2007-11-07 05:11:35

by Yuichi Nakamura

Subject: [patch] audit support for SH

I found that syscall audit does not work on SH (SuperH).
I made a patch to support syscall audit for SH.

Signed-off-by: Yuichi Nakamura<[email protected]>
---
arch/sh/kernel/entry-common.S | 8 ++++++--
arch/sh/kernel/ptrace.c | 19 +++++++++++++++----
include/asm-sh/thread_info.h | 2 ++
init/Kconfig | 2 +-
4 files changed, 24 insertions(+), 7 deletions(-)
diff -purN -X linux-2.6.24.rc1/Documentation/dontdiff linux-2.6.24.rc1.orig/arch/sh/kernel/entry-common.S linux-2.6.24.rc1/arch/sh/kernel/entry-common.S
--- linux-2.6.24.rc1.orig/arch/sh/kernel/entry-common.S 2007-11-06 16:03:17.000000000 +0900
+++ linux-2.6.24.rc1/arch/sh/kernel/entry-common.S 2007-11-06 18:16:11.000000000 +0900
@@ -224,7 +224,7 @@ work_resched:
syscall_exit_work:
! r0: current_thread_info->flags
! r8: current_thread_info
- tst #_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP, r0
+ tst #_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP |_TIF_SYSCALL_AUDIT, r0
bt/s work_pending
tst #_TIF_NEED_RESCHED, r0
#ifdef CONFIG_TRACE_IRQFLAGS
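Review bot: The new mask on the `tst` line is missing a space before `_TIF_SYSCALL_AUDIT`; write it as `tst #_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP | _TIF_SYSCALL_AUDIT, r0` to match the operand spacing used elsewhere in the file. This `tst #imm, r0` form, and the `mov #imm, r10` added in the last hunk of this file, carry an 8-bit immediate, so every flag folded into these masks has to live in the low byte of the flags word; with TIF_SYSCALL_AUDIT at bit 5 that holds, but it is an easy invariant to break when the next flag is added, and a short comment at the `tst` such as `! flags tested here must be bits 0-7 (8-bit immediate)` would record it. The syscall_exit_work block continues past the end of the hunk.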
@@ -234,6 +234,8 @@ syscall_exit_work:
#endif
sti
! XXX setup arguments...
+ mov r15, r4
+ mov #1, r5
mov.l 4f, r0 ! do_syscall_trace
jsr @r0
nop
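Review bot: The `! XXX setup arguments...` comment directly above the two added `mov` instructions is now stale, because the hunk is exactly the argument setup it was asking for; replace it with `! r4: pt_regs (r15), r5: 1 = syscall exit` so a reader knows what do_syscall_trace receives. The same stale comment sits above the `mov #0, r5` in the next hunk (syscall_trace_entry), where it should become `! r4: pt_regs (r15), r5: 0 = syscall entry`. That r15 points at the saved pt_regs at both sites is what the new C side relies on, and it is not visible in this hunk, so it is worth confirming against the register-save path before this is merged. Both labels' blocks extend beyond the hunk boundaries.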
@@ -244,6 +246,8 @@ syscall_exit_work:
syscall_trace_entry:
! Yes it is traced.
! XXX setup arguments...
+ mov r15, r4
+ mov #0, r5
mov.l 4f, r11 ! Call do_syscall_trace which notifies
jsr @r11 ! superior (will chomp R[0-7])
nop
@@ -366,7 +370,7 @@ ENTRY(system_call)
!
get_current_thread_info r8, r10
mov.l @(TI_FLAGS,r8), r8
- mov #_TIF_SYSCALL_TRACE, r10
+ mov #(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT), r10
tst r10, r8
bf syscall_trace_entry
!
diff -purN -X linux-2.6.24.rc1/Documentation/dontdiff linux-2.6.24.rc1.orig/arch/sh/kernel/ptrace.c linux-2.6.24.rc1/arch/sh/kernel/ptrace.c
--- linux-2.6.24.rc1.orig/arch/sh/kernel/ptrace.c 2007-11-06 16:03:17.000000000 +0900
+++ linux-2.6.24.rc1/arch/sh/kernel/ptrace.c 2007-11-07 08:46:14.000000000 +0900
@@ -6,7 +6,7 @@
* edited by Linus Torvalds
*
* SuperH version: Copyright (C) 1999, 2000 Kaz Kojima & Niibe Yutaka
- *
+ * Audit support: Yuichi Nakamura <[email protected]>
*/
#include <linux/kernel.h>
#include <linux/sched.h>
@@ -24,6 +24,7 @@
#include <asm/system.h>
#include <asm/processor.h>
#include <asm/mmu_context.h>
+#include <linux/audit.h>

/*
* does not yet catch signals sent when the child dies.
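Review bot: `#include <linux/audit.h>` is appended after the `<asm/...>` headers, which breaks the file's existing grouping of `<linux/...>` includes ahead of `<asm/...>`; move it up next to `<linux/sched.h>`. It is cosmetic, but the ordering is what the rest of the file follows and what later additions will copy.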
@@ -248,15 +249,18 @@ long arch_ptrace(struct task_struct *chi
return ret;
}

-asmlinkage void do_syscall_trace(void)
+asmlinkage void do_syscall_trace(struct pt_regs *regs, int entryexit)
{
struct task_struct *tsk = current;
+ if (unlikely(current->audit_context) && entryexit)
+ audit_syscall_exit(AUDITSC_RESULT(regs->regs[0]),
+ regs->regs[0]);

if (!test_thread_flag(TIF_SYSCALL_TRACE) &&
!test_thread_flag(TIF_SINGLESTEP))
- return;
+ goto out;
if (!(tsk->ptrace & PT_PTRACED))
- return;
+ goto out;
/* the 0x80 provides a way for the tracing parent to distinguish
between a syscall stop and SIGTRAP delivery */
ptrace_notify(SIGTRAP | ((current->ptrace & PT_TRACESYSGOOD) &&
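Review bot: The added audit call reads `current->audit_context` on the line right after `tsk = current` has been assigned, so the function now mixes `tsk` and `current` for the same task; use `tsk->audit_context` here and in the `out:` block of the next hunk. The blank line that separated the declaration from the first statement has been pushed below the new `if`, which makes the audit hook read as part of the declaration; keep `struct task_struct *tsk = current;` on its own, then a blank line, then the hook. Running audit_syscall_exit before the ptrace stop and audit_syscall_entry after it (next hunk) appears to follow the ordering i386 used at the time, so that a tracer's edits to the syscall number and arguments are what gets audited; a one-line comment such as `/* audit exit before the tracer sees it; audit entry after, so tracer edits are recorded */` would state that intent. The function's closing brace is in the next hunk.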
@@ -271,4 +275,11 @@ asmlinkage void do_syscall_trace(void)
send_sig(tsk->exit_code, tsk, 1);
tsk->exit_code = 0;
}
+
+out:
+ if (unlikely(current->audit_context) && !entryexit)
+ audit_syscall_entry(AUDIT_ARCH_SH, regs->regs[3],
+ regs->regs[4], regs->regs[5],
+ regs->regs[6], regs->regs[7]);
+
}
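Review bot: `AUDIT_ARCH_SH` is hard-coded as the arch argument of audit_syscall_entry, but SH kernels can be built little-endian and the audit ABI distinguishes the two byte orders (AUDIT_ARCH_SHEL is the little-endian value). A wrong arch value means userspace decodes the syscall number against the wrong table and audit rules filtered on arch silently miss or mismatch, so the value should be chosen from the kernel's endianness configuration rather than fixed; a small helper keyed on CONFIG_CPU_LITTLE_ENDIAN does it. Separately, the `out:` label sits after a blank line with a trailing empty line before `}`, and the hook under it should use `tsk` like the rest of the function. do_syscall_trace begins in the previous hunk.

```c
/* Audit arch value for this kernel's byte order. */
static inline int audit_arch(void)
{
#ifdef CONFIG_CPU_LITTLE_ENDIAN
	return AUDIT_ARCH_SHEL;
#else
	return AUDIT_ARCH_SH;
#endif
}

/* … unchanged: do_syscall_trace body up to the out: label … */
out:
	if (unlikely(tsk->audit_context) && !entryexit)
		audit_syscall_entry(audit_arch(), regs->regs[3],
				    regs->regs[4], regs->regs[5],
				    regs->regs[6], regs->regs[7]);
}
```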
--- linux-2.6.24.rc1.orig/include/asm-sh/thread_info.h 2007-10-10 05:31:38.000000000 +0900
+++ linux-2.6.24.rc1/include/asm-sh/thread_info.h 2007-11-07 08:46:37.000000000 +0900
@@ -111,6 +111,7 @@ static inline struct thread_info *curren
#define TIF_NEED_RESCHED 2 /* rescheduling necessary */
#define TIF_RESTORE_SIGMASK 3 /* restore signal mask in do_signal() */
#define TIF_SINGLESTEP 4 /* singlestepping active */
+#define TIF_SYSCALL_AUDIT 5
#define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
#define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */
#define TIF_MEMDIE 18
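Review bot: `#define TIF_SYSCALL_AUDIT 5` is the only flag in this list without a trailing description; add `/* syscall auditing active */` to match its neighbours. The value also has to stay below 8, because entry-common.S folds this flag into `tst #imm` and `mov #imm` masks that take only an 8-bit immediate; that constraint is written nowhere, so record it here, e.g. `#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active; must stay < 8, see entry-common.S */`.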
@@ -121,6 +122,7 @@ static inline struct thread_info *curren
#define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
#define _TIF_RESTORE_SIGMASK (1<<TIF_RESTORE_SIGMASK)
#define _TIF_SINGLESTEP (1<<TIF_SINGLESTEP)
+#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
#define _TIF_USEDFPU (1<<TIF_USEDFPU)
#define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
#define _TIF_FREEZE (1<<TIF_FREEZE)
--- linux-2.6.24.rc1.orig/init/Kconfig 2007-11-06 16:03:31.000000000 +0900
+++ linux-2.6.24.rc1/init/Kconfig 2007-11-06 16:19:08.000000000 +0900
@@ -226,7 +226,7 @@ config AUDIT

config AUDITSYSCALL
bool "Enable system-call auditing support"
- depends on AUDIT && (X86 || PPC || PPC64 || S390 || IA64 || UML || SPARC64)
+ depends on AUDIT && (X86 || PPC || PPC64 || S390 || IA64 || UML || SPARC64|| SUPERH)
default y if SECURITY_SELINUX
help
Enable low-overhead system-call auditing infrastructure that
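Review bot: The new alternative is written `SPARC64|| SUPERH`, with the `||` glued to SPARC64; write it as `SPARC64 || SUPERH` so the expression reads like the rest of the line. Nothing else in the hunk changes.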


Regards,
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/


2007-11-07 05:30:32

by Paul Mundt

Subject: Re: [patch] audit support for SH

On Wed, Nov 07, 2007 at 02:04:46PM +0900, Yuichi Nakamura wrote:
> I found syscall audit does not work on SH(SuperH).
> I made patch to support syscall audit for SH.
>
> Signed-off-by: Yuichi Nakamura<[email protected]>

Looks fine, but it's too late for 2.6.24. So this will go in to the 2.6.25
queue when I open up the 2.6.25 development tree. Thanks.

2007-11-07 15:16:18

by Steve Grubb

Subject: Re: [patch] audit support for SH

On Wednesday 07 November 2007 12:04:46 am Yuichi Nakamura wrote:
> I found syscall audit does not work on SH(SuperH).
> I made patch to support syscall audit for SH.

I think this is close, but it looks like you missed the syscall classification
piece. You can find an example here:

arch/x86_64/kernel/audit.c

It's used for determining which syscalls we are interested in for watches.

Also, IBM and HP both have released audit test suites. You should run the CAPP
tests at a minimum to see if you have hooked everything that is expected. If
you have SE Linux enabled for that platform, you may want to try the LSPP
tests but you would need have the MLS policy installed.

IBM's announcement is here:

https://www.redhat.com/archives/redhat-lspp/2007-August/msg00002.html

and HP's here:

https://www.redhat.com/archives/linux-audit/2007-August/msg00030.html

And...user space would need an update for the syscall table and arches so that
you can run the tests. Please send that patch to linux-audit mail list.

Thanks,
-Steve

2007-11-07 15:25:00

by Paul Mundt

Subject: Re: [patch] audit support for SH

On Wed, Nov 07, 2007 at 10:15:33AM -0500, Steve Grubb wrote:
> On Wednesday 07 November 2007 12:04:46 am Yuichi Nakamura wrote:
> > I found syscall audit does not work on SH(SuperH).
> > I made patch to support syscall audit for SH.
>
> I think this is close, but it looks like you missed the syscall classification
> piece. You can find an example here:
>
> arch/x86_64/kernel/audit.c
>
> Its used for determining which syscalls we are interested in for watches.
>
Looking at this, it seems like the classification stuff for 32-bit is
generic, it's just the compat bits that are special cased and wrap back
in through the 32-bit classifier.

Is there any point in keeping the 32-bit audit.c rather than simply
moving it to kernel/ or lib/ and leaving the arch/ bits as compat
wrappers only?

At least powerpc, x86, and ia64 look like they could go that way.

2007-11-08 08:17:23

by Yuichi Nakamura

Subject: Re: [patch] audit support for SH

On Wed, 7 Nov 2007 10:15:33 -0500
Steve Grubb wrote:
> On Wednesday 07 November 2007 12:04:46 am Yuichi Nakamura wrote:
> > I found syscall audit does not work on SH(SuperH).
> > I made patch to support syscall audit for SH.
>
> I think this is close, but it looks like you missed the syscall classification
> piece. You can find an example here:
>
> arch/x86_64/kernel/audit.c
>
> Its used for determining which syscalls we are interested in for watches.
Thanks, I did not know that.
arch/sh is 32 bit only, so I think lib/audit.c is enough for sh.


> Also, IBM and HP both have released audit test suites. You should run the CAPP
> tests at a minimum to see if you have hooked everything that is expected. If
> you have SE Linux enabled for that platform, you may want to try the LSPP
> tests but you would need have the MLS policy installed.
>
> IBM's announcement is here:
>
> https://www.redhat.com/archives/redhat-lspp/2007-August/msg00002.html
>
> and HP's here:
>
> https://www.redhat.com/archives/linux-audit/2007-August/msg00030.html
>
> And...user space would need an update for the syscall table and arches so that
> you can run the tests. Please send that patch to linux-audit mail list.
>
> Thanks,
> -Steve

--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
Japan SELinux Users Group(JSELUG): http://www.selinux.gr.jp/
SELinux Policy Editor: http://seedit.sourceforge.net/