audit syscall information.

David Woodhouse dwmw2 at infradead.org
Fri Apr 22 14:56:43 UTC 2005


For some system calls, the arguments are passed as structures or strings
in userspace memory, and only the _pointer_ is passed in the registers
as an argument to the syscall. 

In this case, the current audit code will log the _pointer_ which is
given, but will not show the _contents_ of the memory to which that
pointer refers.

The IPC calls are one specific instance of a case where I have already
inserted a hook to log the contents of the userspace structure instead
of just the pointer. 

Two weeks ago on our conference call, I asked if there were any other
syscalls where I should add similar hooks to log the data which are
actually acted upon, rather than merely the pointer. This morning I'll
ask again -- are there any more system calls where we need to log
anything more than the arguments to the syscall?

On the call two weeks ago I pointed out the potential race condition; if
we log the target of the pointer at syscall entry time, another
userspace thread may change the contents of memory at that address by
the time the syscall actually executes and calls copy_from_user(). This
is why we have to add hooks such as the ones in the IPC code, instead of
just doing extra logging in audit_syscall_entry() for certain syscalls.

Just to make sure, I want to repeat the question which nobody deigned to
answer at the time: are there any more system calls for which we should
be adding hooks to log extra information, because the information
currently recorded is not sufficient for CAPP?

-- 
dwmw2
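The race described in the message, as an added userspace simulation that is not part of the original post and is not the kernel's audit code. All names are hypothetical stand-ins: `copy_in` plays copy_from_user(), `racer_flip` plays the second userspace thread, and the two `syscall_*` functions model logging at entry versus logging from a hook placed after the copy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins, all hypothetical: not kernel code. */
struct user_arg  { int mode; };          /* structure living in "userspace" memory */
struct audit_rec { int logged_mode; };   /* what the audit log claims was used */
typedef void (*racer_fn)(struct user_arg *);

/* Plays the second userspace thread that rewrites the memory mid-call. */
static void racer_flip(struct user_arg *u) { u->mode = 0777; }

/* Plays copy_from_user(): the one fetch the syscall actually acts on. */
static void copy_in(struct user_arg *k, const struct user_arg *u)
{
    memcpy(k, u, sizeof *k);
}

/* Variant A: dereference and log at syscall entry, then fetch again later. */
static int syscall_log_at_entry(struct user_arg *uptr, racer_fn racer,
                                struct audit_rec *rec)
{
    struct user_arg kbuf;
    rec->logged_mode = uptr->mode;  /* fetch 1: audit reads user memory */
    if (racer) racer(uptr);         /* window between entry and the copy */
    copy_in(&kbuf, uptr);           /* fetch 2: the syscall's own copy */
    return kbuf.mode;               /* value the call acts upon */
}

/* Variant B: hook placed after the copy logs the kernel's private buffer. */
static int syscall_log_after_copy(struct user_arg *uptr, racer_fn racer,
                                  struct audit_rec *rec)
{
    struct user_arg kbuf;
    if (racer) racer(uptr);
    copy_in(&kbuf, uptr);           /* single fetch */
    rec->logged_mode = kbuf.mode;   /* log exactly what was copied */
    return kbuf.mode;
}

int main(void)
{
    struct user_arg a = { 0600 }, b = { 0600 };
    struct audit_rec ra, rb;
    unsigned acted_a = (unsigned)syscall_log_at_entry(&a, racer_flip, &ra);
    unsigned acted_b = (unsigned)syscall_log_after_copy(&b, racer_flip, &rb);
    printf("entry log: logged %o, acted on %o\n", (unsigned)ra.logged_mode, acted_a);
    printf("post-copy: logged %o, acted on %o\n", (unsigned)rb.logged_mode, acted_b);
    return 0;
}
```

With the racer active, variant A records 0600 while the call acts on 0777; variant B's record always matches the value acted upon.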



