 +282,12 @@ config AUDIT logging of avc messages output). Does not do system-call auditing without CONFIG_AUDITSYSCALL. +config HAVE_ARCH_AUDITSYSCALL
- bool
config AUDITSYSCALL bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
- depends on AUDIT && HAVE_ARCH_AUDITSYSCALL default y if SECURITY_SELINUX help Enable low-overhead system-call auditing infrastructure that
-- 1.7.9.5
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On Tue, Feb 25, 2014 at 1:16 AM, AKASHI Takahiro takahiro.akashi@linaro.org wrote:
Currently AUDITSYSCALL has a long list of architecture depencency: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/alpha/Kconfig | 1 + arch/arm/Kconfig | 1 + arch/ia64/Kconfig | 1 + arch/parisc/Kconfig | 1 + arch/powerpc/Kconfig | 1 + arch/s390/Kconfig | 1 + arch/sh/Kconfig | 1 + arch/sparc/Kconfig | 1 + arch/um/Kconfig.common | 1 + arch/x86/Kconfig | 1 + init/Kconfig | 5 ++++- 11 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig index f6c6b34..b7ff9a3 100644 --- a/arch/alpha/Kconfig +++ b/arch/alpha/Kconfig @@ -22,6 +22,7 @@ config ALPHA select GENERIC_SMP_IDLE_THREAD select GENERIC_STRNCPY_FROM_USER select GENERIC_STRNLEN_USER
select HAVE_ARCH_AUDITSYSCALL select HAVE_MOD_ARCH_SPECIFIC select MODULES_USE_ELF_RELA select ODD_RT_SIGACTION
Thanks.
Acked-by: Matt Turner mattst88@gmail.com
On Tue, 2014-02-25 at 18:16 +0900, AKASHI Takahiro wrote:
Currently AUDITSYSCALL has a long list of architecture depencency: depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA) The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL for simplicity.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig index 957bf34..7b3b8fe 100644 --- a/arch/powerpc/Kconfig +++ b/arch/powerpc/Kconfig @@ -141,6 +141,7 @@ config PPC select HAVE_DEBUG_STACKOVERFLOW select HAVE_IRQ_EXIT_ON_IRQ_STACK select ARCH_USE_CMPXCHG_LOCKREF if PPC64
- select HAVE_ARCH_AUDITSYSCALL
config GENERIC_CSUM def_bool CPU_LITTLE_ENDIAN
Looks good for powerpc.
Acked-by: Michael Ellerman mpe@ellerman.id.au
cheers
This macro is used mainly by audit to record system call results, but may also be used in test_kprobes.c.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
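Review bot: `regs_return_value()` takes a writable `struct pt_regs *` although it only reads `regs->regs[0]`; `static inline unsigned long regs_return_value(const struct pt_regs *regs)` states the read-only contract and lets callers that hold a const pointer use it. A one-line comment would also help, since the commit message calls this a macro while it is a static inline function; something like `/* x0 as left by the syscall handler; audit reads this when recording the exit */`. For compat (AArch32) tasks the helper returns whatever the 32-bit path left in regs[0], so if that value is not sign-extended to 64 bits a caller testing it with IS_ERR_VALUE() would misclassify errors — worth confirming and noting in the comment. The same hunk is reposted unchanged in v3 of the series, where the same applies.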
On AArch64, audit can be enabled with CONFIG_AUDIT_GENERIC. Most audit features are implemented in a generic way. This patch adds a small piece of architecture-dependent code. syscall_get_arch(), which is used in seccomp, should just return AUDIT_ARCH_*.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/syscall.h | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..3361fec 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <linux/sched.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,14 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(®s->regs[i], args, n * sizeof(args[0]));
 }
 
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+#ifdef __AARCH64EB__
+	return AUDIT_ARCH_AARCH64EB;
+#else
+	return AUDIT_ARCH_AARCH64;
+#endif
+}
+
 #endif /* __ASM_SYSCALL_H */
Generic audit code also supports compat system calls now. This patch adds a small piece of architecture-dependent code.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/audit.h | 20 ++++++++++++++++++++ arch/arm64/include/asm/syscall.h | 10 ++++++++++ 2 files changed, 30 insertions(+) create mode 100644 arch/arm64/include/asm/audit.h
diff --git a/arch/arm64/include/asm/audit.h b/arch/arm64/include/asm/audit.h
new file mode 100644
index 0000000..70eef50
--- /dev/null
+++ b/arch/arm64/include/asm/audit.h
@@ -0,0 +1,20 @@
+/*
+ * arch/arm64/include/asm/audit.h
+ *
+ * Copyright (C) 2013 Linaro Limited
+ * Author: AKASHI Takahiro takahiro.akashi@linaro.org
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef __ASM_AUDIT_H
+#define __ASM_AUDIT_H
+
+#include <linux/audit.h>
+
+#define audit_is_compat(arch) \
+	((arch == AUDIT_ARCH_ARM) || (arch == AUDIT_ARCH_ARMEB))
+
+#endif /* __ASM_AUDIT_H */
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 3361fec..d7660e9 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #include <linux/audit.h>
 #include <linux/err.h>
 #include <linux/sched.h>
+#include <asm/compat.h>
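Review bot: `audit_is_compat(arch)` in the new audit.h expands its argument without parentheses, so `arch == AUDIT_ARCH_ARM` binds wrongly for any non-trivial argument expression such as a conditional or a cast; the usual macro hygiene is `#define audit_is_compat(arch) (((arch) == AUDIT_ARCH_ARM) || ((arch) == AUDIT_ARCH_ARMEB))`. A `static inline bool` would additionally give type checking on the argument, provided the generic audit code does not require this to be a macro — worth checking before switching.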
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(struct task_struct *task,
 				   struct pt_regs *regs)
 {
+#ifdef CONFIG_COMPAT
+	if (is_compat_thread(task_thread_info(task)))
+#ifdef __AARCH64EB__
+		return AUDIT_ARCH_ARMEB;	/* only BE on BE */
+#else
+		return AUDIT_ARCH_ARM;
+#endif
+#endif
+
 #ifdef __AARCH64EB__
 	return AUDIT_ARCH_AARCH64EB;
 #else
Hi Akashi,
On Fri, Jan 17, 2014 at 08:13:17AM +0000, AKASHI Takahiro wrote:
Generic audit code also support compat system calls now. This patch adds a small piece of architecture dependent code.
[...]
static inline int syscall_get_nr(struct task_struct *task, @@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task, static inline int syscall_get_arch(struct task_struct *task, struct pt_regs *regs) { +#ifdef CONFIG_COMPAT
- if (is_compat_thread(task_thread_info(task)))
You can call is_compat_thread even when !CONFIG_COMPAT, so you don't need that #ifdef.
+#ifdef __AARCH64EB__
return AUDIT_ARCH_ARMEB; /* only BE on BE */
Well, actually, we only support userspace to be the same endianness as the kernel, so that comment is slightly misleading. You could probably avoid these repeated ifdefs by defining things like ARM64_AUDIT_ARCH and ARM64_COMPAT_AUDIT_ARCH once depending on endianness.
Will
On 01/18/2014 01:46 AM, Will Deacon wrote:
Hi Akashi,
On Fri, Jan 17, 2014 at 08:13:17AM +0000, AKASHI Takahiro wrote:
Generic audit code also support compat system calls now. This patch adds a small piece of architecture dependent code.
[...]
static inline int syscall_get_nr(struct task_struct *task, @@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task, static inline int syscall_get_arch(struct task_struct *task, struct pt_regs *regs) { +#ifdef CONFIG_COMPAT
- if (is_compat_thread(task_thread_info(task)))
You can call is_compat_thread even when !CONFIG_COMPAT, so you don't need that #ifdef.
Right. I will remove it.
+#ifdef __AARCH64EB__
return AUDIT_ARCH_ARMEB; /* only BE on BE */
Well, actually, we only support userspace to be the same endianness as the kernel, so you that comment is slightly misleading. You could probably avoid these repeated ifdefs by defining things like ARM64_AUDIT_ARCH and ARM64_COMPAT_AUDIT_ARCH once depending on endianness.
As in the discussions about "audit(userspace)", if we don't have to care about endianness, I will remove this #ifdef instead.
Thanks, -Takahiro AKASHI
Will
The generic compat syscall audit code (lib/compat_audit.c) requires unistd_32.h for the __NR_xyx compat syscall numbers. On arm64 this is a different file from unistd32.h, so it must be generated from unistd32.h.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Makefile | 4 ++++ arch/arm64/kernel/syscalls/Makefile | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 arch/arm64/kernel/syscalls/Makefile
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 2fceb71..6d24f92 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -72,6 +72,10 @@ PHONY += vdso_install
 vdso_install:
 	$(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
 
+# Compat syscall header generation
+archheaders:
+	$(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
+
 # We use MRPROPER_FILES and CLEAN_FILES now
 archclean:
 	$(Q)$(MAKE) $(clean)=$(boot)
diff --git a/arch/arm64/kernel/syscalls/Makefile b/arch/arm64/kernel/syscalls/Makefile
new file mode 100644
index 0000000..7661113
--- /dev/null
+++ b/arch/arm64/kernel/syscalls/Makefile
@@ -0,0 +1,20 @@
+out := $(obj)/../../include/generated/asm
+
+# Create output directory if not already present
+_dummy := $(shell [ -d '$(out)' ] || mkdir -p '$(out)')
+
+syshdr-$(CONFIG_COMPAT) += unistd_32.h
+
+targets += $(syshdr-y)
+
+quiet_cmd_syshdr = SYSHDR $@
+      cmd_syshdr = cat $< | sed -r \
+		-e 's/compat_//' \
+		-e 's/_wrapper//' \
+		-e 's/^__SYSCALL((.*),[ ]*sys_([^)].*)).*/#define __NR_\2 \1/p;d' \
+		| grep -v __NR_ni_syscall > $@
+
+archheaders: $(addprefix $(out)/,$(syshdr-y))
+
+$(out)/unistd_32.h: $(src)/../../include/asm/unistd32.h
+	$(call if_changed,syshdr)
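Review bot: `cmd_syshdr` in the new syscalls/Makefile chains `cat $< | sed -r ... | grep -v __NR_ni_syscall > $@`, so only grep's exit status reaches kbuild and a failing sed (or an unreadable input) still leaves a truncated `unistd_32.h` behind for the build to compile against. Running sed on the input directly, `cmd_syshdr = sed -r ... $< | grep -v __NR_ni_syscall > $@`, drops the redundant `cat`; writing to a temporary file and moving it into place only after the pipeline completes would at least avoid leaving a half-written header. `_dummy := $(shell ... mkdir -p '$(out)')` runs at parse time on every invocation, including `make clean`; a `mkdir -p $(dir $@)` inside the `$(out)/unistd_32.h` recipe is the more conventional form. As rendered here the `__SYSCALL(...)` parentheses in the sed expression are unescaped, which under `-r` makes them groups rather than literals — presumably a mail or rendering artifact (the later reply quotes the script the same way), but worth verifying in the applied patch.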
On Fri, Jan 17, 2014 at 08:13:18AM +0000, AKASHI Takahiro wrote:
generic compat sycall audit (lib/compat_audit.c) requires unistd_32.h for __NR_xyx compat syscall numbers. This is a different file from unistd32.h on arm64 and so it must be generated from unistd32.h.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/Makefile | 4 ++++ arch/arm64/kernel/syscalls/Makefile | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 arch/arm64/kernel/syscalls/Makefile
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index 2fceb71..6d24f92 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -72,6 +72,10 @@ PHONY += vdso_install vdso_install: $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@ +# Compat syscall header generation +archheaders:
- $(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
See my other post to the lib/compat_audit.c file. I think that's too complex for what you need.
Catalin,
On 01/23/2014 11:53 PM, Catalin Marinas wrote:
On Fri, Jan 17, 2014 at 08:13:18AM +0000, AKASHI Takahiro wrote:
generic compat sycall audit (lib/compat_audit.c) requires unistd_32.h for __NR_xyx compat syscall numbers. This is a different file from unistd32.h on arm64 and so it must be generated from unistd32.h.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/Makefile | 4 ++++ arch/arm64/kernel/syscalls/Makefile | 20 ++++++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 arch/arm64/kernel/syscalls/Makefile
diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile index 2fceb71..6d24f92 100644 --- a/arch/arm64/Makefile +++ b/arch/arm64/Makefile @@ -72,6 +72,10 @@ PHONY += vdso_install vdso_install: $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
+# Compat syscall header generation +archheaders:
- $(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
See my other post to the lib/compat_audit.c file. I think that's too complex for what you need.
The generation script is getting more complex than I assumed at first, because some of the system call names are a bit inconsistent with the native 32-bit system calls, for example fchown16 vs. fchown, and fchown vs. fchown32.
Now my tentative sed script looks like: +quiet_cmd_syshdr = SYSHDR $@ + cmd_syshdr = cat $< | sed -r \ + -e 's/compat_//' \ + -e 's/_wrapper//' \ + -e 's/(sys_[fl]?chown)())/\132)/' \ + -e 's/(sys_[gs]et)(|e|fs|re|res)(uid))/\1\2uid32)/' \ + -e 's/(sys_[gs]et)(|e|fs|re|res)(gid))/\1\2gid32)/' \ + -e 's/(sys_[gs]etgroups)())/\132)/' \ + -e 's/(sys_new)(.*)/sys_\2/' \ + -e 's/sys_mmap_pgoff/sys_mmap2/' \ + -e 's/(sys_[_a-z]*)16(.*)/\1\2/' \ + -e 's/^__SYSCALL((.*),[ ]*sys_([^)].*)).*/#define __NR_\2 \1/p;d' \ + | grep -v __NR_ni_syscall > $@
So, yeah, I agree with you now.
-Takahiro AKASHI
This patch adds auditing functions on entry to or exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 12 ++++++++++++ 3 files changed, 16 insertions(+)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..7468388 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 4d2c6f3..5bb2c26 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,6 +631,9 @@ el0_svc_naked:					// compat entry point
 	get_thread_info tsk
 	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
 	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 	adr	lr, ret_fast_syscall		// return address
 	cmp	scno, sc_nr			// check upper syscall limit
 	b.hs	ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6777a21..2ca169b 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program. If not, see http://www.gnu.org/licenses/.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1064,6 +1066,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+#ifdef CONFIG_AUDITSYSCALL
+	if (dir)
+		audit_syscall_exit(regs);
+	else
+		audit_syscall_entry(syscall_get_arch(current, regs),
+				    (int)regs->syscallno,
+				    regs->orig_x0, regs->regs[1],
+				    regs->regs[2], regs->regs[3]);
+#endif /* CONFIG_AUDITSYSCALL */
+
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
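Review bot: In the `syscall_trace()` hunk `audit_syscall_entry()` runs before the `TIF_SYSCALL_TRACE` check and therefore before the ptrace syscall-entry stop that the rest of the function handles (its body continues outside the hunk), so when a tracer rewrites `regs->syscallno` or the argument registers at that stop, the audit record keeps the pre-ptrace values, while on the exit side `audit_syscall_exit()` correctly runs first. The arm and x86 entry paths report to the tracer first and call `audit_syscall_entry()` afterwards; moving the `dir == 0` branch below the tracehook path would make the record describe the syscall that is actually executed. For an audit consumer this is the difference between logging the original syscall and the one a debugger substituted.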
On Fri, Jan 17, 2014 at 08:13:19AM +0000, AKASHI Takahiro wrote:
@@ -1064,6 +1066,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg; +#ifdef CONFIG_AUDITSYSCALL
- if (dir)
audit_syscall_exit(regs);
- else
audit_syscall_entry(syscall_get_arch(current, regs),
(int)regs->syscallno,
regs->orig_x0, regs->regs[1],
regs->regs[2], regs->regs[3]);
+#endif /* CONFIG_AUDITSYSCALL */
It should work without the #ifdef as audit_syscall_exit/entry are dummy static inline functions when !CONFIG_AUDITSYSCALL.
On 14/01/17, AKASHI Takahiro wrote:
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM[EB]) and 64-bit tasks (AUDIT_ARCH_AARCH64[EB]) are supported, but presuming 32-LE on 64-LE or 32-BE on 64-BE.
There are some prerequisites for this patch to work correctly:
- "generic compat system call audit support" patch
- "correct a type mismatch in audit_syscall_exit()" patch (already accepted and queued in 3.14)
- "Modify a set of system calls in audit class" patch
- userspace audit tool (v2.3.2 + my patch for arm64)
All those were already or will be soon posted separately. Please review them as well for better understandings.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways:
- basic operations with auditctl/autrace
# auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
- audit-test-code (+ my workarounds for arm/arm64)
by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2:
- Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h.
- Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6]
- Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (6): audit: Enable arm64 support arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add 32-bit (compat) syscall support arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Makefile | 4 ++++ arch/arm64/include/asm/audit.h | 20 ++++++++++++++++++++ arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 22 ++++++++++++++++++++++ arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 12 ++++++++++++ arch/arm64/kernel/syscalls/Makefile | 20 ++++++++++++++++++++ include/uapi/linux/audit.h | 2 ++ init/Kconfig | 2 +- 10 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 arch/arm64/include/asm/audit.h create mode 100644 arch/arm64/kernel/syscalls/Makefile
-- 1.7.9.5
Set: Acked-by: Richard Guy Briggs rgb@redhat.com
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "generic compat system call audit support" patch * "correct a type mismatch in audit_syscall_exit()" patch (already accepted and queued in 3.14) * "Modify a set of system calls in audit class" patch (already accepted and queued in 3.14) * "__NR_* definitions for compat syscalls" patch from Catalin * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
AKASHI Takahiro (3): arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 10 ++++++++++ include/uapi/linux/audit.h | 1 + 7 files changed, 36 insertions(+)
This macro, regs_return_value, is used mainly by audit to record system call results, but may also be used in test_kprobes.c.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
On Mon, Feb 03, 2014 at 06:56:28AM +0000, AKASHI Takahiro wrote:
This macro, regs_return_value, is used mainly for audit to record system call's results, but may also be used in test_kprobes.c.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Will Deacon will.deacon@arm.com
Will
On AArch64, audit is supported through the generic lib/audit.c and compat_audit.c, and so this patch adds the required arch-specific definitions.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 6d4dd22..3c21405 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -19,6 +19,7 @@ config ARM64 select GENERIC_SMP_IDLE_THREAD select GENERIC_TIME_VSYSCALL select HARDIRQS_SW_RESEND + select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_BUGVERBOSE select HAVE_DEBUG_KMEMLEAK diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h index 70ba9d4..6900183 100644 --- a/arch/arm64/include/asm/syscall.h +++ b/arch/arm64/include/asm/syscall.h @@ -16,7 +16,9 @@ #ifndef __ASM_SYSCALL_H #define __ASM_SYSCALL_H
+#include <linux/audit.h> #include <linux/err.h> +#include <asm/compat.h>
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 memcpy(®s->regs[i], args, n * sizeof(args[0]));
 }
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
+{
+ if (is_compat_thread(task_thread_info(task)))
+ return AUDIT_ARCH_ARM;
+
+ return AUDIT_ARCH_AARCH64;
+}
+
 #endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0a73cf3..cf27cae 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,6 +327,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB (EM_ARM)
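Review bot: The comment above syscall_get_arch() says endianness is ignored, but both values the function returns carry __AUDIT_ARCH_LE, so a big-endian AArch64 kernel reports itself as little-endian and a big-endian AArch32 task is reported as AUDIT_ARCH_ARM although AUDIT_ARCH_ARMEB exists for it in the same audit.h hunk. The arch value is what audit rules keyed on `-F arch=` match against, and seccomp filters later see the same value through this helper, so policies written for the BE variant would silently not apply; the cover letter already lists the missing 32-bit endian check. The comment should state what is actually meant, e.g. `/* AUDIT_ARCH_AARCH64 carries __AUDIT_ARCH_LE unconditionally: BE and LE kernels share one syscall table, so user space sees a single arch value */`, and the compat branch should choose between AUDIT_ARCH_ARM and AUDIT_ARCH_ARMEB from the task's endianness once that check is in place.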
On Mon, Feb 03, 2014 at 06:56:29AM +0000, AKASHI Takahiro wrote:
On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds arch specific definitions required.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
Acked-by: Will Deacon will.deacon@arm.com
Will
This patch adds auditing functions on entry to or exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 10 ++++++++++ 3 files changed, 14 insertions(+)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..7468388 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED 1
 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
 #define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
 #define TIF_POLLING_NRFLAG 16
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 827cbad..83c4b29 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,6 +630,9 @@ el0_svc_naked: // compat entry point
 get_thread_info tsk
 ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
 tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+ tbnz x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 adr lr, ret_fast_syscall // return address
 cmp scno, sc_nr // check upper syscall limit
 b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6777a21..75a3f23 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
 * along with this program. If not, see http://www.gnu.org/licenses/.
 */
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
@@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
+ if (dir)
+ audit_syscall_exit(regs);
+ else
+ audit_syscall_entry(syscall_get_arch(current, regs),
+ (int)regs->syscallno,
+ regs->orig_x0, regs->regs[1],
+ regs->regs[2], regs->regs[3]);
+
 if (!test_thread_flag(TIF_SYSCALL_TRACE))
 return regs->syscallno;
On Mon, Feb 03, 2014 at 06:56:30AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 10 ++++++++++ 3 files changed, 14 insertions(+)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..7468388 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NEED_RESCHED 1 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ #define TIF_SYSCALL_TRACE 8 +#define TIF_SYSCALL_AUDIT 9 #define TIF_POLLING_NRFLAG 16 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_FREEZE 19 diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 827cbad..83c4b29 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -630,6 +630,9 @@ el0_svc_naked: // compat entry point get_thread_info tsk ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls? +#ifdef CONFIG_AUDITSYSCALL
- tbnz x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
Could we avoid the back-to-back tbnz instructions with a single mask? It's not obvious that it will end up any better, but it would be good to know.
adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6777a21..75a3f23 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@
- along with this program. If not, see http://www.gnu.org/licenses/.
*/ +#include <linux/audit.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> @@ -38,6 +39,7 @@ #include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/pgtable.h> +#include <asm/syscall.h> #include <asm/traps.h> #include <asm/system_misc.h> @@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg;
- if (dir)
audit_syscall_exit(regs);
- else
audit_syscall_entry(syscall_get_arch(current, regs),
(int)regs->syscallno,
regs->orig_x0, regs->regs[1],
regs->regs[2], regs->regs[3]);
Do we really want to perform the audit checks before the tracehook calls? Remember that the latter can rewrite all of the registers.
Will
On 02/05/2014 02:31 AM, Will Deacon wrote:
On Mon, Feb 03, 2014 at 06:56:30AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/include/asm/thread_info.h | 1 + arch/arm64/kernel/entry.S | 3 +++ arch/arm64/kernel/ptrace.c | 10 ++++++++++ 3 files changed, 14 insertions(+)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..7468388 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NEED_RESCHED 1 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ #define TIF_SYSCALL_TRACE 8 +#define TIF_SYSCALL_AUDIT 9 #define TIF_POLLING_NRFLAG 16 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_FREEZE 19 diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 827cbad..83c4b29 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -630,6 +630,9 @@ el0_svc_naked: // compat entry point get_thread_info tsk ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls? +#ifdef CONFIG_AUDITSYSCALL
- tbnz x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
Could we avoid the back-to-back tbnz instructions with a single mask? It's not obvious that it will end up any better, but it would be good to know.
When I first implemented ftrace support, TIF_SYSCALL_TRACEPOINT was defined as 10, and the 'tst' instruction did not accept the following code: tst x16, #(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_TRACEPOINT)
That is why I've used "back-to-back" tbnz since then, but now that I'm going to submit ftrace, audit and later seccomp, I will replace it with: #define TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE|TRACEPOINT|AUDIT|SECCOMP)
tst x16, #TIF_SYSCALL_WORK b.ne __syscall_trace
adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6777a21..75a3f23 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@
- along with this program. If not, see http://www.gnu.org/licenses/.
*/
+#include <linux/audit.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> @@ -38,6 +39,7 @@ #include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/pgtable.h> +#include <asm/syscall.h> #include <asm/traps.h> #include <asm/system_misc.h>
@@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg;
- if (dir)
audit_syscall_exit(regs);
- else
audit_syscall_entry(syscall_get_arch(current, regs),
(int)regs->syscallno,
regs->orig_x0, regs->regs[1],
regs->regs[2], regs->regs[3]);
Do we really want to perform the audit checks before the tracehook calls? Remember that the latter can rewrite all of the registers.
OK. I will change the code to make calls in the following order: On entry, *secure_computing *tracehook_report_syscall(ENTER) *trace_sys_enter *audit_syscall_entry On exit, *audit_syscall_exit *trace_sys_exit *tracehook_report_syscall(EXIT)
This order is exactly the same as on x86, but such a change might reduce the readability of syscall_trace().
Thanks, -Takahiro AKASHI
Will
Currently syscall_trace() is called only for ptrace. With the additional TIF_xx flags introduced here, it is now called for audit, ftrace and seccomp as well as for ptrace. Those features will be implemented later, but it is safe to include the flags now because they cannot be turned on yet.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- arch/arm64/kernel/ptrace.c | 11 +++++------ 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..c3df797 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
 * thread information flags:
 * TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ * TIF_SYSCALL_AUDIT - syscall auditing
+ * TIF_SECOMP - syscall secure computing
 * TIF_SIGPENDING - signal pending
 * TIF_NEED_RESCHED - rescheduling necessary
 * TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED 1
 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
 #define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
+#define TIF_SYSCALL_TRACEPOINT 10
+#define TIF_SECCOMP 11
 #define TIF_POLLING_NRFLAG 16
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 #define _TIF_32BIT (1 << TIF_32BIT)
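Review bot: The new description line in the thread_info.h header comment reads `TIF_SECOMP` while the flag defined a few lines below is `TIF_SECCOMP`, so a grep for the flag name will not find its documentation. The comment line should be ` * TIF_SECCOMP - syscall secure computing`. The same misspelling is carried into the v2 patch's thread_info.h hunk (index 720e70b..0a8b2a9) later in the thread.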
 #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 _TIF_NOTIFY_RESUME)
+#define _TIF_WORK_SYSCALL (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..c94b2ab 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point
 enable_irq
 get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_WORK_SYSCALL
+ b.ne __sys_trace
 adr lr, ret_fast_syscall // return address
 cmp scno, sc_nr // check upper syscall limit
 b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..64ce39f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return regs->syscallno;
-
 if (is_compat_task()) {
 /* AArch32 uses ip (r12) for scratch */
 saved_reg = regs->regs[12];
@@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 regs->regs[7] = dir;
 }
- if (dir)
+ if (dir) {
 tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
- regs->syscallno = ~0UL;
+ } else {
+ if (tracehook_report_syscall_entry(regs))
+ regs->syscallno = ~0UL;
+ }
 if (is_compat_task())
 regs->regs[12] = saved_reg;
On 14/02/07, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags introduced, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace. Those features will be implemented later, but it's safe to include them now because they can not be turned on anyway.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- arch/arm64/kernel/ptrace.c | 11 +++++------ 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..c3df797 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void) /*
- thread information flags:
- TIF_SYSCALL_TRACE - syscall trace active
- TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
- TIF_SYSCALL_AUDIT - syscall auditing
- TIF_SECOMP - syscall secure computing
- TIF_SIGPENDING - signal pending
- TIF_NEED_RESCHED - rescheduling necessary
- TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NEED_RESCHED 1 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ #define TIF_SYSCALL_TRACE 8 +#define TIF_SYSCALL_AUDIT 9 +#define TIF_SYSCALL_TRACEPOINT 10 +#define TIF_SECCOMP 11 #define TIF_POLLING_NRFLAG 16 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_FREEZE 19 @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) +#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) +#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) +#define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_32BIT (1 << TIF_32BIT) #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \ _TIF_NOTIFY_RESUME) +#define _TIF_WORK_SYSCALL (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
_TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
#endif /* __KERNEL__ */ #endif /* __ASM_THREAD_INFO_H */ diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 39ac630..c94b2ab 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point enable_irq get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
- ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
- tst x16, #_TIF_WORK_SYSCALL
- b.ne __sys_trace adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6a8928b..64ce39f 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) { /* AArch32 uses ip (r12) for scratch */ saved_reg = regs->regs[12];
@@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) regs->regs[7] = dir; }
- if (dir)
- if (dir) { tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- } else {
if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- }
if (is_compat_task()) regs->regs[12] = saved_reg; -- 1.7.9.5
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On Fri, Feb 07, 2014 at 10:07:31AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags introduced, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace. Those features will be implemented later, but it's safe to include them now because they can not be turned on anyway.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- arch/arm64/kernel/ptrace.c | 11 +++++------ 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..c3df797 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h
[...]
+#define _TIF_WORK_SYSCALL (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
_TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
This is called _TIF_SYSCALL_WORK on arch/arm/, any reason not to follow the naming convention here?
#endif /* __KERNEL__ */ #endif /* __ASM_THREAD_INFO_H */ diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 39ac630..c94b2ab 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point enable_irq get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
- ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
- tst x16, #_TIF_WORK_SYSCALL
- b.ne __sys_trace adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6a8928b..64ce39f 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
This doesn't look right for things like audit (where we don't want to report the syscall if only _TIF_SYSCALL_AUDIT is set, for example).
if (is_compat_task()) { /* AArch32 uses ip (r12) for scratch */ saved_reg = regs->regs[12]; @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) regs->regs[7] = dir; }
- if (dir)
- if (dir) { tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- } else {
if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- }
This hunk doesn't do anything.
Will
Hi,
On 02/18/2014 02:35 AM, Will Deacon wrote:
On Fri, Feb 07, 2014 at 10:07:31AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags introduced, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace. Those features will be implemented later, but it's safe to include them now because they can not be turned on anyway.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- arch/arm64/kernel/ptrace.c | 11 +++++------ 3 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..c3df797 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h
[...]
+#define _TIF_WORK_SYSCALL (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
_TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
This is called _TIF_SYSCALL_WORK on arch/arm/, any reason not to follow the naming convention here?
This is called _TIF_WORK_SYSCALL on arch/x86 :-) That is the only reason, and so I don't have any objection to following arm if you prefer it.
#endif /* __KERNEL__ */ #endif /* __ASM_THREAD_INFO_H */ diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index 39ac630..c94b2ab 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point enable_irq
get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
- ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
- tst x16, #_TIF_WORK_SYSCALL
- b.ne __sys_trace adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6a8928b..64ce39f 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) { unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
This doesn't look right for things like audit (where we don't want to report the syscall if only _TIF_SYSCALL_AUDIT is set, for example).
Yeah, it is my screwup. I will add the guards against TIF_SYSCALL_TRACE (for ptrace), TIF_SYSCALL_TRACEPOINT (for ftrace) and TIF_SYSCALL_AUDIT (for audit).
secure_computing() is protected in itself.
if (is_compat_task()) { /* AArch32 uses ip (r12) for scratch */ saved_reg = regs->regs[12]; @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) regs->regs[7] = dir; }
- if (dir)
- if (dir) { tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- } else {
if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- }
This hunk doesn't do anything.
Well, this is just a change for future patches, but I will remove it anyway due to the guards mentioned above.
-Takahiro AKASHI
Will
This patch makes it easy to add syscall-related hooks, including ftrace, audit and seccomp, to syscall_trace() later. Those features will be implemented in separate patchsets, but it is safe to check for all the TIF_* flags now because they cannot be turned on yet.
Changes v1 -> v2: * added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*() * renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK
AKASHI Takahiro (1): arm64: make a single hook to syscall_trace() for all syscall features
arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
Currently syscall_trace() is called only for ptrace. With the additional TIF_xx flags defined here, it is now called for audit, ftrace and seccomp as well as for ptrace.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com --- arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
 * thread information flags:
 * TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ * TIF_SYSCALL_AUDIT - syscall auditing
+ * TIF_SECOMP - syscall secure computing
 * TIF_SIGPENDING - signal pending
 * TIF_NEED_RESCHED - rescheduling necessary
 * TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED 1
 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
 #define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
+#define TIF_SYSCALL_TRACEPOINT 10
+#define TIF_SECCOMP 11
 #define TIF_POLLING_NRFLAG 16
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 #define _TIF_32BIT (1 << TIF_32BIT)
 #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 _TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked: // compat entry point
 enable_irq
 get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_SYSCALL_WORK
+ b.ne __sys_trace
 adr lr, ret_fast_syscall // return address
 cmp scno, sc_nr // check upper syscall limit
 b.hs ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return regs->syscallno;
-
- if (is_compat_task()) {
- /* AArch32 uses ip (r12) for scratch */
- saved_reg = regs->regs[12];
- regs->regs[12] = dir;
- } else {
- /*
- * Save X7. X7 is used to denote syscall entry/exit:
- * X7 = 0 -> entry, = 1 -> exit
- */
- saved_reg = regs->regs[7];
- regs->regs[7] = dir;
- }
+ if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+ if (is_compat_task()) {
+ /* AArch32 uses ip (r12) for scratch */
+ saved_reg = regs->regs[12];
+ regs->regs[12] = dir;
+ } else {
+ /*
+ * Save X7. X7 is used to denote syscall entry/exit:
+ * X7 = 0 -> entry, = 1 -> exit
+ */
+ saved_reg = regs->regs[7];
+ regs->regs[7] = dir;
+ }
- if (dir)
- tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
- regs->syscallno = ~0UL;
+ if (dir)
+ tracehook_report_syscall_exit(regs, 0);
+ else if (tracehook_report_syscall_entry(regs))
+ regs->syscallno = ~0UL;
- if (is_compat_task())
- regs->regs[12] = saved_reg;
- else
- regs->regs[7] = saved_reg;
+ if (is_compat_task())
+ regs->regs[12] = saved_reg;
+ else
+ regs->regs[7] = saved_reg;
+ }
 return regs->syscallno;
 }
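Review bot: With _TIF_SYSCALL_WORK now covering _TIF_SECCOMP and _TIF_SYSCALL_TRACEPOINT, a task carrying either flag is routed into syscall_trace(), where the only handler is the ptrace block guarded by TIF_SYSCALL_TRACE, so the syscall then runs with no filter or tracepoint applied. The commit message relies on those flags being unsettable on arm64 for now, which presumably holds only while the architecture does not select the corresponding Kconfig options, and nothing in the code records that dependency for whoever enables them. A comment at the top of the function would make it explicit: `/* TIF_SYSCALL_AUDIT, TIF_SYSCALL_TRACEPOINT and TIF_SECCOMP also land here; their handlers arrive with later patches, so those flags must stay unsettable until then */`. The function is fully contained in the hunk.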
On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..0a8b2a9 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void) /*
- thread information flags:
- TIF_SYSCALL_TRACE - syscall trace active
- TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
- TIF_SYSCALL_AUDIT - syscall auditing
- TIF_SECOMP - syscall secure computing
- TIF_SIGPENDING - signal pending
- TIF_NEED_RESCHED - rescheduling necessary
- TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NEED_RESCHED 1 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ #define TIF_SYSCALL_TRACE 8 +#define TIF_SYSCALL_AUDIT 9 +#define TIF_SYSCALL_TRACEPOINT 10 +#define TIF_SECCOMP 11 #define TIF_POLLING_NRFLAG 16 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_FREEZE 19 @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) +#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) +#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) +#define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_32BIT (1 << TIF_32BIT) #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \ _TIF_NOTIFY_RESUME) +#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
_TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked: // compat entry point
 enable_irq
 get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
- ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
- tst x16, #_TIF_SYSCALL_WORK
- b.ne __sys_trace adr lr, ret_fast_syscall // return address cmp scno, sc_nr // check upper syscall limit b.hs ni_sys
All looks fine up to here.
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
- } else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
- }
- if (test_thread_flag(TIF_SYSCALL_TRACE)) {
if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
} else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
}
- if (dir)
tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
if (dir)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
regs->regs[12] = saved_reg;
- else
regs->regs[7] = saved_reg;
if (is_compat_task())
regs->regs[12] = saved_reg;
else
regs->regs[7] = saved_reg;
- }
Aren't these changes (to ptrace.c) just a giant NOP?
Will
On 02/26/2014 12:00 AM, Will Deacon wrote:
On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
[...]
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
- } else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
- }
- if (test_thread_flag(TIF_SYSCALL_TRACE)) {
if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
} else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
}
- if (dir)
tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
if (dir)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
regs->regs[12] = saved_reg;
- else
regs->regs[7] = saved_reg;
if (is_compat_task())
regs->regs[12] = saved_reg;
else
regs->regs[7] = saved_reg;
- }
Aren't these changes (to ptrace.c) just a giant NOP?
Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set, and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*() later on.
-Takahiro AKASHI
Will
On Wed, Feb 26, 2014 at 02:00:19AM +0000, AKASHI Takahiro wrote:
On 02/26/2014 12:00 AM, Will Deacon wrote:
On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
[...]
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
- } else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
- }
- if (test_thread_flag(TIF_SYSCALL_TRACE)) {
if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
} else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
}
- if (dir)
tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
if (dir)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
regs->regs[12] = saved_reg;
- else
regs->regs[7] = saved_reg;
if (is_compat_task())
regs->regs[12] = saved_reg;
else
regs->regs[7] = saved_reg;
- }
Aren't these changes (to ptrace.c) just a giant NOP?
Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set, and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*() later on.
The existing code already checks TIF_SYSCALL_TRACE. I'd rather you added this new code when it's actually needed (e.g. when adding audit on top).
Will
On 02/26/2014 08:25 PM, Will Deacon wrote:
On Wed, Feb 26, 2014 at 02:00:19AM +0000, AKASHI Takahiro wrote:
On 02/26/2014 12:00 AM, Will Deacon wrote:
On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/thread_info.h | 13 ++++++++++ arch/arm64/kernel/entry.S | 5 ++-- arch/arm64/kernel/ptrace.c | 45 +++++++++++++++++----------------- 3 files changed, 38 insertions(+), 25 deletions(-)
[...]
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
- } else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
- }
- if (test_thread_flag(TIF_SYSCALL_TRACE)) {
if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
} else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
}
- if (dir)
tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
if (dir)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
regs->regs[12] = saved_reg;
- else
regs->regs[7] = saved_reg;
if (is_compat_task())
regs->regs[12] = saved_reg;
else
regs->regs[7] = saved_reg;
- }
Aren't these changes (to ptrace.c) just a giant NOP?
Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set, and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*() later on.
The existing code already checks TIF_SYSCALL_TRACE. I'd rather you added this new code when it's actually needed (e.g. when adding audit on top).
* This patch is required only if you really merge my audit and/or ftrace patch. * Putting these changes in audit patch would impose an extra (unnecessary) dependency on ftrace patch. * Putting them both in audit and ftrace patch would cause a conflict when applying both patches.
Even so, since I don't want to bother you over this minor issue, I will follow your comment and make the changes in: * arm64: make a single hook to syscall_trace() for all syscall features * arm64: Add audit support * arm64: Add ftrace support
-Takahiro AKASHI
Will
This patchset contains some patches commonly used by audit and ftrace.
Patch [1/2] defines system call related TIF_* flags to add syscall_trace() hooks, including ftrace, audit and seccomp, later. Those features will be implemented in separate patchsets, but it's safe to check for all TIF_* now because they can not be turned on anyway.
Patch [2/2] adds a function which returns a return value of system call.
Changes v1 -> v2: * added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*() * renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK
Changes v2 -> v3: * reverted a change in syscall_trace() in v1 [1/2] * added "arm64: Add regs_return_value() in syscall.h" patch which was previously included in audit patch [2/2]
AKASHI Takahiro (2): arm64: make a single hook to syscall_trace() for all syscall features arm64: Add regs_return_value() in syscall.h
arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- 3 files changed, 21 insertions(+), 2 deletions(-)
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  * TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ * TIF_SYSCALL_AUDIT - syscall auditing
+ * TIF_SECOMP - syscall secure computing
  * TIF_SIGPENDING - signal pending
  * TIF_NEED_RESCHED - rescheduling necessary
  * TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED 1
 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
 #define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
+#define TIF_SYSCALL_TRACEPOINT 10
+#define TIF_SECCOMP 11
 #define TIF_POLLING_NRFLAG 16
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 #define _TIF_32BIT (1 << TIF_32BIT)
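Review bot: The new flag description `+ * TIF_SECOMP - syscall secure computing` names a flag that does not exist; the define added in the next hunk is `TIF_SECCOMP 11`, so the line should read `* TIF_SECCOMP - syscall secure computing`. The same misspelled line is carried unchanged into the v3 and v5 reposts of this patch later in the thread, so it is worth fixing once here before it lands in three series.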
 #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 _TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked: // compat entry point
 enable_irq
 get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_SYSCALL_WORK
+ b.ne __sys_trace
 adr lr, ret_fast_syscall // return address
 cmp scno, sc_nr // check upper syscall limit
 b.hs ni_sys
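Review bot: Nothing documents that `_TIF_SYSCALL_WORK` must stay encodable as an AArch64 logical immediate, yet the new `tst x16, #_TIF_SYSCALL_WORK` uses it as one; the four flags sit in adjacent bits 8-11, which assembles today, but a later flag placed at a non-adjacent bit would not. A comment next to the mask in thread_info.h, e.g. `/* used as a tst immediate in entry.S: keep these flags in adjacent bits */`, records the constraint where the next person will add a flag. The encoding limit is inferred from the immediate form of `tst` rather than stated in the patch, so confirm it against the assembler before relying on it.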
On Fri, Feb 28, 2014 at 05:14:24AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Will Deacon will.deacon@arm.com
Will
This macro, regs_return_value, is used mainly by audit to record a system call's result, but may also be used in test_kprobes.c.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 ((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
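Review bot: The new `regs_return_value()` lands without a comment, and the commit message calls it a macro although the hunk adds a `static inline` function; a one-line header such as `/* Value returned to user by the system call just executed (x0). */` would state the contract. Because it returns `unsigned long`, a caller that wants to detect an error return has to cast to `long` or use `IS_ERR_VALUE()` itself — presumably that is what the audit exit hook does, but saying so in the comment avoids a sign-comparison surprise. The same hunk is reposted unchanged in the v5 series later in the thread.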
This patchset contains some patches commonly applied for audit and ftrace.
Patch [1/3] defines syscall trace related TIF_* flags in order to add hooks, including ftrace, audit and seccomp, later on. Those features will be implemented in separate patchsets, but it's safe to check for all TIF_* now because they can not be turned on anyway.
Patch [2/3] doesn't change behavior, but by splitting syscall_trace() it makes it easier and more manageable to confirm that we invoke those hooks in the correct order.
Patch [3/3] adds a commonly used function, which returns a return value of system call.
Changes v3 -> v4: * added "arm64: split syscall_trace() into separate functions for enter/ exit", which is just a preparation for adding syscall trace hooks later.
Changes v2 -> v3: * reverted a change in syscall_trace() in v1 [1/2] * added "arm64: Add regs_return_value() in syscall.h" patch which was previously included in audit patch [2/2]
Changes v1 -> v2: * added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*() * renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK
AKASHI Takahiro (3): arm64: make a single hook to syscall_trace() for all syscall features arm64: split syscall_trace() into separate functions for enter/exit arm64: Add regs_return_value() in syscall.h
arch/arm64/include/asm/ptrace.h | 5 ++++ arch/arm64/include/asm/thread_info.h | 13 +++++++++ arch/arm64/kernel/entry.S | 15 +++++------ arch/arm64/kernel/ptrace.c | 48 ++++++++++++++++++++++++++-------- 4 files changed, 62 insertions(+), 19 deletions(-)
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  * TIF_SYSCALL_TRACE - syscall trace active
+ * TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ * TIF_SYSCALL_AUDIT - syscall auditing
+ * TIF_SECOMP - syscall secure computing
  * TIF_SIGPENDING - signal pending
  * TIF_NEED_RESCHED - rescheduling necessary
  * TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED 1
 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
 #define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
+#define TIF_SYSCALL_TRACEPOINT 10
+#define TIF_SECCOMP 11
 #define TIF_POLLING_NRFLAG 16
 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
 #define TIF_FREEZE 19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
 #define _TIF_32BIT (1 << TIF_32BIT)
 #define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 _TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point
 enable_irq
 get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_SYSCALL_WORK
+ b.ne __sys_trace
 adr lr, ret_fast_syscall // return address
 cmp scno, sc_nr // check upper syscall limit
 b.hs ni_sys
On Thu, Mar 13, 2014 at 10:11:29AM +0000, AKASHI Takahiro wrote:
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Will Deacon will.deacon@arm.com
Will
As done in arm, this change makes it easy to confirm that we invoke the syscall-related hooks (including the syscall tracepoint, audit and seccomp hooks, which will be implemented later) in the correct order; that is, that the operations done on entry are undone on exit in the opposite order.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/entry.S | 10 ++++----- arch/arm64/kernel/ptrace.c | 48 ++++++++++++++++++++++++++++++++++---------- 2 files changed, 41 insertions(+), 17 deletions(-)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
  * switches, and waiting for our parent to respond.
  */
 __sys_trace:
- mov x1, sp
- mov w0, #0 // trace entry
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_enter
 adr lr, __sys_trace_return // return address
 uxtw scno, w0 // syscall number (possibly new)
 mov x1, sp // pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 __sys_trace_return:
 str x0, [sp] // save returned x0
- mov x1, sp
- mov w0, #1 // trace exit
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_exit
 b ret_to_user
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..9993a8f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
 return ptrace_request(child, request, addr, data);
 }
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 unsigned long saved_reg;
 if (!test_thread_flag(TIF_SYSCALL_TRACE))
 return regs->syscallno;
+ /*
+ * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+ * used to denote syscall entry/exit:
+ * 0 -> entry
+ */
 if (is_compat_task()) {
- /* AArch32 uses ip (r12) for scratch */
 saved_reg = regs->regs[12];
- regs->regs[12] = dir;
+ regs->regs[12] = 0;
 } else {
- /*
- * Save X7. X7 is used to denote syscall entry/exit:
- * X7 = 0 -> entry, = 1 -> exit
- */
 saved_reg = regs->regs[7];
- regs->regs[7] = dir;
+ regs->regs[7] = 0;
 }
- if (dir)
- tracehook_report_syscall_exit(regs, 0);
- else if (tracehook_report_syscall_entry(regs))
+ if (tracehook_report_syscall_entry(regs))
 regs->syscallno = ~0UL;
 if (is_compat_task())
@@ -1090,3 +1088,31 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
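Review bot: The new comment block in syscall_trace_enter misspells the register's role as "scrach"; `* A scratch register (ip(r12) on AArch32, x7 on AArch64) is` fixes it, and the identical line in the syscall_trace_exit hunk below needs the same change. The function also keeps the `int` return type while `regs->syscallno` is `unsigned long`, so the `~0UL` stored when tracehook_report_syscall_entry() asks to abort reaches `uxtw scno, w0` in entry.S as -1 and presumably only fails the `cmp scno, sc_nr` upper-limit check because the zero-extension leaves it out of range; that dependency deserves a comment on the return, e.g. `/* ~0UL narrows to -1 in w0; uxtw in entry.S makes it an out-of-range scno */`. The tail of syscall_trace_enter (the scratch-register restore and the return) lies in the next hunk.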
 return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+ unsigned long saved_reg;
+
+ if (!test_thread_flag(TIF_SYSCALL_TRACE))
+ return;
+
+ /*
+ * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+ * used to denote syscall entry/exit:
+ * 1 -> exit
+ */
+ if (is_compat_task()) {
+ saved_reg = regs->regs[12];
+ regs->regs[12] = 1;
+ } else {
+ saved_reg = regs->regs[7];
+ regs->regs[7] = 1;
+ }
+
+ tracehook_report_syscall_exit(regs, 0);
+
+ if (is_compat_task())
+ regs->regs[12] = saved_reg;
+ else
+ regs->regs[7] = saved_reg;
+}
On Thu, Mar 13, 2014 at 10:11:30AM +0000, AKASHI Takahiro wrote:
As done in arm, this change makes it easy to confirm that we invoke the syscall-related hooks (including the syscall tracepoint, audit and seccomp hooks, which will be implemented later) in the correct order; that is, that the operations done on entry are undone on exit in the opposite order.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/entry.S | 10 ++++----- arch/arm64/kernel/ptrace.c | 48 ++++++++++++++++++++++++++++++++++---------- 2 files changed, 41 insertions(+), 17 deletions(-)
[...]
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..9993a8f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
 return ptrace_request(child, request, addr, data);
 }
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 unsigned long saved_reg;
 if (!test_thread_flag(TIF_SYSCALL_TRACE))
 return regs->syscallno;
- /*
* A scrach register (ip(r12) on AArch32, x7 on AArch64) is
* used to denote syscall entry/exit:
* 0 -> entry
*/
You could add an enum, like we have on ARM (ptrace_syscall_dir) for the two directions.
if (is_compat_task()) {
saved_reg = regs->regs[12];/* AArch32 uses ip (r12) for scratch */
regs->regs[12] = dir;
} else {regs->regs[12] = 0;
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
saved_reg = regs->regs[7];*/
regs->regs[7] = dir;
regs->regs[7] = 0;
This code could also be refactored so that we calculate the register number once and then avoid the if (is_compat_task()) check all over the place.
Similarly on the exit path.
Will
On 03/14/2014 03:41 AM, Will Deacon wrote:
On Thu, Mar 13, 2014 at 10:11:30AM +0000, AKASHI Takahiro wrote:
As done in arm, this change makes it easy to confirm that we invoke the syscall-related hooks (including the syscall tracepoint, audit and seccomp hooks, which will be implemented later) in the correct order; that is, that the operations done on entry are undone on exit in the opposite order.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/entry.S | 10 ++++----- arch/arm64/kernel/ptrace.c | 48 ++++++++++++++++++++++++++++++++++---------- 2 files changed, 41 insertions(+), 17 deletions(-)
[...]
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..9993a8f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
 return ptrace_request(child, request, addr, data);
 }
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 unsigned long saved_reg;
 if (!test_thread_flag(TIF_SYSCALL_TRACE))
 return regs->syscallno;
- /*
* A scrach register (ip(r12) on AArch32, x7 on AArch64) is
* used to denote syscall entry/exit:
* 0 -> entry
*/
You could add an enum, like we have on ARM (ptrace_syscall_dir) for the two directions.
if (is_compat_task()) {
saved_reg = regs->regs[12];/* AArch32 uses ip (r12) for scratch */
regs->regs[12] = dir;
} else {regs->regs[12] = 0;
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
saved_reg = regs->regs[7];*/
regs->regs[7] = dir;
regs->regs[7] = 0;
This code could also be refactored so that we calculate the register number once and then avoid the if (is_compat_task()) check all over the place.
Similarly on the exit path.
OK, I will implement tracehook_report_syscall() as in arm.
-Takahiro AKASHI
Will
This macro, regs_return_value, is used mainly by audit to record a system call's result, but may also be used in test_kprobes.c.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 ((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
This patchset contains some patches commonly applied for audit and ftrace.
Patch [1/4] defines syscall trace related TIF_* flags in order to add hooks, including ftrace, audit and seccomp, later on. Those features will be implemented in separate patchsets, but it's safe to check for all TIF_* now because they can not be turned on anyway.
Patch [2/4] doesn't change behavior, but by splitting syscall_trace() it makes it easier and more manageable to confirm that we invoke those hooks in the correct order.
Patch [3/4] adds a commonly used function, which returns a return value of system call.
Patch [4/4] removes is_compat_task from asm/compat.h to avoid conflicting definitions.
Changes v4 -> v5: * added the following patch from my seccomp series, since it is also required by audit and ftrace in the !COMPAT case: [4/4] "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h"
Changes v3 -> v4: * added "arm64: split syscall_trace() into separate functions for enter/ exit", which is just a preparation for adding syscall trace hooks later.
Changes v2 -> v3: * reverted a change in syscall_trace() in v1 [1/2] * added "arm64: Add regs_return_value() in syscall.h" patch which was previously included in audit patch [2/2]
Changes v1 -> v2: * added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*() * renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK
AKASHI Takahiro (4): arm64: make a single hook to syscall_trace() for all syscall features arm64: split syscall_trace() into separate functions for enter/exit arm64: Add regs_return_value() in syscall.h arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
arch/arm64/include/asm/compat.h | 5 ---- arch/arm64/include/asm/ptrace.h | 5 ++++ arch/arm64/include/asm/thread_info.h | 13 +++++++++ arch/arm64/kernel/entry.S | 15 +++++------ arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/kernel/ptrace.c | 51 +++++++++++++++++++++--------------- arch/arm64/kernel/signal.c | 2 +- 8 files changed, 58 insertions(+), 36 deletions(-)
Currently syscall_trace() is called only for ptrace. With additional TIF_xx flags defined, it is now called in all the cases of audit, ftrace and seccomp in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Acked-by: Will Deacon will.deacon@arm.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h index 720e70b..0a8b2a9 100644 --- a/arch/arm64/include/asm/thread_info.h +++ b/arch/arm64/include/asm/thread_info.h @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void) /* * thread information flags: * TIF_SYSCALL_TRACE - syscall trace active + * TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace + * TIF_SYSCALL_AUDIT - syscall auditing + * TIF_SECOMP - syscall secure computing * TIF_SIGPENDING - signal pending * TIF_NEED_RESCHED - rescheduling necessary * TIF_NOTIFY_RESUME - callback before returning to user @@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void) #define TIF_NEED_RESCHED 1 #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */ #define TIF_SYSCALL_TRACE 8 +#define TIF_SYSCALL_AUDIT 9 +#define TIF_SYSCALL_TRACEPOINT 10 +#define TIF_SECCOMP 11 #define TIF_POLLING_NRFLAG 16 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */ #define TIF_FREEZE 19 @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void) #define _TIF_SIGPENDING (1 << TIF_SIGPENDING) #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED) #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME) +#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE) +#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT) +#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT) +#define _TIF_SECCOMP (1 << TIF_SECCOMP) #define _TIF_32BIT (1 << TIF_32BIT)
#define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
_TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
#endif /* __KERNEL__ */
#endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point
enable_irq
get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_SYSCALL_WORK
+ b.ne __sys_trace
adr lr, ret_fast_syscall // return address
cmp scno, sc_nr // check upper syscall limit
b.hs ni_sys
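Review bot: `tst x16, #_TIF_SYSCALL_WORK` encodes the mask as an AArch64 logical immediate, which works here only because the four flags occupy the contiguous bit range 8–11; a flag later added to `_TIF_SYSCALL_WORK` at an unrelated bit position would most likely be rejected by the assembler rather than fail at runtime, which is safe but surprising for whoever adds it. A comment next to the mask in thread_info.h, `/* tested as a logical immediate by entry.S: keep the bits contiguous */`, would make that constraint visible where the next flag gets defined. The v6 repost of this patch further down carries the same entry.S change.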
As done on arm, this change makes it easy to confirm that we invoke the syscall-related hooks — including the syscall tracepoint, audit and seccomp hooks, which will be implemented later — in the correct order; that is, operations are undone on exit in the opposite order to that in which they were done on entry.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/entry.S | 10 ++++------ arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++------------------- 2 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
* switches, and waiting for our parent to respond.
*/
__sys_trace:
- mov x1, sp
- mov w0, #0 // trace entry
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_enter
adr lr, __sys_trace_return // return address
uxtw scno, w0 // syscall number (possibly new)
mov x1, sp // pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
__sys_trace_return:
str x0, [sp] // save returned x0
- mov x1, sp
- mov w0, #1 // trace exit
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_exit
b ret_to_user
/*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..f606276 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
return ptrace_request(child, request, addr, data);
}
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+ PTRACE_SYSCALL_ENTER = 0,
+ PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+ enum ptrace_syscall_dir dir)
{
+ int scrach;
unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return regs->syscallno;
-
- if (is_compat_task()) {
- /* AArch32 uses ip (r12) for scratch */
- saved_reg = regs->regs[12];
- regs->regs[12] = dir;
- } else {
- /*
- * Save X7. X7 is used to denote syscall entry/exit:
- * X7 = 0 -> entry, = 1 -> exit
- */
- saved_reg = regs->regs[7];
- regs->regs[7] = dir;
- }
+ /*
+ * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+ * used to denote syscall entry/exit:
+ */
+ scrach = (is_compat_task() ? 12 : 7);
+ saved_reg = regs->regs[scrach];
+ regs->regs[scrach] = dir;
- if (dir)
+ if (dir == PTRACE_SYSCALL_EXIT)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
- regs->regs[12] = saved_reg;
- else
- regs->regs[7] = saved_reg;
+ regs->regs[scrach] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
return regs->syscallno;
}
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
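Review bot: The values of `enum ptrace_syscall_dir` are written into x7 (r12 for an AArch32 task) and are observed by tracers, so they are part of the ptrace ABI, yet the new block comment drops the explicit mapping the old one carried (`X7 = 0 -> entry, = 1 -> exit`) and nothing on the enum says its numbering is fixed. A comment on the enum such as `/* values are exposed to tracers via x7/r12: 0 = entry, 1 = exit (ABI, do not renumber) */` would preserve that knowledge. The static helper is also named `tracehook_report_syscall`, which reads as if it came from linux/tracehook.h; a local name such as `arm64_report_syscall` would avoid the confusion, though that is a matter of taste. The v6 repost of this patch further down has the same enum and the same shortened comment.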
On 14/03/15, AKASHI Takahiro wrote:
As done in arm, this change makes it easy to confirm we invoke syscall related hooks, including syscall tracepoint, audit and seccomp which would be implemented later, in correct order. That is, undoing operations in the opposite order on exit that they were done on entry.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Minor variable mis-spelling of "scratch" noted below, but other than that:
Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/kernel/entry.S | 10 ++++------ arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++------------------- 2 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S index f9f2cae..00d6eb9 100644 --- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -649,9 +649,8 @@ ENDPROC(el0_svc) * switches, and waiting for our parent to respond. */ __sys_trace:
- mov x1, sp
- mov w0, #0 // trace entry
- bl syscall_trace
- mov x0, sp
- bl syscall_trace_enter adr lr, __sys_trace_return // return address uxtw scno, w0 // syscall number (possibly new) mov x1, sp // pointer to regs
@@ -666,9 +665,8 @@ __sys_trace: __sys_trace_return: str x0, [sp] // save returned x0
- mov x1, sp
- mov w0, #1 // trace exit
- bl syscall_trace
- mov x0, sp
- bl syscall_trace_exit b ret_to_user
/* diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6a8928b..f606276 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request, return ptrace_request(child, request, addr, data); } -asmlinkage int syscall_trace(int dir, struct pt_regs *regs) +enum ptrace_syscall_dir {
- PTRACE_SYSCALL_ENTER = 0,
- PTRACE_SYSCALL_EXIT,
+};
+static void tracehook_report_syscall(struct pt_regs *regs,
enum ptrace_syscall_dir dir)
{
- int scrach;
"scratch"
unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
return regs->syscallno;
- if (is_compat_task()) {
/* AArch32 uses ip (r12) for scratch */
saved_reg = regs->regs[12];
regs->regs[12] = dir;
- } else {
/*
* Save X7. X7 is used to denote syscall entry/exit:
* X7 = 0 -> entry, = 1 -> exit
*/
saved_reg = regs->regs[7];
regs->regs[7] = dir;
- }
- /*
* A scrach register (ip(r12) on AArch32, x7 on AArch64) is
* used to denote syscall entry/exit:
*/
- scrach = (is_compat_task() ? 12 : 7);
- saved_reg = regs->regs[scrach];
- regs->regs[scrach] = dir;
- if (dir)
- if (dir == PTRACE_SYSCALL_EXIT) tracehook_report_syscall_exit(regs, 0); else if (tracehook_report_syscall_entry(regs)) regs->syscallno = ~0UL;
- if (is_compat_task())
regs->regs[12] = saved_reg;
- else
regs->regs[7] = saved_reg;
- regs->regs[scrach] = saved_reg;
+}
+asmlinkage int syscall_trace_enter(struct pt_regs *regs) +{
- if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
return regs->syscallno; }
+asmlinkage void syscall_trace_exit(struct pt_regs *regs) +{
- if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
1.8.3.2
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
Hi Akashi,
On Sat, Mar 15, 2014 at 05:39:06AM +0000, AKASHI Takahiro wrote:
As done in arm, this change makes it easy to confirm we invoke syscall related hooks, including syscall tracepoint, audit and seccomp which would be implemented later, in correct order. That is, undoing operations in the opposite order on exit that they were done on entry.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
[...]
+static void tracehook_report_syscall(struct pt_regs *regs,
enum ptrace_syscall_dir dir)
{
- int scrach;
s/scrach/scratch/
Although, I'd rather have a variable with a more meaningful name. How about regno?
With that,
Acked-by: Will Deacon will.deacon@arm.com
Cheers,
Will
On 04/16/2014 10:27 PM, Will Deacon wrote:
Hi Akashi,
On Sat, Mar 15, 2014 at 05:39:06AM +0000, AKASHI Takahiro wrote:
As done in arm, this change makes it easy to confirm we invoke syscall related hooks, including syscall tracepoint, audit and seccomp which would be implemented later, in correct order. That is, undoing operations in the opposite order on exit that they were done on entry.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
[...]
+static void tracehook_report_syscall(struct pt_regs *regs,
{enum ptrace_syscall_dir dir)
- int scrach;
s/scrach/scratch/
I will fix it.
Although, I'd rather have a variable with a more meaningful name. How about regno?
OK, I will use regno in the next revision, which I will submit soon.
With that,
Acked-by: Will Deacon will.deacon@arm.com
Thank you so much, -Takahiro AKASHI
Cheers,
Will
This macro, regs_return_value, is used mainly by audit to record a system call's result, but may also be used in test_kprobes.c.
Acked-by: Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 0e7fa49..5800ec1 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -134,6 +134,11 @@ struct pt_regs { #define user_stack_pointer(regs) \ ((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
/*
* Are the current registers suitable for user mode? (used to maintain
* security in signal handlers)
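Review bot: `regs_return_value()` is added without a comment, and the description calls it a macro although the hunk adds a static inline function; a one-line comment, `/* System call return value: x0 (r0 for a compat task, via the same regs[0] slot) */`, would state what callers such as the audit exit path read from it. The parameter can also be `const struct pt_regs *regs`, since the body only reads `regs->regs[0]`. The identical hunk appears twice more below, in the v6 repost and in the audit series, and would benefit from the same comment.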
Some kernel files may include both linux/compat.h and asm/compat.h directly or indirectly. Since both header files contain is_compat_task() under !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail. Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is implemented).
So this patch proactively 1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h, and 2) replaces asm/compat.h with linux/compat.h in kernel/*.c; asm/compat.h is still necessary in ptrace.c and process.c because they use is_compat_thread().
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/compat.h | 5 ----- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/kernel/ptrace.c | 1 + arch/arm64/kernel/signal.c | 2 +- 5 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index fda2704..3b334f9 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
#else /* !CONFIG_COMPAT */
-static inline int is_compat_task(void)
-{
- return 0;
-}
-
static inline int is_compat_thread(struct thread_info *thread)
{
return 0;
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index f17f581..a45e2db 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
#define pr_fmt(fmt) "hw-breakpoint: " fmt
+#include <linux/compat.h> #include <linux/cpu_pm.h> #include <linux/errno.h> #include <linux/hw_breakpoint.h> @@ -27,7 +28,6 @@ #include <linux/ptrace.h> #include <linux/smp.h>
-#include <asm/compat.h> #include <asm/current.h> #include <asm/debug-monitors.h> #include <asm/hw_breakpoint.h> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 1c0a9be..fc8a387 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -20,6 +20,7 @@
#include <stdarg.h>
+#include <linux/compat.h> #include <linux/export.h> #include <linux/sched.h> #include <linux/kernel.h> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index f606276..c47a3ed 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */
+#include <linux/compat.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 890a591..4a09989 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -17,6 +17,7 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */
+#include <linux/compat.h> #include <linux/errno.h> #include <linux/signal.h> #include <linux/personality.h> @@ -25,7 +26,6 @@ #include <linux/tracehook.h> #include <linux/ratelimit.h>
-#include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/elf.h> #include <asm/cacheflush.h>
On 14/03/15, AKASHI Takahiro wrote:
Some kernel files may include both linux/compat.h and asm/compat.h directly or indirectly. Since both header files contain is_compat_task() under !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail. Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is implemented).
So this patch proactively
- removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
- replaces asm/compat.h to linux/compat.h in kernel/*.c, but asm/compat.h is still necessary in ptrace.c and process.c because they use is_compat_thread().
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Richard Guy Briggs rgb@redhat.com
arch/arm64/include/asm/compat.h | 5 ----- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/kernel/ptrace.c | 1 + arch/arm64/kernel/signal.c | 2 +- 5 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index fda2704..3b334f9 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread) #else /* !CONFIG_COMPAT */ -static inline int is_compat_task(void) -{
- return 0;
-}
static inline int is_compat_thread(struct thread_info *thread) { return 0; diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c index f17f581..a45e2db 100644 --- a/arch/arm64/kernel/hw_breakpoint.c +++ b/arch/arm64/kernel/hw_breakpoint.c @@ -20,6 +20,7 @@ #define pr_fmt(fmt) "hw-breakpoint: " fmt +#include <linux/compat.h> #include <linux/cpu_pm.h> #include <linux/errno.h> #include <linux/hw_breakpoint.h> @@ -27,7 +28,6 @@ #include <linux/ptrace.h> #include <linux/smp.h> -#include <asm/compat.h> #include <asm/current.h> #include <asm/debug-monitors.h> #include <asm/hw_breakpoint.h> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 1c0a9be..fc8a387 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -20,6 +20,7 @@ #include <stdarg.h> +#include <linux/compat.h> #include <linux/export.h> #include <linux/sched.h> #include <linux/kernel.h> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index f606276..c47a3ed 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@
- along with this program. If not, see http://www.gnu.org/licenses/.
*/ +#include <linux/compat.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 890a591..4a09989 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -17,6 +17,7 @@
- along with this program. If not, see http://www.gnu.org/licenses/.
*/ +#include <linux/compat.h> #include <linux/errno.h> #include <linux/signal.h> #include <linux/personality.h> @@ -25,7 +26,6 @@ #include <linux/tracehook.h> #include <linux/ratelimit.h> -#include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/elf.h>
#include <asm/cacheflush.h>
1.8.3.2
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On Sat, Mar 15, 2014 at 05:39:08AM +0000, AKASHI Takahiro wrote:
Some kernel files may include both linux/compat.h and asm/compat.h directly or indirectly. Since both header files contain is_compat_task() under !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail. Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is implemented).
So this patch proactively
- removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
- replaces asm/compat.h to linux/compat.h in kernel/*.c, but asm/compat.h is still necessary in ptrace.c and process.c because they use is_compat_thread().
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Will Deacon will.deacon@arm.com
Will
(This patchset was already acked by the maintainer along with a minor typo fix. See below.)
This patchset contains some patches commonly applied for audit and ftrace.
Patch [1/4] defines the syscall-trace-related TIF_* flags in order to add hooks, including ftrace, audit and seccomp, later on. Those features will be implemented in separate patchsets, but it's safe to check for all the TIF_* flags now because they cannot be turned on anyway.
Patch [2/4] doesn't change behavior, but makes it easy and manageable to confirm that we invoke those hooks in the correct order, by splitting syscall_trace().
Patch [3/4] adds a commonly used function, which returns the return value of a system call.
Patch [4/4] removes is_compat_task from asm/compat.h to avoid conflicting definitions.
Changes v5 -> v6: * renamed a temporary variable's name to more meaningful one [2/4]
Changes v4 -> v5: * added the following patch from my seccomp patch since it is required for audit and ftrace in case of !COMPAT, too. [4/4] "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h"
Changes v3 -> v4: * added "arm64: split syscall_trace() into separate functions for enter/ exit", which is just a preparation for adding syscall trace hooks later.
Changes v2 -> v3: * reverted a change in syscall_trace() in v1 [1/2] * added "arm64: Add regs_return_value() in syscall.h" patch which was previously included in audit patch [2/2]
Changes v1 -> v2: * added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*() * renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK
AKASHI Takahiro (4): arm64: make a single hook to syscall_trace() for all syscall features arm64: split syscall_trace() into separate functions for enter/exit arm64: Add regs_return_value() in syscall.h arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
arch/arm64/include/asm/compat.h | 5 ---- arch/arm64/include/asm/ptrace.h | 5 ++++ arch/arm64/include/asm/thread_info.h | 13 +++++++++ arch/arm64/kernel/entry.S | 15 +++++----- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/kernel/ptrace.c | 51 ++++++++++++++++++++-------------- arch/arm64/kernel/signal.c | 2 +- 8 files changed, 58 insertions(+), 36 deletions(-)
Currently syscall_trace() is called only for ptrace. With the additional TIF_xx flags defined, it is now also called for audit, ftrace and seccomp, in addition to ptrace.
Acked-by: Richard Guy Briggs rgb@redhat.com Acked-by: Will Deacon will.deacon@arm.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/thread_info.h | 13 +++++++++++++ arch/arm64/kernel/entry.S | 5 +++-- 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
/*
* thread information flags:
* TIF_SYSCALL_TRACE - syscall trace active
+ TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ TIF_SYSCALL_AUDIT - syscall auditing
+ TIF_SECOMP - syscall secure computing
* TIF_SIGPENDING - signal pending
* TIF_NEED_RESCHED - rescheduling necessary
* TIF_NOTIFY_RESUME - callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
#define TIF_NEED_RESCHED 1
#define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
#define TIF_SYSCALL_TRACE 8
+#define TIF_SYSCALL_AUDIT 9
+#define TIF_SYSCALL_TRACEPOINT 10
+#define TIF_SECCOMP 11
#define TIF_POLLING_NRFLAG 16
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
#define TIF_FREEZE 19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#define _TIF_32BIT (1 << TIF_32BIT)
#define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
_TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
#endif /* __KERNEL__ */
#endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked: // compat entry point
enable_irq
get_thread_info tsk
- ldr x16, [tsk, #TI_FLAGS] // check for syscall tracing
- tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+ ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
+ tst x16, #_TIF_SYSCALL_WORK
+ b.ne __sys_trace
adr lr, ret_fast_syscall // return address
cmp scno, sc_nr // check upper syscall limit
b.hs ni_sys
As done on arm, this change makes it easy to confirm that we invoke the syscall-related hooks — including the syscall tracepoint, audit and seccomp hooks, which will be implemented later — in the correct order; that is, operations are undone on exit in the opposite order to that in which they were done on entry.
Acked-by: Will Deacon will.deacon@arm.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/entry.S | 10 ++++----- arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++------------------- 2 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
* switches, and waiting for our parent to respond.
*/
__sys_trace:
- mov x1, sp
- mov w0, #0 // trace entry
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_enter
adr lr, __sys_trace_return // return address
uxtw scno, w0 // syscall number (possibly new)
mov x1, sp // pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
__sys_trace_return:
str x0, [sp] // save returned x0
- mov x1, sp
- mov w0, #1 // trace exit
- bl syscall_trace
+ mov x0, sp
+ bl syscall_trace_exit
b ret_to_user
/*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..6d666dc 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
return ptrace_request(child, request, addr, data);
}
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+ PTRACE_SYSCALL_ENTER = 0,
+ PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+ enum ptrace_syscall_dir dir)
{
+ int regno;
unsigned long saved_reg;
- if (!test_thread_flag(TIF_SYSCALL_TRACE))
- return regs->syscallno;
-
- if (is_compat_task()) {
- /* AArch32 uses ip (r12) for scratch */
- saved_reg = regs->regs[12];
- regs->regs[12] = dir;
- } else {
- /*
- * Save X7. X7 is used to denote syscall entry/exit:
- * X7 = 0 -> entry, = 1 -> exit
- */
- saved_reg = regs->regs[7];
- regs->regs[7] = dir;
- }
+ /*
+ * A scratch register (ip(r12) on AArch32, x7 on AArch64) is
+ * used to denote syscall entry/exit:
+ */
+ regno = (is_compat_task() ? 12 : 7);
+ saved_reg = regs->regs[regno];
+ regs->regs[regno] = dir;
- if (dir)
+ if (dir == PTRACE_SYSCALL_EXIT)
tracehook_report_syscall_exit(regs, 0);
else if (tracehook_report_syscall_entry(regs))
regs->syscallno = ~0UL;
- if (is_compat_task())
- regs->regs[12] = saved_reg;
- else
- regs->regs[7] = saved_reg;
+ regs->regs[regno] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
return regs->syscallno;
}
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+ if (test_thread_flag(TIF_SYSCALL_TRACE))
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
This macro, regs_return_value, is used mainly by audit to record a system call's result, but may also be used in test_kprobes.c.
Acked-by: Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index c7ba261..a429b59 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -135,6 +135,11 @@ struct pt_regs { #define user_stack_pointer(regs) \ (!compat_user_mode(regs)) ? ((regs)->sp) : ((regs)->compat_sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
/*
* Are the current registers suitable for user mode? (used to maintain
* security in signal handlers)
Some kernel files may include both linux/compat.h and asm/compat.h directly or indirectly. Since both header files contain is_compat_task() under !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail. Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is implemented).
So this patch proactively 1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h, and 2) replaces asm/compat.h with linux/compat.h in kernel/*.c; asm/compat.h is still necessary in ptrace.c and process.c because they use is_compat_thread().
Acked-by: Will Deacon will.deacon@arm.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/include/asm/compat.h | 5 ----- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/process.c | 1 + arch/arm64/kernel/ptrace.c | 1 + arch/arm64/kernel/signal.c | 2 +- 5 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index e71f81f..253e33b 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
#else /* !CONFIG_COMPAT */
-static inline int is_compat_task(void)
-{
- return 0;
-}
-
static inline int is_compat_thread(struct thread_info *thread)
{
return 0;
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index bee7897..df1cf15 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
#define pr_fmt(fmt) "hw-breakpoint: " fmt
+#include <linux/compat.h> #include <linux/cpu_pm.h> #include <linux/errno.h> #include <linux/hw_breakpoint.h> @@ -27,7 +28,6 @@ #include <linux/ptrace.h> #include <linux/smp.h>
-#include <asm/compat.h> #include <asm/current.h> #include <asm/debug-monitors.h> #include <asm/hw_breakpoint.h> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 6391485..ccc2a3e 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -20,6 +20,7 @@
#include <stdarg.h>
+#include <linux/compat.h> #include <linux/export.h> #include <linux/sched.h> #include <linux/kernel.h> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 6d666dc..4b58e81 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */
+#include <linux/compat.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 890a591..4a09989 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -17,6 +17,7 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */
+#include <linux/compat.h> #include <linux/errno.h> #include <linux/signal.h> #include <linux/personality.h> @@ -25,7 +26,6 @@ #include <linux/tracehook.h> #include <linux/ratelimit.h>
-#include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/elf.h> #include <asm/cacheflush.h>
On Wed, Apr 30, 2014 at 10:51:28AM +0100, AKASHI Takahiro wrote:
AKASHI Takahiro (4): arm64: make a single hook to syscall_trace() for all syscall features arm64: split syscall_trace() into separate functions for enter/exit arm64: Add regs_return_value() in syscall.h arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
Patches picked by Will and applied to the arm64 for-next/core branch (should appear in -next at some point).
Thanks.
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "generic compat system call audit support" patch * "correct a type mismatch in audit_syscall_exit()" patch (already accepted and queued in 3.14) * "Modify a set of system calls in audit class" patch (already accepted and queued in 3.14) * "__NR_* definitions for compat syscalls" patch from Catalin * "make a single hook to syscall_trace() for all syscall features" patch * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features"
AKASHI Takahiro (3): arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 5 files changed, 29 insertions(+)
This macro, regs_return_value, is used mainly by audit to record a system call's result, but may also be used in test_kprobes.c.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by Will Deacon will.deacon@arm.com --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h index 0e7fa49..5800ec1 100644 --- a/arch/arm64/include/asm/ptrace.h +++ b/arch/arm64/include/asm/ptrace.h @@ -134,6 +134,11 @@ struct pt_regs { #define user_stack_pointer(regs) \ ((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->regs[0];
+}
+
/*
* Are the current registers suitable for user mode? (used to maintain
* security in signal handlers)
On AArch64, audit is supported through the generic lib/audit.c and compat_audit.c, and so this patch adds the required arch-specific definitions.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by Will Deacon will.deacon@arm.com --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index dd4327f..a21455e 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -25,6 +25,7 @@ config ARM64 select GENERIC_STRNLEN_USER select GENERIC_TIME_VSYSCALL select HARDIRQS_SW_RESEND + select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_BUGVERBOSE diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h index 70ba9d4..6900183 100644 --- a/arch/arm64/include/asm/syscall.h +++ b/arch/arm64/include/asm/syscall.h @@ -16,7 +16,9 @@ #ifndef __ASM_SYSCALL_H #define __ASM_SYSCALL_H
+#include <linux/audit.h> #include <linux/err.h> +#include <asm/compat.h>
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(®s->regs[i], args, n * sizeof(args[0]));
 }
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT	0x80000000
 #define __AUDIT_ARCH_LE		0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
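Review bot: The header comment on syscall_get_arch() says why the __AUDIT_ARCH_LE bit is ignored but not the consequence: AUDIT_ARCH_ARMEB, which sits two lines below the new AUDIT_ARCH_AARCH64 define in the audit.h hunk, is never returned, so a big-endian AArch32 task is reported to audit userspace as AUDIT_ARCH_ARM. Adding ` * Consequently AUDIT_ARCH_ARMEB is never returned here, even for a big-endian AArch32 task.` to the comment would make that explicit for anyone filtering on the arch field. The cover letters on this page refer to the __AUDIT_ARCH_64BIT bit where the code comment says __AUDIT_ARCH_LE; the comment is the one that agrees with the definitions in the audit.h hunk. The identical hunk is reposted in the v5, v6 and v7 postings further down.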
This patch adds audit hooks on entry to and exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/ptrace.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 64ce39f..8cdba09 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program. If not, see http://www.gnu.org/licenses/.
  */
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
@@ -1076,10 +1078,15 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 	}
 	if (dir) {
+		audit_syscall_exit(regs);
 		tracehook_report_syscall_exit(regs, 0);
 	} else {
 		if (tracehook_report_syscall_entry(regs))
 			regs->syscallno = ~0UL;
+		audit_syscall_entry(syscall_get_arch(current, regs),
+				    (int)regs->syscallno,
+				    regs->orig_x0, regs->regs[1],
+				    regs->regs[2], regs->regs[3]);
 	}
if (is_compat_task())
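Review bot: The placement of the two audit calls is deliberate but uncommented: audit_syscall_entry() runs after tracehook_report_syscall_entry(), so a syscall number the tracer changed (including the ~0UL written when it cancels the call, which `(int)regs->syscallno` turns into -1) is what gets recorded, while audit_syscall_exit() runs before tracehook_report_syscall_exit(), so the recorded result is the one the tracer has not yet had a chance to alter. A short comment at each call site, e.g. `/* audit after ptrace on entry and before it on exit, so the recorded state matches what the tracer saw */`, would keep a later reordering from silently changing the audit log. The same ordering, equally uncommented, is kept in the v5 and v6 reworks of this hunk further down. syscall_trace() begins before this hunk.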
On Fri, Feb 07, 2014 at 10:10:03AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/ptrace.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c index 64ce39f..8cdba09 100644 --- a/arch/arm64/kernel/ptrace.c +++ b/arch/arm64/kernel/ptrace.c @@ -19,6 +19,7 @@
- along with this program. If not, see http://www.gnu.org/licenses/.
*/ +#include <linux/audit.h> #include <linux/kernel.h> #include <linux/sched.h> #include <linux/mm.h> @@ -38,6 +39,7 @@ #include <asm/compat.h> #include <asm/debug-monitors.h> #include <asm/pgtable.h> +#include <asm/syscall.h> #include <asm/traps.h> #include <asm/system_misc.h> @@ -1076,10 +1078,15 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs) } if (dir) {
tracehook_report_syscall_exit(regs, 0); } else { if (tracehook_report_syscall_entry(regs)) regs->syscallno = ~0UL;audit_syscall_exit(regs);
audit_syscall_entry(syscall_get_arch(current, regs),
(int)regs->syscallno,
regs->orig_x0, regs->regs[1],
regs->regs[2], regs->regs[3]);
Again, I don't think we should just lump tracehook and audit together like this without checking the flags (see my reply to the previous patch series).
Will
On 14/02/07, AKASHI Takahiro wrote:
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly:
- "generic compat system call audit support" patch
- "correct a type mismatch in audit_syscall_exit()" patch (already accepted and queued in 3.14)
- "Modify a set of system calls in audit class" patch (already accepted and queued in 3.14)
- "__NR_* definitions for compat syscalls" patch from Catalin
- "make a single hook to syscall_trace() for all syscall features" patch
- userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways:
- basic operations with auditctl/autrace
# auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
- audit-test-code (+ my workarounds for arm/arm64)
by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2:
- Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h.
- Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6]
- Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
Changes v2 -> v3:
- Remove asm/audit.h. See "generic compat syscall audit support" patch v4
- Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
- Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v3 -> v4:
- Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features"
AKASHI Takahiro (3): arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 5 files changed, 29 insertions(+)
Compile and regression tested on: ppc s390 x86_64 ppc64 i686 s390x.
Acked-by: Richard Guy Briggs rgb@redhat.com
-- 1.7.9.5
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch * "generic compat system call audit support" patch * "__NR_* definitions for compat syscalls" patch from Catalin * "make a single hook to syscall_trace() for all syscall features" patch * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features" * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v4 -> v5: * rebased to 3.14-rcX * added a guard against TIF_SYSCALL_AUDIT [3/3] * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
AKASHI Takahiro (3): arm64: Add regs_return_value() in syscall.h arm64: Add audit support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/ptrace.h | 5 +++++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 11 +++++++++++ include/uapi/linux/audit.h | 1 + 5 files changed, 33 insertions(+)
This helper, regs_return_value(), is used mainly by audit to record system call results, but may also be used by test_kprobes.c.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com --- arch/arm64/include/asm/ptrace.h | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
On AArch64, audit is supported through the generic lib/audit.c and compat_audit.c, and so this patch adds the arch-specific definitions required.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(®s->regs[i], args, n * sizeof(args[0]));
 }
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT	0x80000000
 #define __AUDIT_ARCH_LE		0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
This patch adds audit hooks on entry to and exit from every system call invocation.
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org Acked-by: Richard Guy Briggs rgb@redhat.com --- arch/arm64/kernel/ptrace.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index c70133e..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program. If not, see http://www.gnu.org/licenses/.
  */
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
@@ -1062,6 +1064,9 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
 		if (is_compat_task()) {
 			/* AArch32 uses ip (r12) for scratch */
@@ -1087,5 +1092,11 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 			regs->regs[7] = saved_reg;
 	}
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+				    (int)regs->syscallno,
+				    regs->orig_x0, regs->regs[1],
+				    regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch * "generic compat system call audit support" patch * "__NR_* definitions for compat syscalls" patch from Catalin * "make a single hook to syscall_trace() for all syscall features" patch * "arm64: Add regs_return_value() in syscall.h" patch * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features" * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v4 -> v5: * rebased to 3.14-rcX * added a guard against TIF_SYSCALL_AUDIT [3/3] * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v5 -> v6: * removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in ptrace/syscall_trace
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++ arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++---------------- include/uapi/linux/audit.h | 1 + 4 files changed, 49 insertions(+), 22 deletions(-)
On AArch64, audit is supported through the generic lib/audit.c and compat_audit.c, and so this patch adds the arch-specific definitions required.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(®s->regs[i], args, n * sizeof(args[0]));
 }
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT	0x80000000
 #define __AUDIT_ARCH_LE		0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
On 14/02/28, AKASHI Takahiro wrote:
On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds arch specific definitions required.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 27bbcfc..aa47548 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -25,6 +25,7 @@ config ARM64 select GENERIC_STRNLEN_USER select GENERIC_TIME_VSYSCALL select HARDIRQS_SW_RESEND
- select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h index 70ba9d4..6900183 100644 --- a/arch/arm64/include/asm/syscall.h +++ b/arch/arm64/include/asm/syscall.h @@ -16,7 +16,9 @@ #ifndef __ASM_SYSCALL_H #define __ASM_SYSCALL_H +#include <linux/audit.h>
This could be changed to <uapi/linux/audit.h> to pick up the AUDIT_ARCH_* definitions needed and not any of the audit kernel functions.
#include <linux/err.h> +#include <asm/compat.h> static inline int syscall_get_nr(struct task_struct *task, @@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task, memcpy(®s->regs[i], args, n * sizeof(args[0])); } +/*
- We don't care about endianness (__AUDIT_ARCH_LE bit) here because
- AArch64 has the same system calls both on little- and big- endian.
- */
+static inline int syscall_get_arch(struct task_struct *task,
struct pt_regs *regs)
+{
- if (is_compat_thread(task_thread_info(task)))
return AUDIT_ARCH_ARM;
- return AUDIT_ARCH_AARCH64;
+}
#endif /* __ASM_SYSCALL_H */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 624df43..aa86fab 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -333,6 +333,7 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
1.7.9.5
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 03/05/2014 11:50 AM, Richard Guy Briggs wrote:
On 14/02/28, AKASHI Takahiro wrote:
On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds arch specific definitions required.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 27bbcfc..aa47548 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -25,6 +25,7 @@ config ARM64 select GENERIC_STRNLEN_USER select GENERIC_TIME_VSYSCALL select HARDIRQS_SW_RESEND
- select HAVE_ARCH_AUDITSYSCALL select HAVE_ARCH_JUMP_LABEL select HAVE_ARCH_TRACEHOOK select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h index 70ba9d4..6900183 100644 --- a/arch/arm64/include/asm/syscall.h +++ b/arch/arm64/include/asm/syscall.h @@ -16,7 +16,9 @@ #ifndef __ASM_SYSCALL_H #define __ASM_SYSCALL_H
+#include <linux/audit.h>
This could be changed to <uapi/linux/audit.h> to pick up the AUDIT_ARCH_* definitions needed and not any of the audit kernel functions.
I will fix it in the next version.
Thank you, -Takahiro AKASHI
#include <linux/err.h> +#include <asm/compat.h>
static inline int syscall_get_nr(struct task_struct *task, @@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task, memcpy(®s->regs[i], args, n * sizeof(args[0])); }
+/*
- We don't care about endianness (__AUDIT_ARCH_LE bit) here because
- AArch64 has the same system calls both on little- and big- endian.
- */
+static inline int syscall_get_arch(struct task_struct *task,
struct pt_regs *regs)
+{
- if (is_compat_thread(task_thread_info(task)))
return AUDIT_ARCH_ARM;
- return AUDIT_ARCH_AARCH64;
+}
- #endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 624df43..aa86fab 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -333,6 +333,7 @@ enum { /* distinguish syscall tables */ #define __AUDIT_ARCH_64BIT 0x80000000 #define __AUDIT_ARCH_LE 0x40000000 +#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
1.7.9.5
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
This patch adds audit hooks on entry to and exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 22 deletions(-)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program. If not, see http://www.gnu.org/licenses/.
  */
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
@@ -1062,31 +1064,39 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
+	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+		if (is_compat_task()) {
+			/* AArch32 uses ip (r12) for scratch */
+			saved_reg = regs->regs[12];
+			regs->regs[12] = dir;
+		} else {
+			/*
+			 * Save X7. X7 is used to denote syscall entry/exit:
+			 * X7 = 0 -> entry, = 1 -> exit
+			 */
+			saved_reg = regs->regs[7];
+			regs->regs[7] = dir;
+		}
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 * X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+		if (dir)
+			tracehook_report_syscall_exit(regs, 0);
+		else if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+		if (is_compat_task())
+			regs->regs[12] = saved_reg;
+		else
+			regs->regs[7] = saved_reg;
+	}
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+				    (int)regs->syscallno,
+				    regs->orig_x0, regs->regs[1],
+				    regs->regs[2], regs->regs[3]);
 	return regs->syscallno;
 }
On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 22 deletions(-)
I think you need to do something like I did for arch/arm/, where we have separate trace functions for entry/exit to make sure that we invoke the various helpers in the correct order (for example, you want to invoke all the debug stuff *first* on entry, but *last* on exit).
Will
On 14/02/28, Will Deacon wrote:
On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 22 deletions(-)
I think you need to do something like I did for arch/arm/, where we have separate trace functions for entry/exit to make sure that we invoke the various helpers in the correct order (for example, you want to invoke all the debug stuff *first* on entry, but *last* on exit).
I'd have to agree. I've just had my head deep in audit_syscall_entry() and syscall_get_arch to clean them up. Since current is only ever fed to syscall_get_arch() and regs is never used by syscall_get_arch(), I'm looking at dropping both from the syscall_get_arch() args list, but leave syscall_get_arch() as you have it for now.
Will
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
On 03/01/2014 01:15 AM, Will Deacon wrote:
On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 22 deletions(-)
I think you need to do something like I did for arch/arm/, where we have separate trace functions for entry/exit to make sure that we invoke the various helpers in the correct order (for example, you want to invoke all the debug stuff *first* on entry, but *last* on exit).
Will
If you mean syscall_trace_enter()/exit(), I will follow your suggestion for readability.
-Takahiro AKASHI
On 14/03/06, AKASHI Takahiro wrote:
On 03/01/2014 01:15 AM, Will Deacon wrote:
On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
arch/arm64/kernel/ptrace.c | 54 ++++++++++++++++++++++++++------------------ 1 file changed, 32 insertions(+), 22 deletions(-)
I think you need to do something like I did for arch/arm/, where we have separate trace functions for entry/exit to make sure that we invoke the various helpers in the correct order (for example, you want to invoke all the debug stuff *first* on entry, but *last* on exit).
Will
If you mean syscall_trace_enter()/exit(), I will follow your suggestion for readability.
It isn't so much a question of readability, but rather correctness, undoing operations in the opposite order on exit that they were done on entry.
-Takahiro AKASHI
- RGB
-- Richard Guy Briggs rbriggs@redhat.com Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
(Please apply this patchset after my ftrace patch to avoid a conflict in arm64/kernel/ptrace.c; functionally it does not depend on ftrace.)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch * "audit: generic compat system call audit support" patch * "arm64: __NR_* definitions for compat syscalls" patch from Catalin * "arm64: make a single hook to syscall_trace() for all syscall features" patch * "arm64: split syscall_trace() into separate functions for enter/exit" patch * "arm64: Add regs_return_value() in syscall.h" patch * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v6 -> v7: * changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2] * aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6: * removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5: * rebased to 3.14-rcX * added a guard against TIF_SYSCALL_AUDIT [3/3] * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features" * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 24 insertions(+)
On AArch64, audit is supported through the generic lib/audit.c and compat_audit.c, and so this patch adds the arch-specific definitions required.
Acked-by Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b1dcdb4..7ca6799 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..ce3882f 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
extern const void *sys_call_table[];
@@ -105,4 +107,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(®s->regs[i], args, n * sizeof(args[0]));
}
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
+{
+ if (is_compat_thread(task_thread_info(task)))
+ return AUDIT_ARCH_ARM;
+
+ return AUDIT_ARCH_AARCH64;
+}
+
#endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
/* distinguish syscall tables */
#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
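Review bot: The comment on syscall_get_arch explains the dropped endianness bit for AArch64 only, yet the compat branch does the same thing: every compat thread is reported as AUDIT_ARCH_ARM, which in the audit.h hunk right below carries __AUDIT_ARCH_LE, so a big-endian AArch32 task is never tagged AUDIT_ARCH_ARMEB and audit rules that select the armeb arch will not match it. If that is intended the comment should say so, e.g. `* Compat (AArch32) tasks are likewise always reported as AUDIT_ARCH_ARM, never AUDIT_ARCH_ARMEB.` The cover letter calls this the __AUDIT_ARCH_64BIT bit; the comment's __AUDIT_ARCH_LE is the right name, since AUDIT_ARCH_ARM and AUDIT_ARCH_ARMEB differ only in that bit. The `regs` parameter is unused here, and the same hunk recurs in the resend below and, with a `(void)` signature using is_compat_task(), in the v9 posting.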
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/ptrace.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 9c52b3e..d10c637 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
* along with this program. If not, see http://www.gnu.org/licenses/.
*/
+#include <linux/audit.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/mm.h>
@@ -38,6 +39,7 @@
#include <asm/compat.h>
#include <asm/debug-monitors.h>
#include <asm/pgtable.h>
+#include <asm/syscall.h>
#include <asm/traps.h>
#include <asm/system_misc.h>
@@ -1091,6 +1093,9 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_enter(regs, regs->syscallno);
+ audit_syscall_entry(syscall_get_arch(current, regs), regs->syscallno,
+ regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
return regs->syscallno;
}
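Review bot: audit_syscall_entry() is called unconditionally after the tracepoint block, while the v5 changelog in this thread mentions a guard against TIF_SYSCALL_AUDIT that is no longer visible here; a one-line comment would spare the next reader the archaeology, e.g. `/* cheap when the task has no audit context; no TIF_SYSCALL_AUDIT guard needed */`, if that is indeed why it was dropped. What gets audited is the syscall number and arguments as they sit in regs at this point, so if a ptrace entry stop earlier in syscall_trace_enter (outside this hunk) rewrote them, the rewritten values are what is logged, which matches the other architectures. The body of syscall_trace_enter starts before this hunk. The same lines recur in the resend and v9 postings below.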
@@ -1098,6 +1103,8 @@ asmlinkage void syscall_trace_exit(struct pt_regs *regs)
{
unsigned long saved_reg;
+ audit_syscall_exit(regs);
+
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_exit(regs, regs_return_value(regs));
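Review bot: audit_syscall_exit(regs) sits at the top of syscall_trace_exit, ahead of the tracepoint and, judging by the `saved_reg` local, ahead of the ptrace exit stop later in the function (outside this hunk); that ordering records the return value the kernel actually produced before a tracer can replace it, which is what audit wants but is easy to break in a later reshuffle, so it deserves a comment such as `/* audit before the ptrace stop so the logged return value is the real one */`. The return value presumably reaches audit through regs_return_value(), the accessor the tracepoint line below also uses, which makes the "Add regs_return_value() in syscall.h" prerequisite a hard dependency of this hunk. The same placement recurs in the resend and v9 postings below.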
On Thu, Mar 13, 2014 at 10:16:07AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
Acked-by: Will Deacon will.deacon@arm.com
Will
(Please apply this patch after my ftrace patch to resolve some conflict on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch * "audit: generic compat system call audit support" patch * "arm64: __NR_* definitions for compat syscalls" patch from Catalin * "arm64: make a single hook to syscall_trace() for all syscall features" patch * "arm64: split syscall_trace() into separate functions for enter/exit" patch * "arm64: Add regs_return_value() in syscall.h" patch * "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h" patch * userspace audit tool (v2.3.2 + my patch for arm64)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v7 -> v8: * aligned with the change in "audit: generic compat system call audit support" v5 [1/2] * aligned with the change in "arm64: split syscall_trace() into separate functions for enter/exit" v5 [2/2]
Changes v6 -> v7: * changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2] * aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6: * removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5: * rebased to 3.14-rcX * added a guard against TIF_SYSCALL_AUDIT [3/3] * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features" * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was intentionally left out of v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 25 insertions(+)
On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds the arch-specific definitions required.
Acked-by: Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 18 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b1dcdb4..7c1f8c7 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -9,6 +9,7 @@ config ARM64
select ARM_AMBA
select ARM_ARCH_TIMER
select ARM_GIC
+ select AUDIT_ARCH_COMPAT_GENERIC
select BUILDTIME_EXTABLE_SORT
select CLONE_BACKWARDS
select COMMON_CLK
@@ -25,6 +26,7 @@ config ARM64
select GENERIC_STRNLEN_USER
select GENERIC_TIME_VSYSCALL
select HARDIRQS_SW_RESEND
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_ARCH_JUMP_LABEL
select HAVE_ARCH_TRACEHOOK
select HAVE_C_RECORDMCOUNT
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..ce3882f 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
#ifndef __ASM_SYSCALL_H
#define __ASM_SYSCALL_H
+#include <uapi/linux/audit.h>
#include <linux/err.h>
+#include <asm/compat.h>
extern const void *sys_call_table[];
@@ -105,4 +107,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(®s->regs[i], args, n * sizeof(args[0]));
}
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+ struct pt_regs *regs)
+{
+ if (is_compat_thread(task_thread_info(task)))
+ return AUDIT_ARCH_ARM;
+
+ return AUDIT_ARCH_AARCH64;
+}
+
#endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
/* distinguish syscall tables */
#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/ptrace.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 3ee76ed..f9e1339 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
* along with this program. If not, see http://www.gnu.org/licenses/.
*/
+#include <linux/audit.h>
#include <linux/compat.h>
#include <linux/kernel.h>
#include <linux/sched.h>
@@ -39,6 +40,7 @@
#include <asm/compat.h>
#include <asm/debug-monitors.h>
#include <asm/pgtable.h>
+#include <asm/syscall.h>
#include <asm/traps.h>
#include <asm/system_misc.h>
@@ -1097,11 +1099,16 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_enter(regs, regs->syscallno);
+ audit_syscall_entry(syscall_get_arch(current, regs), regs->syscallno,
+ regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
return regs->syscallno;
}
asmlinkage void syscall_trace_exit(struct pt_regs *regs)
{
+ audit_syscall_exit(regs);
+
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_exit(regs, regs_return_value(regs));
On Sat, Mar 15, 2014 at 05:49:08AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
I think I already acked this patch.
Will
On 04/16/2014 08:30 PM, Will Deacon wrote:
On Sat, Mar 15, 2014 at 05:49:08AM +0000, AKASHI Takahiro wrote:
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org
I think I already acked this patch.
Oh, yeah? Thanks. -Takahiro AKASHI
Will
On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
(Please apply this patch after my ftrace patch to resolve some conflict on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly:
- "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
- "audit: generic compat system call audit support" patch
- "arm64: __NR_* definitions for compat syscalls" patch from Catalin
- "arm64: make a single hook to syscall_trace() for all syscall features" patch
- "arm64: split syscall_trace() into separate functions for enter/exit" patch
- "arm64: Add regs_return_value() in syscall.h" patch
- "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h" patch
- userspace audit tool (v2.3.2 + my patch for arm64)
and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c without the patch from [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint; My question: do you need all 7 patches from arm64: Add ftrace support as well for this audit patch to work, or just this 7/7 patch ?
Please review them as well for better understandings.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways:
basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v7 -> v8:
- aligned with the change in "audit: generic compat system call audit support" v5 [1/2]
- aligned with the change in "arm64: split syscall_trace() into separate functions for enter/exit" v5 [2/2]
Changes v6 -> v7:
- changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2]
- aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6:
- removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5:
- rebased to 3.14-rcX
- added a guard against TIF_SYSCALL_AUDIT [3/3]
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4:
- Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features"
- aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3:
- Remove asm/audit.h. See "generic compat syscall audit support" patch v4
- Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
- Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2:
- Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h.
- Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6]
- Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 25 insertions(+)
Hi Don,
Sorry for not responding to you soon:
On 04/12/2014 06:37 AM, Don Dutile wrote:
On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
(Please apply this patch after my ftrace patch to resolve some conflict on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly:
- "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
- "audit: generic compat system call audit support" patch
- "arm64: __NR_* definitions for compat syscalls" patch from Catalin
- "arm64: make a single hook to syscall_trace() for all syscall features" patch
- "arm64: split syscall_trace() into separate functions for enter/exit" patch
- "arm64: Add regs_return_value() in syscall.h" patch
- "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h" patch
- userspace audit tool (v2.3.2 + my patch for arm64)
and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c without the patch from [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint; My question: do you need all 7 patches from arm64: Add ftrace support as well for this audit patch to work, or just this 7/7 patch ?
Functionally, my audit patch should work without ftrace patchset, but as described in ftrace's [0/7] and audit's [0/2], audit's [2/2] assumes that ftrace patchset, especially [7/7], has been applied in order to avoid any conflict when making changes on the same line of ptrace.c.
Thanks, -Takahiro AKASHI
Please review them as well for better understandings.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways:
basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v7 -> v8:
- aligned with the change in "audit: generic compat system call audit support" v5 [1/2]
- aligned with the change in "arm64: split syscall_trace() into separate functions for enter/exit" v5 [2/2]
Changes v6 -> v7:
- changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2]
- aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6:
- removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5:
- rebased to 3.14-rcX
- added a guard against TIF_SYSCALL_AUDIT [3/3]
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4:
- Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features"
- aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3:
- Remove asm/audit.h. See "generic compat syscall audit support" patch v4
- Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
- Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2:
- Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h.
- Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6]
- Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 25 insertions(+)
On 04/28/2014 05:51 AM, AKASHI Takahiro wrote:
Hi Don,
Sorry for not responding to you soon:
been there, done that! .. no problem..
On 04/12/2014 06:37 AM, Don Dutile wrote:
On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
(Please apply this patch after my ftrace patch to resolve some conflict on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly:
- "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
- "audit: generic compat system call audit support" patch
- "arm64: __NR_* definitions for compat syscalls" patch from Catalin
- "arm64: make a single hook to syscall_trace() for all syscall features" patch
- "arm64: split syscall_trace() into separate functions for enter/exit" patch
- "arm64: Add regs_return_value() in syscall.h" patch
- "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h" patch
- userspace audit tool (v2.3.2 + my patch for arm64)
and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c without the patch from [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint; My question: do you need all 7 patches from arm64: Add ftrace support as well for this audit patch to work, or just this 7/7 patch ?
Functionally, my audit patch should work without ftrace patchset, but as described in ftrace's [0/7] and audit's [0/2], audit's [2/2] assumes that ftrace patchset, especially [7/7], has been applied in order to avoid any conflict when making changes on the same line of ptrace.c.
Thanks, -Takahiro AKASHI
just a nit for others to see/know if they were having the same fun of backporting these patches to work on an existing kernel w/o ftrace patch set.
Please review them as well for better understandings.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways:
basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v7 -> v8:
- aligned with the change in "audit: generic compat system call audit support" v5 [1/2]
- aligned with the change in "arm64: split syscall_trace() into separate functions for enter/exit" v5 [2/2]
Changes v6 -> v7:
- changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2]
- aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6:
- removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5:
- rebased to 3.14-rcX
- added a guard against TIF_SYSCALL_AUDIT [3/3]
- aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4:
- Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features"
- aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3:
- Remove asm/audit.h. See "generic compat syscall audit support" patch v4
- Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
- Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2:
- Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h.
- Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6]
- Include "Add regs_return_value() in syscall.h" patch [2/6], which was not intentionally included in v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 15 +++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 25 insertions(+)
(This patchset was already acked by the maintainer, but now re-submitted since it needs to be modified due to rebase to 3.15. See below)
(Please apply this patch after my ftrace patch to resolve some conflict on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
This patchset adds system call audit support on arm64. Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64) are supported. Since arm64 has the exact same set of system calls on LE and BE, we don't care about endianness (or more specifically __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
There are some prerequisites for this patch to work correctly: * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch * "audit: generic compat system call audit support" patch * "arm64: __NR_* definitions for compat syscalls" patch from Catalin * "arm64: make a single hook to syscall_trace() for all syscall features" patch * "arm64: split syscall_trace() into separate functions for enter/exit" patch * "arm64: Add regs_return_value() in syscall.h" patch * "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h" patch * userspace audit tool (v2.3.6)
Please review them as well for a better understanding.
This code was tested on both 32-bit and 64-bit LE userland in the following two ways: 1) basic operations with auditctl/autrace # auditctl -a exit,always -S openat -F path=/etc/inittab # auditctl -a exit,always -F dir=/tmp -F perm=rw # auditctl -a task,always # autrace /bin/ls by comparing output from autrace with one from strace
2) audit-test-code (+ my workarounds for arm/arm64) by running "audit-tool", "filter" and "syscalls" test categories.
Changes v8 -> v9: * rebased on 3.15-rc, especially due to the change of syscall_get_arch() interface [1,2/2]
Changes v7 -> v8: * aligned with the change in "audit: generic compat system call audit support" v5 [1/2] * aligned with the change in "arm64: split syscall_trace() into separate functions for enter/exit" v5 [2/2]
Changes v6 -> v7: * changed an include file in syscall.h from <linux/audit.h> to <uapi/linux/audit.h> [1/2] * aligned with the patch, "arm64: split syscall_trace() into separate functions for enter/exit" [2/2]
Changes v5 -> v6: * removed and put "arm64: Add regs_return_value() in syscall.h" patch into a separate set * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v3 [1/2]
Changes v4 -> v5: * rebased to 3.14-rcX * added a guard against TIF_SYSCALL_AUDIT [3/3] * aligned with the change in "arm64: make a single hook to syscall_trace() for all syscall features" v2 [3/3]
Changes v3 -> v4: * Modified to sync with the patch, "make a single hook to syscall_trace() for all syscall features" * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
Changes v2 -> v3: * Remove asm/audit.h. See "generic compat syscall audit support" patch v4 * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB. * Remove kernel/syscalls/Makefile which was used to create unistd32.h. See Catalin's "Add __NR_* definitions for compat syscalls" patch
Changes v1 -> v2: * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6] Please note that a required header, unistd_32.h, is automatically generated from unistd32.h. * Refer to regs->orig_x0 instead of regs->x0 as the first argument of system call in audit_syscall_entry() [6/6] * Include "Add regs_return_value() in syscall.h" patch [2/6], which was intentionally left out of v1 because it could be added by "kprobes support".
AKASHI Takahiro (2): arm64: Add audit support arm64: audit: Add audit hook in syscall_trace_enter/exit()
arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 14 ++++++++++++++ arch/arm64/kernel/ptrace.c | 7 +++++++ include/uapi/linux/audit.h | 1 + 4 files changed, 24 insertions(+)
On AArch64, audit is supported through generic lib/audit.c and compat_audit.c, and so this patch adds the arch-specific definitions required.
Acked-by: Will Deacon will.deacon@arm.com Acked-by: Richard Guy Briggs rgb@redhat.com Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/Kconfig | 2 ++ arch/arm64/include/asm/syscall.h | 14 ++++++++++++++ include/uapi/linux/audit.h | 1 + 3 files changed, 17 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 0e9b8ce..0d3a003 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -9,6 +9,7 @@ config ARM64
select ARM_AMBA
select ARM_ARCH_TIMER
select ARM_GIC
+ select AUDIT_ARCH_COMPAT_GENERIC
select BUILDTIME_EXTABLE_SORT
select CLONE_BACKWARDS
select COMMON_CLK
@@ -27,6 +28,7 @@ config ARM64
select GENERIC_STRNLEN_USER
select GENERIC_TIME_VSYSCALL
select HARDIRQS_SW_RESEND
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_ARCH_JUMP_LABEL
select HAVE_ARCH_KGDB
select HAVE_ARCH_TRACEHOOK
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..709a574 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,6 +16,8 @@
#ifndef __ASM_SYSCALL_H
#define __ASM_SYSCALL_H
+#include <uapi/linux/audit.h>
+#include <linux/compat.h>
#include <linux/err.h>
extern const void *sys_call_table[];
@@ -105,4 +107,16 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(®s->regs[i], args, n * sizeof(args[0]));
}
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(void)
+{
+ if (is_compat_task())
+ return AUDIT_ARCH_ARM;
+
+ return AUDIT_ARCH_AARCH64;
+}
+
#endif /* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 11917f7..e7df2e3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -334,6 +334,7 @@ enum {
/* distinguish syscall tables */
#define __AUDIT_ARCH_64BIT 0x80000000
#define __AUDIT_ARCH_LE 0x40000000
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB (EM_ARM)
This patch adds auditing functions on entry to or exit from every system call invocation.
Acked-by: Richard Guy Briggs rgb@redhat.com Acked-by: Will Deacon will.deacon@arm.com
Signed-off-by: AKASHI Takahiro takahiro.akashi@linaro.org --- arch/arm64/kernel/ptrace.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 0bf1955..0568dc9 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
* along with this program. If not, see http://www.gnu.org/licenses/.
*/
+#include <linux/audit.h>
#include <linux/compat.h>
#include <linux/kernel.h>
#include <linux/sched.h>
@@ -39,6 +40,7 @@
#include <asm/compat.h>
#include <asm/debug-monitors.h>
#include <asm/pgtable.h>
+#include <asm/syscall.h>
#include <asm/traps.h>
#include <asm/system_misc.h>
@@ -1097,11 +1099,16 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_enter(regs, regs->syscallno);
+ audit_syscall_entry(syscall_get_arch(), regs->syscallno,
+ regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
return regs->syscallno;
}
asmlinkage void syscall_trace_exit(struct pt_regs *regs)
{
+ audit_syscall_exit(regs);
+
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_exit(regs, regs_return_value(regs));