diff options
| author | Nathaniel Husted <nhusted@gmail.com> | 2012-01-03 14:23:09 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-17 16:17:01 -0500 |
| commit | 29ef73b7a823b77a7cd0bdd7d7cded3fb6c2587b (patch) | |
| tree | 4edfccf0b4d2b24c8e6069113eb69bb8c7a9b037 /arch/arm/kernel/ptrace.c | |
| parent | 4043cde8ecf7f7d880eb1133c201a3d392fd68c3 (diff) | |
Kernel: Audit Support For The ARM Platform
This patch provides functionality to audit system call events on the
ARM platform. The implementation was based off the structure of the
MIPS platform and information in this
(http://lists.fedoraproject.org/pipermail/arm/2009-October/000382.html)
mailing list thread. The required audit_syscall_exit and
audit_syscall_entry checks were added to ptrace using the standard
registers for system call values (r0 through r3). A thread information
flag was added for auditing (TIF_SYSCALL_AUDIT) and a meta-flag was
added (_TIF_SYSCALL_WORK) to simplify modifications to the syscall
entry/exit. Now, if either the TRACE flag is set or the AUDIT flag is
set, the syscall_trace function will be executed. The prober changes
were made to Kconfig to allow CONFIG_AUDITSYSCALL to be enabled.
Due to platform availability limitations, this patch was only tested
on the Android platform running the modified "android-goldfish-2.6.29"
kernel. A test compile was performed using Code Sourcery's
cross-compilation toolset and the current linux-3.0 stable kernel. The
changes compile without error. I'm hoping, due to the simple modifications,
the patch is "obviously correct".
Signed-off-by: Nathaniel Husted <nhusted@gmail.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'arch/arm/kernel/ptrace.c')
| -rw-r--r-- | arch/arm/kernel/ptrace.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c index 483727ad6892..e1d5e1929fbd 100644 --- a/arch/arm/kernel/ptrace.c +++ b/arch/arm/kernel/ptrace.c | |||
| @@ -906,11 +906,6 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) | |||
| 906 | { | 906 | { |
| 907 | unsigned long ip; | 907 | unsigned long ip; |
| 908 | 908 | ||
| 909 | if (!test_thread_flag(TIF_SYSCALL_TRACE)) | ||
| 910 | return scno; | ||
| 911 | if (!(current->ptrace & PT_PTRACED)) | ||
| 912 | return scno; | ||
| 913 | |||
| 914 | /* | 909 | /* |
| 915 | * Save IP. IP is used to denote syscall entry/exit: | 910 | * Save IP. IP is used to denote syscall entry/exit: |
| 916 | * IP = 0 -> entry, = 1 -> exit | 911 | * IP = 0 -> entry, = 1 -> exit |
| @@ -918,6 +913,17 @@ asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno) | |||
| 918 | ip = regs->ARM_ip; | 913 | ip = regs->ARM_ip; |
| 919 | regs->ARM_ip = why; | 914 | regs->ARM_ip = why; |
| 920 | 915 | ||
| 916 | if (!ip) | ||
| 917 | audit_syscall_exit(regs); | ||
| 918 | else | ||
| 919 | audit_syscall_entry(AUDIT_ARCH_ARMEB, scno, regs->ARM_r0, | ||
| 920 | regs->ARM_r1, regs->ARM_r2, regs->ARM_r3); | ||
| 921 | |||
| 922 | if (!test_thread_flag(TIF_SYSCALL_TRACE)) | ||
| 923 | return scno; | ||
| 924 | if (!(current->ptrace & PT_PTRACED)) | ||
| 925 | return scno; | ||
| 926 | |||
| 921 | current_thread_info()->syscall = scno; | 927 | current_thread_info()->syscall = scno; |
| 922 | 928 | ||
| 923 | /* the 0x80 provides a way for the tracing parent to distinguish | 929 | /* the 0x80 provides a way for the tracing parent to distinguish |