[PATCH] Kernel: Audit Support For The ARM Platform (Re-post requested)

Eric Paris eparis at redhat.com
Wed Oct 26 17:07:51 UTC 2011 

On Wed, 2011-10-26 at 11:42 -0400, Nathaniel Husted wrote:
> This patch provides functionality to audit system call events on the
> ARM platform. The implementation was based off the structure of the
> MIPS platform and information in this
> (http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
> mailing list thread. The required audit_syscall_exit and
> audit_syscall_entry checks were added to ptrace using the standard
> registers for system call values (r0 through r3). A thread information
> flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
> added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
> entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
> set, the syscall_trace function will be executed. The prober changes
> were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
> 
> Due to platform availability limitations, this patch was only tested
> on the Android platform running the modified "android-goldfish-2.6.29"
> kernel. A test compile was performed using Code Sourcery's
> cross-compilation toolset and the current linux-3.0 stable kernel. The
> changes compile without error. I'm hoping, due to the simple modifications,
> the patch is "obviously correct".
> 
> Signed-off-by: Nathaniel Husted <nhusted at gmail.com>
> ---
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/include/asm/thread_info.h
> linux-3.0-modified/arch/arm/include/asm/thread_info.h
> --- linux-3.0-vanilla/arch/arm/include/asm/thread_info.h        2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/include/asm/thread_info.h       2011-08-02
> 14:04:29.005599252 -0700
> @@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thr
>  /*
>  * thread information flags:
>  *  TIF_SYSCALL_TRACE  - syscall trace active
> + *  TIF_SYSCAL_AUDIT   - syscall auditing active
>  *  TIF_SIGPENDING     - signal pending
>  *  TIF_NEED_RESCHED   - rescheduling necessary
>  *  TIF_NOTIFY_RESUME  - callback before returning to user
> @@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thr
>  #define TIF_NEED_RESCHED       1
>  #define TIF_NOTIFY_RESUME      2       /* callback before returning to user */
>  #define TIF_SYSCALL_TRACE      8
> +#define TIF_SYSCALL_AUDIT      9
>  #define TIF_POLLING_NRFLAG     16
>  #define TIF_USING_IWMMXT       17
>  #define TIF_MEMDIE             18      /* is terminating due to OOM killer */
> @@ -150,12 +152,17 @@ extern void vfp_flush_hwstate(struct thr
>  #define _TIF_NEED_RESCHED      (1 << TIF_NEED_RESCHED)
>  #define _TIF_NOTIFY_RESUME     (1 << TIF_NOTIFY_RESUME)
>  #define _TIF_SYSCALL_TRACE     (1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT     (1 << TIF_SYSCALL_AUDIT)
> +
>  #define _TIF_POLLING_NRFLAG    (1 << TIF_POLLING_NRFLAG)
>  #define _TIF_USING_IWMMXT      (1 << TIF_USING_IWMMXT)
>  #define _TIF_FREEZE            (1 << TIF_FREEZE)
>  #define _TIF_RESTORE_SIGMASK   (1 << TIF_RESTORE_SIGMASK)
>  #define _TIF_SECCOMP           (1 << TIF_SECCOMP)
> 
> +/* Checks for any syscall work in entry-common.S */
> +#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
> +
>  /*
>  * Change these and you break ASM code in entry-common.S
>  */
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/entry-common.S
> linux-3.0-modified/arch/arm/kernel/entry-common.S
> --- linux-3.0-vanilla/arch/arm/kernel/entry-common.S    2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/entry-common.S   2011-08-02
> 14:01:28.747720225 -0700
> @@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
>        get_thread_info tsk
>        ldr     r1, [tsk, #TI_FLAGS]            @ check for syscall tracing
>        mov     why, #1
> -       tst     r1, #_TIF_SYSCALL_TRACE         @ are we tracing syscalls?
> +       tst     r1, #_TIF_SYSCALL_WORK          @ are we tracing syscalls?
>        beq     ret_slow_syscall
>        mov     r1, sp
>        mov     r0, #1                          @ trace exit [IP = 1]
> @@ -443,7 +443,7 @@ ENTRY(vector_swi)
>  1:
>  #endif
> 
> -       tst     r10, #_TIF_SYSCALL_TRACE                @ are we
> tracing syscalls?
> +       tst     r10, #_TIF_SYSCALL_WORK         @ are we tracing syscalls?
>        bne     __sys_trace
> 
>        cmp     scno, #NR_syscalls              @ check upper syscall limit
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/ptrace.c
> linux-3.0-modified/arch/arm/kernel/ptrace.c
> --- linux-3.0-vanilla/arch/arm/kernel/ptrace.c  2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/ptrace.c 2011-08-02
> 14:44:09.949722828 -0700
> @@ -926,11 +926,6 @@ asmlinkage int syscall_trace(int why, st
>  {
>        unsigned long ip;
> 
> -       if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -               return scno;
> -       if (!(current->ptrace & PT_PTRACED))
> -               return scno;
> -
>        /*
>         * Save IP.  IP is used to denote syscall entry/exit:
>         *  IP = 0 -> entry, = 1 -> exit
> @@ -938,6 +933,25 @@ asmlinkage int syscall_trace(int why, st
>        ip = regs->ARM_ip;
>        regs->ARM_ip = why;
> 
> +    /* perform a secure computing check first */
> +       if (regs->ARM_ip)
> +               secure_computing(scno);

What is this part?

> +
> +       if (unlikely(current->audit_context)) {
> +               if (!ip)
> +                       audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
> +                                               regs->ARM_r0);
> +               else
> +                       audit_syscall_entry(AUDIT_ARCH_ARMEB, scno,
> +                                               regs->ARM_r0, regs->ARM_r1,
> +                                               regs->ARM_r2, regs->ARM_r3);
> +       }
> +
> +       if (!test_thread_flag(TIF_SYSCALL_TRACE))
> +               return scno;
> +       if (!(current->ptrace & PT_PTRACED))
> +               return scno;
> +
>        current_thread_info()->syscall = scno;
> 
>        /* the 0x80 provides a way for the tracing parent to distinguish
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/init/Kconfig linux-3.0-modified/init/Kconfig
> --- linux-3.0-vanilla/init/Kconfig      2011-07-21 19:17:23.000000000 -0700
> +++ linux-3.0-modified/init/Kconfig     2011-08-02 14:02:06.359364526 -0700
> @@ -355,7 +355,7 @@ config AUDIT
> 
>  config AUDITSYSCALL
>        bool "Enable system-call auditing support"
> -       depends on AUDIT && (X86 || PPC || S390 || IA64 || UML ||
> SPARC64 || SUPERH)
> +       depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
> SUPERH || ARM)
>        default y if SECURITY_SELINUX
>        help
>          Enable low-overhead system-call auditing infrastructure that

More information about the Linux-audit mailing list