[PATCH] audit.h: remove the macro AUDIT_ARCH_ARMEB definition

Li RongQing roy.qing.li at gmail.com
Wed Mar 25 00:01:12 UTC 2015 

On Wed, Mar 25, 2015 at 5:16 AM, Paul Moore <paul at paul-moore.com> wrote:
> [NOTE: Adding the linux-arm folks to this thread just in case they are
> interested.]
>
> I'm not an ARM expert, but the kernel #define for AUDIT_ARCH_ARMEB
> (below) seems reasonable to me based on the other audit machine
> definitions.  There is clearly a mismatch between the kernel and the
> audit userspace, but I wonder if the issue should be addressed in the
> userspace tools.  Further, you mention kernel 3.14, what happens with
> kernel 3.19 and the most recent audit userspace tools?
>
>   > grep "AUDIT_ARCH_ARMEB" include/uapi/linux/audit.h
>   #define AUDIT_ARCH_ARMEB        (EM_ARM)


1.
if no the below commit, audit-2.3.2 is working;
but after the below commit, audit-2.3.2 is not working.

commit 2f978366984a418f38fcf44137be1fbc5a89cfd9
Author: Will Deacon <will.deacon at arm.com>
Date:   Fri May 4 17:53:52 2012 +0100

    ARM: 7412/1: audit: use only AUDIT_ARCH_ARM regardless of endianness

    The machine endianness has no direct correspondence to the syscall ABI,
    so use only AUDIT_ARCH_ARM when identifying the ABI to the audit tools
    in userspace.

    Cc: stable at vger.kernel.org
    Signed-off-by: Will Deacon <will.deacon at arm.com>
    Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>

diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index d8dbe9c..9650c14 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -906,12 +906,6 @@ long arch_ptrace(struct task_struct *child, long request,
        return ret;
 }

-#ifdef __ARMEB__
-#define AUDIT_ARCH_NR AUDIT_ARCH_ARMEB
-#else
-#define AUDIT_ARCH_NR AUDIT_ARCH_ARM
-#endif
-
 asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
 {
        unsigned long ip;
@@ -919,7 +913,7 @@ asmlinkage int syscall_trace(int why, struct
pt_regs *regs, int scno)
        if (why)
                audit_syscall_exit(regs);
        else
-               audit_syscall_entry(AUDIT_ARCH_NR, scno, regs->ARM_r0,
+               audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0,
                                    regs->ARM_r1, regs->ARM_r2, regs->ARM_r3);

        if (!test_thread_flag(TIF_SYSCALL_TRACE))


2.

The latest audit has the changeset of 931 [Improve ARM and AARCH64 support],
so audit can work again.


-Roy

More information about the Linux-audit mailing list