[PATCH] Kernel: Audit Support For The ARM Platform (Re-post requested)
Eric Paris
eparis at redhat.com
Wed Oct 26 17:07:51 UTC 2011
On Wed, 2011-10-26 at 11:42 -0400, Nathaniel Husted wrote:
> This patch provides functionality to audit system call events on the
> ARM platform. The implementation was based off the structure of the
> MIPS platform and information in this
> (http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
> mailing list thread. The required audit_syscall_exit and
> audit_syscall_entry checks were added to ptrace using the standard
> registers for system call values (r0 through r3). A thread information
> flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
> added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
> entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
> set, the syscall_trace function will be executed. The proper changes
> were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
>
> Due to platform availability limitations, this patch was only tested
> on the Android platform running the modified "android-goldfish-2.6.29"
> kernel. A test compile was performed using Code Sourcery's
> cross-compilation toolset and the current linux-3.0 stable kernel. The
> changes compile without error. I'm hoping, due to the simple modifications,
> the patch is "obviously correct".
>
> Signed-off-by: Nathaniel Husted <nhusted at gmail.com>
> ---
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/include/asm/thread_info.h
> linux-3.0-modified/arch/arm/include/asm/thread_info.h
> --- linux-3.0-vanilla/arch/arm/include/asm/thread_info.h 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/include/asm/thread_info.h 2011-08-02
> 14:04:29.005599252 -0700
> @@ -129,6 +129,7 @@ extern void vfp_flush_hwstate(struct thr
> /*
> * thread information flags:
> * TIF_SYSCALL_TRACE - syscall trace active
> + * TIF_SYSCAL_AUDIT - syscall auditing active
> * TIF_SIGPENDING - signal pending
> * TIF_NEED_RESCHED - rescheduling necessary
> * TIF_NOTIFY_RESUME - callback before returning to user
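Review bot: the comment line added here spells the flag `TIF_SYSCAL_AUDIT` (one L), while the macro defined in the next hunk is `TIF_SYSCALL_AUDIT`; fix the comment so that a grep for the flag name finds both its definition and its description.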
> @@ -139,6 +140,7 @@ extern void vfp_flush_hwstate(struct thr
> #define TIF_NEED_RESCHED 1
> #define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
> #define TIF_SYSCALL_TRACE 8
> +#define TIF_SYSCALL_AUDIT 9
> #define TIF_POLLING_NRFLAG 16
> #define TIF_USING_IWMMXT 17
> #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
> @@ -150,12 +152,17 @@ extern void vfp_flush_hwstate(struct thr
> #define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
> #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
> #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
> +
> #define _TIF_POLLING_NRFLAG (1 << TIF_POLLING_NRFLAG)
> #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
> #define _TIF_FREEZE (1 << TIF_FREEZE)
> #define _TIF_RESTORE_SIGMASK (1 << TIF_RESTORE_SIGMASK)
> #define _TIF_SECCOMP (1 << TIF_SECCOMP)
>
> +/* Checks for any syscall work in entry-common.S */
> +#define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
> +
> /*
> * Change these and you break ASM code in entry-common.S
> */
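Review bot: `_TIF_SYSCALL_WORK` is used as an immediate operand of `tst` in entry-common.S (`tst r1, #_TIF_SYSCALL_WORK`), so its value has to stay encodable as an ARM immediate (an 8-bit value rotated by an even amount). With TIF_SYSCALL_TRACE = 8 and TIF_SYSCALL_AUDIT = 9 the mask is 0x300, which encodes, but the new comment should say that the two bits must stay adjacent for that to remain true, since this is exactly the class of constant the "Change these and you break ASM code in entry-common.S" comment warns about. Also drop the stray blank line inserted after `_TIF_SYSCALL_AUDIT`; it splits the `_TIF_*` block for no reason.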
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/entry-common.S
> linux-3.0-modified/arch/arm/kernel/entry-common.S
> --- linux-3.0-vanilla/arch/arm/kernel/entry-common.S 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/entry-common.S 2011-08-02
> 14:01:28.747720225 -0700
> @@ -87,7 +87,7 @@ ENTRY(ret_from_fork)
> get_thread_info tsk
> ldr r1, [tsk, #TI_FLAGS] @ check for syscall tracing
> mov why, #1
> - tst r1, #_TIF_SYSCALL_TRACE @ are we tracing syscalls?
> + tst r1, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
> beq ret_slow_syscall
> mov r1, sp
> mov r0, #1 @ trace exit [IP = 1]
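Review bot: the trailing comment `@ are we tracing syscalls?` is now inaccurate, since `_TIF_SYSCALL_WORK` also covers `_TIF_SYSCALL_AUDIT`; update it (for example `@ any syscall trace/audit work?`) so the assembly comment matches what the mask actually tests.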
> @@ -443,7 +443,7 @@ ENTRY(vector_swi)
> 1:
> #endif
>
> - tst r10, #_TIF_SYSCALL_TRACE @ are we
> tracing syscalls?
> + tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
> bne __sys_trace
>
> cmp scno, #NR_syscalls @ check upper syscall limit
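Review bot: the removed `tst r10, #_TIF_SYSCALL_TRACE` line has been wrapped across two lines by the mailer (the `@ are we` / `tracing syscalls?` split), so this hunk will not apply with `patch` or `git am` as posted; re-send with a mail client that does not wrap long lines, or as an attachment. The same stale `@ are we tracing syscalls?` comment as in the `ret_from_fork` hunk applies to the `+` line here.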
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/arch/arm/kernel/ptrace.c
> linux-3.0-modified/arch/arm/kernel/ptrace.c
> --- linux-3.0-vanilla/arch/arm/kernel/ptrace.c 2011-07-21
> 19:17:23.000000000 -0700
> +++ linux-3.0-modified/arch/arm/kernel/ptrace.c 2011-08-02
> 14:44:09.949722828 -0700
> @@ -926,11 +926,6 @@ asmlinkage int syscall_trace(int why, st
> {
> unsigned long ip;
>
> - if (!test_thread_flag(TIF_SYSCALL_TRACE))
> - return scno;
> - if (!(current->ptrace & PT_PTRACED))
> - return scno;
> -
> /*
> * Save IP. IP is used to denote syscall entry/exit:
> * IP = 0 -> entry, = 1 -> exit
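Review bot: removing these two early returns changes behaviour for tasks that are audited but not ptraced. In the original, the returns happened before `ip = regs->ARM_ip; regs->ARM_ip = why;`, so `regs->ARM_ip` was only overwritten for tasks that continue into the ptrace path. With the checks moved below the overwrite (next hunk), the early `return scno;` paths now leave `why` stored in `regs->ARM_ip` and nothing on those paths writes the saved `ip` back, i.e. user-space r12 is clobbered with 0 or 1 on every audited-but-untraced syscall. Either restore `regs->ARM_ip = ip;` on those paths or do the audit work before the save/overwrite.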
> @@ -938,6 +933,25 @@ asmlinkage int syscall_trace(int why, st
> ip = regs->ARM_ip;
> regs->ARM_ip = why;
>
> + /* perform a secure computing check first */
> + if (regs->ARM_ip)
> + secure_computing(scno);
What is this part?
> +
> + if (unlikely(current->audit_context)) {
> + if (!ip)
> + audit_syscall_exit(AUDITSC_RESULT(regs->ARM_r0),
> + regs->ARM_r0);
> + else
> + audit_syscall_entry(AUDIT_ARCH_ARMEB, scno,
> + regs->ARM_r0, regs->ARM_r1,
> + regs->ARM_r2, regs->ARM_r3);
> + }
> +
> + if (!test_thread_flag(TIF_SYSCALL_TRACE))
> + return scno;
> + if (!(current->ptrace & PT_PTRACED))
> + return scno;
> +
> current_thread_info()->syscall = scno;
>
> /* the 0x80 provides a way for the tracing parent to distinguish
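Review bot: the entry/exit tests use the wrong variable. Per the comment just above (`IP = 0 -> entry, = 1 -> exit`) the direction is `why`, which has just been stored into `regs->ARM_ip`; `ip` holds the task's saved user-space r12, not the direction. So `if (!ip) audit_syscall_exit(...) else audit_syscall_entry(...)` picks entry versus exit based on whatever the user left in r12, and `if (regs->ARM_ip) secure_computing(scno);` runs the seccomp check on syscall exit rather than entry. Suggested: `if (!why) secure_computing(scno);` and `if (why) audit_syscall_exit(...); else audit_syscall_entry(...);`. Two smaller points: `AUDIT_ARCH_ARMEB` is the big-endian constant and is hard-coded here, so little-endian builds (including the Android target this was tested on) would record the wrong arch in audit events; select `AUDIT_ARCH_ARM` unless the kernel is built big-endian. And the `secure_computing()` call is not mentioned in the commit message, while `_TIF_SYSCALL_WORK` does not include `_TIF_SECCOMP`, so it would only ever run for tasks already being traced or audited; either drop it from this patch or describe it and add the flag to the mask.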
> diff -uprN -X linux-3.0-vanilla/Documentation/dontdiff
> linux-3.0-vanilla/init/Kconfig linux-3.0-modified/init/Kconfig
> --- linux-3.0-vanilla/init/Kconfig 2011-07-21 19:17:23.000000000 -0700
> +++ linux-3.0-modified/init/Kconfig 2011-08-02 14:02:06.359364526 -0700
> @@ -355,7 +355,7 @@ config AUDIT
>
> config AUDITSYSCALL
> bool "Enable system-call auditing support"
> - depends on AUDIT && (X86 || PPC || S390 || IA64 || UML ||
> SPARC64 || SUPERH)
> + depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
> SUPERH || ARM)
> default y if SECURITY_SELINUX
> help
> Enable low-overhead system-call auditing infrastructure that
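Review bot: both the `-` and `+` versions of the `depends on` line have been wrapped by the mailer after `||`, so as posted this hunk will not apply; re-send unwrapped. Note also the unchanged context line `default y if SECURITY_SELINUX`: adding ARM here turns syscall auditing on by default for every SELinux-enabled ARM kernel, so the ptrace.c issues above affect those builds as soon as this lands, and the commit message's compile-only test on linux-3.0 should be backed by a run with AUDITSYSCALL enabled.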