Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386

From: Chris Wright (chrisw@private)
Date: Mon Dec 06 2004 - 20:52:25 PST

Previous message: Chris Wright: "Re: [RFC][PATCH 1/3] Introduce audit_syscall LSM hook"
In reply to: Adrian Drzewiecki: "[RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Next in thread: Adrian Drzewiecki: "Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Reply: Adrian Drzewiecki: "Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

* Adrian Drzewiecki (z@private) wrote:
> -/* notification of system call entry/exit
> - * - triggered by current->work.syscall_trace
> - */
> -__attribute__((regparm(3)))
> -void do_syscall_trace(struct pt_regs *regs, int entryexit)
> +void audit_syscall(struct task_struct *p, void *_regs, int entryexit)
>  {
> -	if (unlikely(current->audit_context)) {
> +	if (unlikely(p->audit_context)) {
> +		struct pt_regs __attribute__((__unused__)) *regs = _regs;
>  		if (!entryexit)
> -			audit_syscall_entry(current, regs->orig_eax,
> +			audit_syscall_entry(p, regs->orig_eax,
>  					    regs->ebx, regs->ecx,
>  					    regs->edx, regs->esi);
>  		else
> -			audit_syscall_exit(current, regs->eax);
> +			audit_syscall_exit(p, regs->eax);
>  	}
> +}
> +
> +EXPORT_SYMBOL_GPL(audit_syscall);

OK, exported so modules can use it, but what would a module do other
than simply call this arch specific code?

>  
> +/* notification of system call entry/exit
> + * - triggered by current->work.syscall_trace
> + */
> +__attribute__((regparm(3)))

BTW, bet you could switch this to fastcall now.

> +void do_syscall_trace(struct pt_regs *regs, int entryexit)
> +{
> +	if (unlikely(test_thread_flag(TIF_SYSCALL_AUDIT)))
> +		security_audit_syscall(current, regs, entryexit);


>  	if (!test_thread_flag(TIF_SYSCALL_TRACE) &&
> -	    !test_thread_flag(TIF_SINGLESTEP))
> +			!test_thread_flag(TIF_SINGLESTEP))
>  		return;
>  	if (!(current->ptrace & PT_PTRACED))
>  		return;
> @@ -559,3 +568,4 @@
>  		current->exit_code = 0;
>  	}
>  }
> +
> diff -ru linux-2.6.9-security_audit_syscall/include/asm-i386/ptrace.h 
> linux-2.6.9-security_audit_syscall-x86/include/asm-i386/ptrace.h
> --- linux-2.6.9-security_audit_syscall/include/asm-i386/ptrace.h	
> 2004-10-18 14:53:11.000000000 -0700
> +++ linux-2.6.9-security_audit_syscall-x86/include/asm-i386/ptrace.h	
> 2004-12-02 21:11:25.000000000 -0800
> @@ -64,4 +64,7 @@
>  #endif
>  #endif
>  
> +void audit_syscall(struct task_struct *p, void *regs, int entryexit);
> +#define ARCH_HAVE_AUDIT_SYSCALL

I'd order this the other way around.  define macro, then prototype.
Also, any reason this is void * and not typed?

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

Previous message: Chris Wright: "Re: [RFC][PATCH 1/3] Introduce audit_syscall LSM hook"
In reply to: Adrian Drzewiecki: "[RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Next in thread: Adrian Drzewiecki: "Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Reply: Adrian Drzewiecki: "Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Dec 06 2004 - 20:52:53 PST