[RFC PATCH v2 1/1] audit: Add generic compat syscall support

Richard Guy Briggs rgb at redhat.com
Fri Jan 10 18:36:25 UTC 2014


On 13/11/27, AKASHI Takahiro wrote:
> On 11/26/2013 04:01 AM, Will Deacon wrote:
> >On Tue, Nov 19, 2013 at 09:43:55AM +0000, AKASHI Takahiro wrote:
> >>(v1 was created mistakenly. Please ignore it.)
> >>
> >>lib/audit.c provides a generic definition for auditing system calls.
> >>lib/compat_audit.c similarly adds compat syscall support for
> >>bi-architectures (32/64-bit).
> >>
> >>Each architecture must define audit_is_compat() in asm/audit.h.
> >>
> >>Signed-off-by: AKASHI Takahiro <takahiro.akashi at linaro.org>
> >>---
> >>  include/linux/audit.h |    9 +++++++++
> >>  lib/Makefile          |    3 +++
> >>  lib/audit.c           |   17 +++++++++++++++++
> >>  lib/compat_audit.c    |   51 +++++++++++++++++++++++++++++++++++++++++++++++++
> >>  4 files changed, 80 insertions(+)
> >>  create mode 100644 lib/compat_audit.c
> >>
> >>diff --git a/include/linux/audit.h b/include/linux/audit.h
> >>index 729a4d1..c49a312 100644
> >>--- a/include/linux/audit.h
> >>+++ b/include/linux/audit.h
> >>@@ -76,6 +76,15 @@ struct audit_field {
> >>  extern int __init audit_register_class(int class, unsigned *list);
> >>  extern int audit_classify_syscall(int abi, unsigned syscall);
> >>  extern int audit_classify_arch(int arch);
> >>+#if defined(CONFIG_AUDIT_GENERIC) && defined(CONFIG_COMPAT)
> >>+extern unsigned compat_write_class[];
> >>+extern unsigned compat_read_class[];
> >>+extern unsigned compat_dir_class[];
> >>+extern unsigned compat_chattr_class[];
> >>+extern unsigned compat_signal_class[];
> >>+
> >>+extern int audit_classify_compat_syscall(int abi, unsigned syscall);
> >>+#endif
> >>
> >>  /* audit_names->type values */
> >>  #define	AUDIT_TYPE_UNKNOWN	0	/* we don't know yet */
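Review bot: the five `extern unsigned compat_*_class[]` declarations in this hunk give the compat tables global linkage, while the native tables in lib/audit.c are file-local (`static unsigned dir_class[]`, `static unsigned signal_class[]`). If nothing outside lib/compat_audit.c needs them, keep them static there and export only audit_classify_compat_syscall(); if lib/audit.c is meant to register them, a one-line comment saying so would justify the exports. There is also no fallback declaration for the !CONFIG_COMPAT case, so each caller has to carry its own #ifdef; a static inline stub in this header would avoid that.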
> >>diff --git a/lib/Makefile b/lib/Makefile
> >>index f3bb2cb..5bb185a 100644
> >>--- a/lib/Makefile
> >>+++ b/lib/Makefile
> >>@@ -96,6 +96,9 @@ obj-$(CONFIG_TEXTSEARCH_BM) += ts_bm.o
> >>  obj-$(CONFIG_TEXTSEARCH_FSM) += ts_fsm.o
> >>  obj-$(CONFIG_SMP) += percpu_counter.o
> >>  obj-$(CONFIG_AUDIT_GENERIC) += audit.o
> >>+ifeq ($(CONFIG_COMPAT),y)
> >>+obj-$(CONFIG_AUDIT_GENERIC) += compat_audit.o
> >>+endif
> >>
> >>  obj-$(CONFIG_SWIOTLB) += swiotlb.o
> >>  obj-$(CONFIG_IOMMU_HELPER) += iommu-helper.o
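Review bot: the `ifeq ($(CONFIG_COMPAT),y)` wrapper around the compat_audit.o line puts configuration logic in the Makefile. A dedicated Kconfig symbol that depends on both AUDIT_GENERIC and COMPAT (the name is yours to pick) would reduce this to a single obj-$(...) line, and the header and lib/audit.c could test that one symbol instead of repeating the two-symbol condition.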
> >>diff --git a/lib/audit.c b/lib/audit.c
> >>index 76bbed4..3bf3858 100644
> >>--- a/lib/audit.c
> >>+++ b/lib/audit.c
> >>@@ -1,6 +1,7 @@
> >>  #include <linux/init.h>
> >>  #include <linux/types.h>
> >>  #include <linux/audit.h>
> >>+#include <asm/audit.h>
> >>  #include <asm/unistd.h>
> >>
> >>  static unsigned dir_class[] = {
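Review bot: `#include <asm/audit.h>` is added unconditionally here, but audit_is_compat() is only used under `#ifdef CONFIG_COMPAT` in the next hunk. As written, every architecture that builds lib/audit.c needs an asm/audit.h, including those with no compat support. Either put the include under the same #ifdef or provide a generic fallback header, and state the requirement in a comment or Kconfig help text rather than only in the commit message.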
> >>@@ -30,11 +31,20 @@ static unsigned signal_class[] = {
> >>
> >>  int audit_classify_arch(int arch)
> >>  {
> >>+#ifdef CONFIG_COMPAT
> >>+	if (audit_is_compat(arch))
> >>+		return 1;
> >>+#endif
> >>  	return 0;
> >>  }
> >>
> >>  int audit_classify_syscall(int abi, unsigned syscall)
> >>  {
> >>+#ifdef CONFIG_COMPAT
> >>+	if (audit_is_compat(abi))
> >>+		return audit_classify_compat_syscall(abi, syscall);
> >>+#endif
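Review bot: audit_classify_arch(arch) and audit_classify_syscall(abi, ...) both pass their first argument to audit_is_compat(), but nothing in these lines says what that argument is expected to be or what the 0/1 result of audit_classify_arch() means. Please add a short comment above each function stating the expected input and the meaning of the return value, so that architectures implementing audit_is_compat() have a contract to code against.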
> >
> >Hmm, I'm not sure this is the right way to solve this problem. Whether
> >something is compat or not depends on the task to which it is associated. If
> >this is always the current task for the audit cases, then you can just use
> >something like is_compat_task. Otherwise, I think we need to get a handle on
> >the task_struct here. An arch-callback feels like the wrong approach to me.
> 
> You are completely right. In my current (v3 prototype) implementation,
> the "abi" argument, which can be AUDIT_ARCH_ARM(EB) or AUDIT_ARCH_AARCH64(EB),
> passed to audit_classify_syscall() is determined per-task using is_compat_thread()
> when audit_syscall_entry() is executed in syscall_trace().
> (Obviously audit_is_compat() is true only in case of AUDIT_ARCH_ARM.)
> 
> V3 based on this patch is working for 32-bit and 64-bit userland.
> I can submit the v3 patch if you want.

Yes, please.  This is new territory to me, but I don't see any issues.

> Thanks,
> -Takahiro AKASHI
> 
> >Will

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



