ABIs, syscall tables, and the AUDIT_ARCH_* defines

Eric Paris eparis at redhat.com
Tue Oct 29 21:29:41 UTC 2013


On Tue, 2013-10-29 at 17:28 -0400, Paul Moore wrote:

> Take x86_64 and x32 as an example (think of x32 as a 32-bit version of 
> x86_64).  Both x32 and x86_64 use the AUDIT_ARCH_X86_64 value and general 
> calling convention, but they have a different syscall table.

I guess a good question is "is that right" ?

#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)

Would we not be better off with a:

#define AUDIT_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)   ?

Do x86_64 and x32 share the same syscall entry code?  Is that where the
AUDIT_ARCH_X86_64 comes from?  Is this similar for ARM?  Right now, the
only thing we have is:

#define AUDIT_ARCH_ARM          (EM_ARM|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB        (EM_ARM)

Is this enough?  Should we add more?  I'm way way way more ARM idiotic
than I am about x86_64.  I know the ARM people at least told us that ARM
wasn't going to work right with what we have today...  So they added to
the audit Kconfig:

depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 ||
SUPERH || (ARM && AEABI && !OABI_COMPAT))

Is fixing this with differentiated AUDIT_ARCH flags even possible?  Am I
just talking out of my bum?
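
Added example, not part of the original message and not kernel code: it decodes the AUDIT_ARCH_* values quoted above and shows why a consumer of (arch, syscall number) pairs, such as an audit log parser or a seccomp filter, has to look at the syscall number to tell x32 from x86_64 when both report AUDIT_ARCH_X86_64. The names decode_arch, syscall_table and PROPOSED_AUDIT_ARCH_X32 are hypothetical; __X32_SYSCALL_BIT is the kernel's x32 marker bit, which the message does not mention, and the sample syscall numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values as in <linux/elf-em.h>, <linux/audit.h> and x86 <asm/unistd.h>,
 * copied inline so this builds without kernel headers. */
#define EM_ARM             40
#define EM_X86_64          62
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
#define AUDIT_ARCH_X86_64  (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM     (EM_ARM | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB   (EM_ARM)
#define __X32_SYSCALL_BIT  0x40000000u  /* set in the syscall number by x32 callers */
/* Value proposed in the message above; hypothetical, not a kernel define. */
#define PROPOSED_AUDIT_ARCH_X32 (EM_X86_64 | __AUDIT_ARCH_LE)

struct arch_fields { unsigned machine; int is_64bit; int is_le; };

/* Split an AUDIT_ARCH_* value into ELF machine number and the two flag bits. */
static struct arch_fields decode_arch(uint32_t arch)
{
    struct arch_fields f;
    f.machine  = arch & ~(__AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE);
    f.is_64bit = (arch & __AUDIT_ARCH_64BIT) != 0;
    f.is_le    = (arch & __AUDIT_ARCH_LE) != 0;
    return f;
}

/* Pick the syscall table an (arch, nr) pair refers to. With today's defines
 * the arch value alone cannot separate x86_64 from x32, so nr must be checked. */
static const char *syscall_table(uint32_t arch, uint32_t nr)
{
    if (arch == AUDIT_ARCH_X86_64)
        return (nr & __X32_SYSCALL_BIT) ? "x32" : "x86_64";
    if (arch == AUDIT_ARCH_ARM || arch == AUDIT_ARCH_ARMEB)
        return "arm";  /* the arch value does not say EABI vs OABI */
    return "unknown";
}

int main(void)
{
    /* Constructed samples: open is 2 in the x86_64 table, 2|bit from x32. */
    uint32_t nrs[] = { 2, 2 | __X32_SYSCALL_BIT };
    for (int i = 0; i < 2; i++)
        printf("nr=%08x -> %s\n", (unsigned)nrs[i], syscall_table(AUDIT_ARCH_X86_64, nrs[i]));
    struct arch_fields p = decode_arch(PROPOSED_AUDIT_ARCH_X32);
    printf("proposed x32: machine=%u 64bit=%d le=%d\n", p.machine, p.is_64bit, p.is_le);
    return 0;
}
```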




