[PATCH] Kernel: Audit Support For The ARM Platform

Nathaniel Husted nhusted at gmail.com
Tue Aug 2 22:03:44 UTC 2011


From: Nathaniel Husted <nhusted at gmail.com>

This patch provides functionality to audit system call events on the
ARM platform. The implementation was based off the structure of the
MIPS platform and information in this
(http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
mailing list thread. The required audit_syscall_exit and
audit_syscall_entry checks were added to ptrace using the standard
registers for system call values (r0 through r3). A thread information
flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
set, the syscall_trace function will be executed. The prober changes
were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.

Due to platform availability limitations, this patch was only tested
on the Android platform running the modified "android-goldfish-2.6.29"
kernel. A test compile was performed using Code Sourcery's
cross-compilation toolset and the current linux-3.0 stable kernel. The
changes compile without error.

Signed-off-by: Nathaniel Husted <nhusted at gmail.com>
---
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/include/asm/thread_info.h
linux-3.0-modified/arch/arm/include/asm/thread_info.h
--- linux-3.0-vanilla/arch/arm/include/asm/thread_info.h	2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/include/asm/thread_info.h	2011-08-02
14:04:29.005599252 -0700
@@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thr
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCAL_AUDIT	- syscall auditing active
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
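Review bot: The new flag description misspells the flag as `TIF_SYSCAL_AUDIT`, while the macro added two hunks later is `TIF_SYSCALL_AUDIT`, so a grep for the real name will miss this comment. The line should read ` *  TIF_SYSCALL_AUDIT	- syscall auditing active`.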
@@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thr
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_USING_IWMMXT	17
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
@@ -150,12 +152,17 @@ extern void vfp_flush_hwstate(struct thr
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
 #define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+
 #define _TIF_POLLING_NRFLAG	(1 << TIF_POLLING_NRFLAG)
 #define _TIF_USING_IWMMXT	(1 << TIF_USING_IWMMXT)
 #define _TIF_FREEZE		(1 << TIF_FREEZE)
 #define _TIF_RESTORE_SIGMASK	(1 << TIF_RESTORE_SIGMASK)
 #define _TIF_SECCOMP		(1 << TIF_SECCOMP)

+/* Checks for any syscall work in entry-common.S */
+#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+
 /*
  * Change these and you break ASM code in entry-common.S
  */
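Review bot: `_TIF_SYSCALL_WORK` is used as the immediate operand of `tst` in entry-common.S, so its value must stay encodable as an ARM rotated 8-bit immediate (the current `(1 << 8) | (1 << 9)` is); the comment should say so rather than only pointing at the file, e.g. `/* Syscall work tested with tst #imm in entry-common.S: keep the mask an encodable ARM immediate */`, and it arguably belongs under the "Change these and you break ASM code in entry-common.S" comment just below, which exists for exactly this reason. The blank line inserted right after `_TIF_SYSCALL_AUDIT` splits the `_TIF_*` definition list for no reason and should be dropped.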
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/kernel/entry-common.S
linux-3.0-modified/arch/arm/kernel/entry-common.S
--- linux-3.0-vanilla/arch/arm/kernel/entry-common.S	2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/kernel/entry-common.S	2011-08-02
14:01:28.747720225 -0700
@@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
 	get_thread_info tsk
 	ldr	r1, [tsk, #TI_FLAGS]		@ check for syscall tracing
 	mov	why, #1
-	tst	r1, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
+	tst	r1, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
 	beq	ret_slow_syscall
 	mov	r1, sp
 	mov	r0, #1				@ trace exit [IP = 1]
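Review bot: The comment on the changed `tst` line still says `@ are we tracing syscalls?` although the mask now also covers TIF_SYSCALL_AUDIT, so a reader of the assembly no longer learns why an audited-but-untraced task takes the slow path; `@ any syscall trace/audit work?` would match, and the same stale comment is on the changed line of the vector_swi hunk below, as well as the `@ check for syscall tracing` on the `ldr` just above. ENTRY(ret_from_fork)'s body continues outside this hunk.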
@@ -443,7 +443,7 @@ ENTRY(vector_swi)
 1:
 #endif

-	tst	r10, #_TIF_SYSCALL_TRACE		@ are we tracing syscalls?
+	tst	r10, #_TIF_SYSCALL_WORK		@ are we tracing syscalls?
 	bne	__sys_trace

 	cmp	scno, #NR_syscalls		@ check upper syscall limit
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/arch/arm/kernel/ptrace.c
linux-3.0-modified/arch/arm/kernel/ptrace.c
--- linux-3.0-vanilla/arch/arm/kernel/ptrace.c	2011-07-21
19:17:23.000000000 -0700
+++ linux-3.0-modified/arch/arm/kernel/ptrace.c	2011-08-02
14:44:09.949722828 -0700
@@ -926,11 +926,6 @@ asmlinkage int syscall_trace(int why, st
 {
 	unsigned long ip;

-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return scno;
-	if (!(current->ptrace & PT_PTRACED))
-		return scno;
-
 	/*
 	 * Save IP.  IP is used to denote syscall entry/exit:
 	 *  IP = 0 -> entry, = 1 -> exit
@@ -938,6 +933,25 @@ asmlinkage int syscall_trace(int why, st
 	ip = regs->ARM_ip;
 	regs->ARM_ip = why;

+    /* perform a secure computing check first */
+	if (regs->ARM_ip)
+		secure_computing(scno);
+
+	if (unlikely(current->audit_context)) {
+		if (!ip)
+			audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
+						regs->ARM_r0);
+		else
+			audit_syscall_entry(AUDIT_ARCH_ARMEB, scno,
+						regs->ARM_r0, regs->ARM_r1,
+						regs->ARM_r2, regs->ARM_r3);
+	}
+
+	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+		return scno;
+	if (!(current->ptrace & PT_PTRACED))
+		return scno;
+
 	current_thread_info()->syscall = scno;

 	/* the 0x80 provides a way for the tracing parent to distinguish
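Review bot: The audit entry/exit selection `if (!ip)` keys on the user's saved r12 (the value read from `regs->ARM_ip` before it is overwritten) rather than on `why`, so whether a syscall is recorded as an entry or an exit depends on a register the calling process controls; by the comment kept at "IP = 0 -> entry, = 1 -> exit" and `regs->ARM_ip = why`, it should be `if (why) audit_syscall_exit(...) else audit_syscall_entry(...)`. The seccomp check has the mirror-image problem: `if (regs->ARM_ip)` is true when `why` is 1, so `secure_computing()` runs on syscall exit, after the syscall has already executed, instead of on entry. Because the previous hunk moved the two early returns below `regs->ARM_ip = why`, an untraced task (the common case once auditing is on) now skips the `regs->ARM_ip = ip` restore that presumably follows later in the function, outside this hunk, and returns to user space with ip clobbered to 0 or 1; the save/overwrite should move below the early returns. `AUDIT_ARCH_ARMEB` is the big-endian constant and mislabels the little-endian kernels this was tested on; `AUDIT_ARCH_ARM` is correct unless the build is CONFIG_CPU_BIG_ENDIAN. The added `/* perform a secure computing check first */` line is also space-indented where the file uses tabs.
```c
	/* … unchanged: prologue (unsigned long ip;) … */

	/* Seccomp first, and on entry only: why == 0 is entry, 1 is exit. */
	if (!why)
		secure_computing(scno);

	if (unlikely(current->audit_context)) {
		if (why)
			audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
					   regs->ARM_r0);
		else
			/* AUDIT_ARCH_ARMEB only for CONFIG_CPU_BIG_ENDIAN builds */
			audit_syscall_entry(AUDIT_ARCH_ARM, scno,
					    regs->ARM_r0, regs->ARM_r1,
					    regs->ARM_r2, regs->ARM_r3);
	}

	if (!test_thread_flag(TIF_SYSCALL_TRACE))
		return scno;
	if (!(current->ptrace & PT_PTRACED))
		return scno;

	/*
	 * Save IP only once we know the task is traced, so the early
	 * returns above leave the user's ARM_ip untouched.
	 *  IP = 0 -> entry, = 1 -> exit
	 */
	ip = regs->ARM_ip;
	regs->ARM_ip = why;

	current_thread_info()->syscall = scno;
	/* … unchanged: ptrace_notify, ARM_ip restore, return … */
```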
diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
linux-3.0-vanilla/init/Kconfig linux-3.0-modified/init/Kconfig
--- linux-3.0-vanilla/init/Kconfig	2011-07-21 19:17:23.000000000 -0700
+++ linux-3.0-modified/init/Kconfig	2011-08-02 14:02:06.359364526 -0700
@@ -355,7 +355,7 @@ config AUDIT

 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH)
+	depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
SUPERH || ARM)
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
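Review bot: The new `depends on` line is broken across two lines (`... SPARC64 ||` / `SUPERH || ARM)`) with no continuation, which Kconfig does not accept; whether the mailer or the patch did the wrapping, as posted it will not apply cleanly. It should be the single line `depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || ARM)`.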



