Re: [RFC][PATCH 2/3] Introduce audit_security LSM hook - i386

From: Adrian Drzewiecki (z@private)
Date: Tue Dec 07 2004 - 10:53:09 PST


On Mon, 6 Dec 2004, Chris Wright wrote:

> * Adrian Drzewiecki (z@private) wrote:
> > -/* notification of system call entry/exit
> > - * - triggered by current->work.syscall_trace
> > - */
> > -__attribute__((regparm(3)))
> > -void do_syscall_trace(struct pt_regs *regs, int entryexit)
> > +void audit_syscall(struct task_struct *p, void *_regs, int entryexit)
> >  {
> > -	if (unlikely(current->audit_context)) {
> > +	if (unlikely(p->audit_context)) {
> > +		struct pt_regs __attribute__((__unused__)) *regs = _regs;
> >  		if (!entryexit)
> > -			audit_syscall_entry(current, regs->orig_eax,
> > +			audit_syscall_entry(p, regs->orig_eax,
> >  					    regs->ebx, regs->ecx,
> >  					    regs->edx, regs->esi);
> >  		else
> > -			audit_syscall_exit(current, regs->eax);
> > +			audit_syscall_exit(p, regs->eax);
> >  	}
> > +}
> > +
> > +EXPORT_SYMBOL_GPL(audit_syscall);
> 
> OK, exported so modules can use it, but what would a module do other
> than simply call this arch specific code?

See previous email. An LSM that implements security_ops->audit_syscall() 
and wants to preserve normal syscall auditing would need to call 
audit_syscall() from it's hook.
 
> >  
> > +/* notification of system call entry/exit
> > + * - triggered by current->work.syscall_trace
> > + */
> > +__attribute__((regparm(3)))
> 
> BTW, bet you could switch this to fastcall now.

Okay. But I would rather not make any changes outside of the feature I 
request. 

> > +void do_syscall_trace(struct pt_regs *regs, int entryexit)
> > +{
> > +	if (unlikely(test_thread_flag(TIF_SYSCALL_AUDIT)))
> > +		security_audit_syscall(current, regs, entryexit);
> 
> 
> >  	if (!test_thread_flag(TIF_SYSCALL_TRACE) &&
> > -	    !test_thread_flag(TIF_SINGLESTEP))
> > +			!test_thread_flag(TIF_SINGLESTEP))
> >  		return;
> >  	if (!(current->ptrace & PT_PTRACED))
> >  		return;
> > @@ -559,3 +568,4 @@
> >  		current->exit_code = 0;
> >  	}
> >  }
> > +
> > diff -ru linux-2.6.9-security_audit_syscall/include/asm-i386/ptrace.h 
> > linux-2.6.9-security_audit_syscall-x86/include/asm-i386/ptrace.h
> > --- linux-2.6.9-security_audit_syscall/include/asm-i386/ptrace.h	
> > 2004-10-18 14:53:11.000000000 -0700
> > +++ linux-2.6.9-security_audit_syscall-x86/include/asm-i386/ptrace.h	
> > 2004-12-02 21:11:25.000000000 -0800
> > @@ -64,4 +64,7 @@
> >  #endif
> >  #endif
> >  
> > +void audit_syscall(struct task_struct *p, void *regs, int entryexit);
> > +#define ARCH_HAVE_AUDIT_SYSCALL
>
> I'd order this the other way around.  define macro, then prototype.
> Also, any reason this is void * and not typed? 

Yes, void * is kinda ugly. I was going to point my finger at 
include/asm-um/ptrace-generic.h for the reason. It does:

  #define pt_regs pt_regs_subarch
  #define show_regs show_regs_subarch

  #include "asm/arch/ptrace.h"

  #undef pt_regs
  #undef show_regs

Which caused problems with the declaration of audit_syscall() in 
include/asm-i386/ptrace.h .. But I see now that I could've just #defined 
HAVE_ARCH_AUDIT_SYSCALL before #include "asm/arch/ptrace.h" for UML.

Would you like me to resend the patch?

Thanks for your feedback!

-- 
Adrian Drzewiecki
z@private



This archive was generated by hypermail 2.1.3 : Tue Dec 07 2004 - 10:53:28 PST