AUDIT_ARCH_ and __NR_syscall constants for seccomp filters

Thomas Weißschuh linux at weissschuh.net
Mon Jun 28 17:13:25 UTC 2021 

Hi Paul,

thanks for your response!

On Mo, 2021-06-28T12:59-0400, Paul Moore wrote:
> On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux at weissschuh.net> wrote:
> >
> > Hi everyone,
> >
> > there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
> > the currently visible syscall numbers (__NR_...) from the kernel uapi headers.
> 
> Looking at Linus' current tree I see the AUDIT_ARCH_* defines in
> include/uapi/linux/audit.h; looking on my system right now I see the
> defines in /usr/include/linux/audit.h.  What kernel repository and
> distribution are you using?

I am using ArchLinux and also have all these defines.

> > Questions:
> >
> > Is it really necessary to validate the arch value when syscall numbers are
> > already target-specific?
> > (If not, should this be added to the docs?)
> 
> Checking the arch/ABI value is important so that you can ensure that
> you are using the syscall number in the proper context.  For example,
> look at the access(2) syscall: it is undefined on some ABIs and can
> take either a value of 20, 21, or 33 depending on the arch/ABI.
> Unfortunately this is rather common.

But when if I am not hardcoding the syscall numbers but use the
__NR_access kernel define then I should always get the correct number for the
ABI I am compiling for (or an error if the syscall does not exist), no?

> Checking the arch/ABI value is also handy if you want to quickly
> disallow certain ABIs on a system that supports multiple ABI, e.g.
> disabling 32-bit x86 on a 64-bit x86_64 system.
> 
> > Would it make sense to expose the audit arch matching the syscall numbers in
> > the uapi headers?
> 
> Yes, which is why the existing headers do so ;)  If you don't see the
> header files I mentioned above, it may be worth checking your kernel
> source repository and your distribution's installed kernel header
> files.

I do see constants for all the possible ABIs but not one constant that always
represents the one I am currently compiling for.
The same way the syscall number defines always give me the syscall number for
the currently targeted ABI.

Thomas

More information about the Linux-audit mailing list