[RESEND PATCH 1/2] MIPS syscall auditing patches

Steve Grubb sgrubb at redhat.com
Thu Apr 3 13:12:01 UTC 2014


On Thursday, April 03, 2014 11:32:57 AM Ralf Baechle wrote:
> > >  - To make matters worse, most MIPS processors can be configured to be
> > >    big or little endian.  Traditionally the 64-bit little endian
> > >    configuration is named mips64el, so I've changed references to MIPSEL64
> > >    in audit.h to MIPS64EL.
> > > 
> > >  - The code treats the little endian MIPS architecture as separate from
> > >    big endian.  Combined with the 3 ABIs that's 6 combinations.  I tried
> > >    to sort of follow the example set by ARM which explicitly lists the
> > >    (rare) big endian architecture variant - but it doesn't seem to be very
> > >    useful so I wonder if this could be squashed to just the three ABIs
> > >    without consideration of endianness?
> >
> > In ARM's case, endian-ness doesn't affect the ABI, from what I
> > understand.
> 
> There's probably the odd bitfield or similar where it might matter?  I
> did dig a bit in the history of the auditing code and found no code that
> uses __AUDIT_ARCH_LE other than setting that flag.
> 
> David - you introduced __AUDIT_ARCH_LE in kernel commit 2fd6f58ba6e
> "[AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls."
> on April 29 2005.  Do you still recall the purpose of this flag?

I am certain it's to signify the syscall is Little Endian.


> > >  - Talking about flags; I've defined the N32 architecture flags as
> > >     #define AUDIT_ARCH_MIPS64_N32  (EM_MIPS|__AUDIT_ARCH_ALT)
> > >     #define AUDIT_ARCH_MIPS64EL_N32 (EM_MIPS|__AUDIT_ARCH_ALT|__AUDIT_ARCH_LE)
> > >     N32 is a 32-bit ABI but one that only runs on 64-bit processors as it
> > >     uses 64-bit registers for 64-bit integers.  So I'm uncertain if the
> > >     __AUDIT_ARCH_64BIT flags should be set or not.
> >
> > I would guess it should, but I am no expert.
> 
> Steve?

The core issue is to tell the kernel exactly what syscall you want inspected 
by the audit system. You should be able to specify a particular ABI and 
syscall and get that and only that. Then the event should record the 
information so that user space can figure out which syscall table to lookup the 
syscall number from so that it can turn it into text. Using the LE and other 
flags helps to know what we are dealing with if you have events aggregated in a 
server from multiple machines of different CPUs.

Assuming the AUDIT_ARCH_* follows expected conventions, the main test for 
correctness is whether or not you get a round trip from rules to interpreted 
events, it's exactly what was expected.

-Steve
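The rule-to-event round trip Steve describes, as an added example that is not part of this thread or of the audit userspace code: the machine id and flag bits are the ones from elf.h and uapi linux/audit.h, the N32 arch values follow the definitions quoted above (no __AUDIT_ARCH_64BIT), and the syscall table is a constructed two-entry subset of the real o32/n32/n64 tables.

```c
#include <stdint.h>
#include <string.h>

/* Machine id and flag bits as in <elf.h> and uapi <linux/audit.h>. */
#define EM_MIPS            8
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
#define __AUDIT_ARCH_ALT   0x20000000u
enum mips_abi { ABI_O32 = 0, ABI_N32 = 1, ABI_N64 = 2 };

/* Rule side: arch value for one ABI/endianness, with the flag layout quoted
 * in the thread (N64 sets 64BIT, N32 sets ALT only, LE marks little endian). */
static uint32_t mips_audit_arch(enum mips_abi abi, int little_endian) {
    uint32_t arch = EM_MIPS;
    if (abi == ABI_N64) arch |= __AUDIT_ARCH_64BIT;
    if (abi == ABI_N32) arch |= __AUDIT_ARCH_ALT;
    if (little_endian) arch |= __AUDIT_ARCH_LE;
    return arch;
}

/* Event side: low 16 bits are the ELF machine, high bits are the flags. */
static int mips_decode_arch(uint32_t arch, enum mips_abi *abi, int *le) {
    if ((arch & 0xffffu) != EM_MIPS) return -1;   /* not a MIPS event */
    *le = (arch & __AUDIT_ARCH_LE) != 0;
    if (arch & __AUDIT_ARCH_ALT) *abi = ABI_N32;
    else if (arch & __AUDIT_ARCH_64BIT) *abi = ABI_N64;
    else *abi = ABI_O32;
    return 0;
}

/* Constructed two-entry subset of the three MIPS tables (o32 numbers start
 * at 4000, n64 at 5000, n32 at 6000); a real interpreter has the full tables. */
static const char *mips_syscall_name(enum mips_abi abi, unsigned nr) {
    static const struct { unsigned read, write; } tbl[3] = {
        { 4003, 4004 }, /* o32 */ { 6000, 6001 }, /* n32 */ { 5000, 5001 } /* n64 */
    };
    if (nr == tbl[abi].read)  return "read";
    if (nr == tbl[abi].write) return "write";
    return NULL;
}

/* Round trip: the arch the rule used selects the table that turns the
 * event's syscall number back into text; the wrong table yields no name. */
static const char *interpret_event(uint32_t arch, unsigned nr) {
    enum mips_abi abi; int le;
    if (mips_decode_arch(arch, &abi, &le) < 0) return NULL;
    return mips_syscall_name(abi, nr);
}
```

Interpreting an n32 event's number 6001 through the o32 table returns no name, which is the failure the arch field exists to prevent when events from different ABIs are aggregated on one server.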
