audit syscall information

David Woodhouse dwmw2 at infradead.org
Fri Apr 29 18:52:13 UTC 2005


On Fri, 2005-04-29 at 19:41 +0100, David Woodhouse wrote:
> Here's what I see when I compile a simple test program for both ppc32
> and ppc64 and execute both. The arguments appear correct in both cases,
> and you see the 'auxitem' which accompanies the IPC_SET (a2==101) call.

Ah, you're on x86_64, aren't you? The syscall calling convention is
different between i386 and x86_64 calls -- the arguments are actually in
different registers. Try this...

I've abandoned the previous kernel build, which wasn't going to complete
any time soon anyway because there seems to be no S390 in the build farm
today. I'm building with this (and with S390 excluded).

--- linux-2.6.9/arch/x86_64/kernel/ptrace.c~	2005-04-29 18:28:47.000000000 +0100
+++ linux-2.6.9/arch/x86_64/kernel/ptrace.c	2005-04-29 19:45:41.525874624 +0100
@@ -517,19 +517,26 @@ static void syscall_trace(struct pt_regs
 	}
 }
 
-#define audit_arch()  \
-	(test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
-
 asmlinkage void syscall_trace_enter(struct pt_regs *regs)
 {
 	if (test_thread_flag(TIF_SYSCALL_TRACE)
 	    && (current->ptrace & PT_PTRACED))
 		syscall_trace(regs);
 
-	if (unlikely(current->audit_context))
-		audit_syscall_entry(current, audit_arch(), regs->orig_rax,
-				    regs->rdi, regs->rsi,
-				    regs->rdx, regs->r10);
+	if (unlikely(current->audit_context)) {
+		if (test_thread_flag(TIF_IA32)) {
+			audit_syscall_entry(current, AUDIT_ARCH_I386,
+					    regs->orig_rax,
+					    regs->rbx, regs->rcx,
+					    regs->rdx, regs->rsi);
+			
+		} else {
+			audit_syscall_entry(current, AUDIT_ARCH_X86_64,
+					    regs->orig_rax,
+					    regs->rdi, regs->rsi,
+					    regs->rdx, regs->r10);
+		}
+	}
 
 }
 
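Review bot: the whitespace-only `+` line (a line of tabs) between the IA32 `audit_syscall_entry()` call and `} else {` should be dropped; it is trailing whitespace that adds nothing to the block. It would also help to put a one-line comment above each branch naming the ABI's argument registers, since the two calls differ only in which `regs->` fields are passed (`regs->rbx, regs->rcx, regs->rdx, regs->rsi` for `AUDIT_ARCH_I386` versus `regs->rdi, regs->rsi, regs->rdx, regs->r10` for `AUDIT_ARCH_X86_64`); with the `audit_arch()` macro gone, a reader otherwise has to know both calling conventions to see why the register picks are right.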


-- 
dwmw2
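The patch above only decides which registers the audit record's `a0`..`a3` and `arch` fields are sampled from; the consumer of those records then has to interpret them per ABI. As an added example (not code from this thread or from the kernel), the script below parses constructed SYSCALL records, decodes the `arch` word using the kernel's `AUDIT_ARCH_*` bit layout (64-bit flag, little-endian flag, ELF machine number), names the syscall from a deliberately partial per-arch table, and flags any argument on a 32-bit ABI record that does not fit in 32 bits, which is the symptom of the mis-recording the patch fixes: a compat syscall whose arguments were read from the 64-bit registers. The log lines and syscall tables are assumptions constructed for the example, not taken from the message.

```python
"""Decode the arch field of Linux audit SYSCALL records and sanity-check the
recorded arguments against the ABI it names.

Added example: the AUDIT_ARCH_* constants follow <linux/audit.h>; the sample
log lines and the small syscall-name tables are constructed for this demo."""
import re

# Bits of the audit arch word: high bit = 64-bit ABI, next bit = little-endian,
# low 16 bits = ELF machine number.
AUDIT_ARCH_64BIT = 0x80000000
AUDIT_ARCH_LE = 0x40000000
AUDIT_ARCH_I386 = 0x40000003    # EM_386 (3)    | LE
AUDIT_ARCH_X86_64 = 0xC000003E  # EM_X86_64 (62)| 64BIT | LE

# Partial tables (constructed subset): the same number means different
# syscalls on the two ABIs, so the arch word is needed to name a record.
SYSCALL_NAMES = {
    AUDIT_ARCH_I386: {3: "read", 4: "write", 5: "open", 6: "close",
                      11: "execve", 117: "ipc"},
    AUDIT_ARCH_X86_64: {0: "read", 1: "write", 2: "open", 3: "close",
                        31: "shmctl", 59: "execve"},
}

# Constructed sample: one 64-bit open(), one 32-bit ipc(SHMCTL, IPC_64|IPC_SET),
# and one 32-bit open() whose a0 cannot be a 32-bit value (mis-sampled args),
# plus a PATH record that the parser must skip.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1114800000.123:42): arch=c000003e syscall=2 success=yes exit=3 a0=7fffffffe4a0 a1=0 a2=1b6 a3=0 items=1 pid=4242 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1114800001.456:43): arch=40000003 syscall=117 success=yes exit=0 a0=18 a1=3 a2=101 a3=ffd8b4c0 items=0 pid=4243 comm="ipctest"
type=SYSCALL msg=audit(1114800002.789:44): arch=40000003 syscall=5 success=yes exit=4 a0=7fffffffe510 a1=0 a2=0 a3=0 items=1 pid=4244 comm="cat32"
type=PATH msg=audit(1114800000.123:42): item=0 name="/etc/hosts"
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_syscall_record(line):
    """Return the arch, syscall number and a0..a3 of one SYSCALL record, or
    None for any other record type. arch and a0..a3 are hex in the log,
    syscall is decimal."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("type") != "SYSCALL":
        return None
    return {
        "arch": int(fields["arch"], 16),
        "syscall": int(fields["syscall"]),
        "args": [int(fields[f"a{i}"], 16) for i in range(4)],
    }


def describe_arch(arch):
    """Split an audit arch word into (word size in bits, endianness, ELF machine)."""
    bits = 64 if arch & AUDIT_ARCH_64BIT else 32
    endian = "LE" if arch & AUDIT_ARCH_LE else "BE"
    return bits, endian, arch & 0xFFFF


def check_record(rec):
    """Name the syscall for its ABI and return findings about its arguments."""
    bits, _, _ = describe_arch(rec["arch"])
    name = SYSCALL_NAMES.get(rec["arch"], {}).get(rec["syscall"], "unknown")
    findings = []
    for i, value in enumerate(rec["args"]):
        # A 32-bit ABI cannot pass an argument wider than 32 bits; such a value
        # means the audit hook read the arguments from the wrong registers.
        if bits == 32 and value > 0xFFFFFFFF:
            findings.append(f"a{i}={value:x} does not fit the 32-bit ABI")
    return name, findings


def analyse(log_text):
    """Return (abi bits, syscall name, findings) for every SYSCALL record."""
    results = []
    for line in log_text.splitlines():
        rec = parse_syscall_record(line)
        if rec is None:
            continue
        bits, _, _ = describe_arch(rec["arch"])
        name, findings = check_record(rec)
        results.append((bits, name, findings))
    return results


if __name__ == "__main__":
    for bits, name, findings in analyse(SAMPLE_LOG):
        print(f"{bits}-bit {name}: {findings or 'ok'}")
```

Run as-is it reports the first two records as consistent and flags `a0` of the third. The second record is the case from the quoted message: a 32-bit `ipc` call whose `a2` of `0x101` is `IPC_64|IPC_SET`. Because the arch word is what audit rules filter on, a rule set written only for the 64-bit ABI would never match records two and three at all, which is a separate thing to check when auditing a host that runs 32-bit binaries.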