[PATCH v2.1] audit: Only use the syscall slowpath when syscall audit rules exist
Andy Lutomirski
luto at amacapital.net
Mon Feb 3 21:09:54 UTC 2014
On Mon, Feb 3, 2014 at 12:35 PM, Eric Paris <eparis at redhat.com> wrote:
> Hmmmm,
>
> My problem with doing this has always actually been because of SELinux.
> Knowing syscall information with AVCs can be a huge help running down
> problems. We already make people load rules if they want to get
> pathname type records, so maybe this is fine. Or we could make SELinux
> take a reference on the number of audit rules, but that was your
> particular use case. Not sure how I feel about losing syscall
> information by default on AVCs...
>
Hmm. I never noticed that feature. That'll show me :)
I would personally happily give that up for a 30-50% reduction in
systemwide syscall latency.
Looking at the 64-bit syscall entry code, it looks like the syscall nr
is always saved to pt_regs (as orig_rax) and the arguments are shoved
into the usual places in pt_regs. Have you ever tried using
syscall_get_nr and syscall_get_arguments from the audit code without
setting TIF_SYSCALL_AUDIT? I may be missing something here, but it
looks like it'll work.
> Do we always have audit_context allocated? I need to look how the TIF
> and audit_context are correlated.
In 3.13, TIF_SYSCALL_AUDIT is set iff audit_context is allocated. In
3.12 and below that was not the case due to a bug.
>
> For a completely seperate non-audit patch idea I've toyed with making
> the arch/syscall_nr a0,a1,a2,a3 stored in task struct rather than audit
> context. Would mean that recording that information on syscall entry
> could be fast/easy and done quickly in syscall entry assembly code.
> Then on entry we could track only if there are rules on the 'entry' list
> and skip if none. On exit we could do the same only with exit rules.
> Right now all 3 of those different things are tracked in
> TIF_SYSCALL_AUDIT (As I recall the slow path is usually a lot of things
> other than audit, but audit is what forces us onto the slow patch)
I think that you can already fish out the syscall args on x86_64 at
least. The attached awful patch appears to work, for example.
Test code:
#include <stdio.h>
#include <linux/prctl.h>
int main(int argc, char **argv)
{
if (argc != 5) {
printf("Usage: test_pr500 arg2 arg3 arg4 arg5\n");
return 1;
}
prctl(500, atoi(argv[1]), atoi(argv[2]), atoi(argv[3]), atoi(argv[4]));
return 0;
}
FWIW, I don't know *why* the syscall fast path does this, but it's
convenient for this use :)
Out of curiosity, why does the audit code ignore a4 and a5?
--Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: awful_syscall_hack.patch
Type: text/x-patch
Size: 810 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140203/a18dda44/attachment.bin>
More information about the Linux-audit
mailing list