[AUDIT] Log correct syscall args for i386 processes on x86_64

The i386 syscall ABI uses different registers. Log those instead of the x86_64 ones. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
author: David Woodhouse <dwmw2@shinybook.infradead.org> 2005-05-03 09:11:02 -0400
committer: David Woodhouse <dwmw2@shinybook.infradead.org> 2005-05-03 09:11:02 -0400
commit: 488f2eaca1b0831a5a5e6a66e33bad2cdeff7238 (patch)
tree: a7d9c0e8722194ca92602ad0d5982fbb1e9e9d8e
parent: 0dd8e06bdaa0a97e706ee1a489a1f6176c4ddc64 (diff)
1 files changed, 13 insertions, 7 deletions
diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
index 19eba9aaedd1..e26e86bb56fe 100644
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -630,8 +630,6 @@ static void syscall_trace(struct pt_regs *regs)
        }
 }
-#define audit_arch() (test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
 asmlinkage void syscall_trace_enter(struct pt_regs *regs)
 {
        /* do the secure computing check first */
@@ -641,11 +639,19 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
            && (current->ptrace & PT_PTRACED))
                syscall_trace(regs);
-        if (unlikely(current->audit_context))
+        if (unlikely(current->audit_context)) {
-                audit_syscall_entry(current, audit_arch(), regs->orig_rax,
+                if (test_thread_flag(TIF_IA32)) {
-                                    regs->rdi, regs->rsi,
+                        audit_syscall_entry(current, AUDIT_ARCH_I386,
-                                    regs->rdx, regs->r10);
+                                            regs->orig_rax,
+                                            regs->rbx, regs->rcx,
+                                            regs->rdx, regs->rsi);
+                } else {
+                        audit_syscall_entry(current, AUDIT_ARCH_X86_64,
+                                            regs->orig_rax,
+                                            regs->rdi, regs->rsi,
+                                            regs->rdx, regs->r10);
+                }
+        }
 }
 asmlinkage void syscall_trace_leave(struct pt_regs *regs)
author	David Woodhouse <dwmw2@shinybook.infradead.org>	2005-05-03 09:11:02 -0400
committer	David Woodhouse <dwmw2@shinybook.infradead.org>	2005-05-03 09:11:02 -0400
commit	488f2eaca1b0831a5a5e6a66e33bad2cdeff7238 (patch)
tree	a7d9c0e8722194ca92602ad0d5982fbb1e9e9d8e
parent	0dd8e06bdaa0a97e706ee1a489a1f6176c4ddc64 (diff)

diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c index 19eba9aaedd1..e26e86bb56fe 100644 --- a/arch/x86_64/kernel/ptrace.c +++ b/arch/x86_64/kernel/ptrace.c
@@ -630,8 +630,6 @@ static void syscall_trace(struct pt_regs *regs)
630	}	630	}
631	}	631	}
632		632
633	#define audit_arch() (test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
634
635	asmlinkage void syscall_trace_enter(struct pt_regs *regs)	633	asmlinkage void syscall_trace_enter(struct pt_regs *regs)
636	{	634	{
637	/* do the secure computing check first */	635	/* do the secure computing check first */
@@ -641,11 +639,19 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
641	&& (current->ptrace & PT_PTRACED))	639	&& (current->ptrace & PT_PTRACED))
642	syscall_trace(regs);	640	syscall_trace(regs);
643		641
644	if (unlikely(current->audit_context))	642	if (unlikely(current->audit_context)) {
645	audit_syscall_entry(current, audit_arch(), regs->orig_rax,	643	if (test_thread_flag(TIF_IA32)) {
646	regs->rdi, regs->rsi,	644	audit_syscall_entry(current, AUDIT_ARCH_I386,
647	regs->rdx, regs->r10);	645	regs->orig_rax,
648		646	regs->rbx, regs->rcx,
		647	regs->rdx, regs->rsi);
		648	} else {
		649	audit_syscall_entry(current, AUDIT_ARCH_X86_64,
		650	regs->orig_rax,
		651	regs->rdi, regs->rsi,
		652	regs->rdx, regs->r10);
		653	}
		654	}
649	}	655	}
650		656
651	asmlinkage void syscall_trace_leave(struct pt_regs *regs)	657	asmlinkage void syscall_trace_leave(struct pt_regs *regs)