[PATCH 1/2] audit: add call argument to socketcall auditing

Sven Schnelle svens at linux.ibm.com
Tue May 3 09:02:11 UTC 2022


socketcall auditing does not record the call argument:

type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c

which renders socketcall auditing (almost) useless. Add the call
argument so it is possible to decode the actual syscall from the
audit log:

type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c

Signed-off-by: Sven Schnelle <svens at linux.ibm.com>
---
 include/linux/audit.h | 10 +++++-----
 kernel/audit.h        |  1 +
 kernel/auditsc.c      |  6 ++++--
 net/compat.c          |  2 +-
 net/socket.c          |  2 +-
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index d06134ac6245..7d2256f999ab 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t)
 extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp);
 extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode);
 extern void __audit_bprm(struct linux_binprm *bprm);
-extern int __audit_socketcall(int nargs, unsigned long *args);
+extern int __audit_socketcall(int call, int nargs, unsigned long *args);
 extern int __audit_sockaddr(int len, void *addr);
 extern void __audit_fd_pair(int fd1, int fd2);
 extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr);
@@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm)
 	if (unlikely(!audit_dummy_context()))
 		__audit_bprm(bprm);
 }
-static inline int audit_socketcall(int nargs, unsigned long *args)
+static inline int audit_socketcall(int call, int nargs, unsigned long *args)
 {
 	if (unlikely(!audit_dummy_context()))
-		return __audit_socketcall(nargs, args);
+		return __audit_socketcall(call, nargs, args);
 	return 0;
 }
 
-static inline int audit_socketcall_compat(int nargs, u32 *args)
+static inline int audit_socketcall_compat(int call, int nargs, u32 *args)
 {
 	unsigned long a[AUDITSC_ARGS];
 	int i;
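Review bot: The header's diffstat (5 insertions, 5 deletions) is fully accounted for by the CONFIG_AUDITSYSCALL-side changes in this and the neighbouring hunks, so if the header also carries `!CONFIG_AUDITSYSCALL` stub versions of `audit_socketcall()` and `audit_socketcall_compat()` that still take `(int nargs, ...)`, the updated call sites in net/socket.c and net/compat.c will fail to compile with syscall auditing disabled; those stubs would need the same `int call` first parameter, e.g. `static inline int audit_socketcall(int call, int nargs, unsigned long *args)`. I cannot see the `#else` branch from this patch, so please confirm against the full file. The body of audit_socketcall_compat continues outside this hunk, including whatever bounds the `nargs` loop that follows.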
@@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args)
 
 	for (i = 0; i < nargs; i++)
 		a[i] = (unsigned long)args[i];
-	return __audit_socketcall(nargs, a);
+	return __audit_socketcall(call, nargs, a);
 }
 
 static inline int audit_sockaddr(int len, void *addr)
diff --git a/kernel/audit.h b/kernel/audit.h
index 58b66543b4d5..34e53b6f0ebb 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -153,6 +153,7 @@ struct audit_context {
 	int type;
 	union {
 		struct {
+			int call;
 			int nargs;
 			long args[6];
 		} socketcall;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..c856893041c9 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic)
 	switch (context->type) {
 	case AUDIT_SOCKETCALL: {
 		int nargs = context->socketcall.nargs;
+		int call = context->socketcall.call;
 
-		audit_log_format(ab, "nargs=%d", nargs);
+		audit_log_format(ab, "call=%d nargs=%d", call, nargs);
 		for (i = 0; i < nargs; i++)
 			audit_log_format(ab, " a%d=%lx", i,
 				context->socketcall.args[i]);
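Review bot: Inserting `call=` ahead of `nargs=` changes the position of every existing field in the SOCKETCALL record, which is user-visible log format; parsers that key on field names should cope, but the usual convention for audit records is to append new fields rather than reorder existing ones, so consider emitting `call=%d` after the existing fields (after the `a%d=` loop, which ends this hunk) unless there is a reason to lead with it. If the placement is deliberate, a one-line comment above the format call saying so would spare the next reviewer the same question.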
@@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm)
  * @args: args array
  *
  */
-int __audit_socketcall(int nargs, unsigned long *args)
+int __audit_socketcall(int call, int nargs, unsigned long *args)
 {
 	struct audit_context *context = audit_context();
 
 	if (nargs <= 0 || nargs > AUDITSC_ARGS || !args)
 		return -EINVAL;
 	context->type = AUDIT_SOCKETCALL;
+	context->socketcall.call = call;
 	context->socketcall.nargs = nargs;
 	memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long));
 	return 0;
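Review bot: The kernel-doc block above the signature still documents only `@nargs` and `@args` (its tail is visible at the top of this hunk), so the new `call` parameter is undocumented; add `* @call: socketcall multiplexer number as passed by userspace` before the existing `@nargs:` line, which sits just outside the hunk. The value is stored without any range check here; that looks intentional since the callers in net/socket.c index `nargs[call]` before reaching this point and so must have validated it, but a short comment on the new assignment line, `/* already range-checked by the socketcall caller */`, would make that dependency explicit.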
diff --git a/net/compat.c b/net/compat.c
index 210fc3b4d0d8..0df955019ecc 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
 	if (copy_from_user(a, args, len))
 		return -EFAULT;
 
-	ret = audit_socketcall_compat(len / sizeof(a[0]), a);
+	ret = audit_socketcall_compat(call, len / sizeof(a[0]), a);
 	if (ret)
 		return ret;
 
diff --git a/net/socket.c b/net/socket.c
index 6887840682bb..ff71f28c96f7 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
 	if (copy_from_user(a, args, len))
 		return -EFAULT;
 
-	err = audit_socketcall(nargs[call] / sizeof(unsigned long), a);
+	err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a);
 	if (err)
 		return err;
 
-- 
2.32.0


