Merge branch 'x86/auditsc' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland

* 'x86/auditsc' of git://git.kernel.org/pub/scm/linux/kernel/git/frob/linux-2.6-roland: i386 syscall audit fast-path x86_64 ia32 syscall audit fast-path x86_64 syscall audit fast-path x86_64: remove bogus optimization in sysret_signal
author: Linus Torvalds <torvalds@linux-foundation.org> 2008-07-23 23:39:21 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2008-07-23 23:39:21 -0400
commit: 338b9bb3adac0d2c5a1e180491d9b001d624c402 (patch)
tree: 1552739e19d1e2c41702a6cf1e4204e5f28a5722 /arch/x86/kernel
parent: 7f9dce38378f0a4a298e885553d6bb7121376376 (diff)
parent: af0575bba0f46dd9054d46e0a88c57afad3bf4d2 (diff)
2 files changed, 103 insertions, 7 deletions
diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index cdfd94cc6b14..109792bc7cfa 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -54,6 +54,16 @@
 #include <asm/ftrace.h>
 #include <asm/irq_vectors.h>
+/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
+#include <linux/elf-em.h>
+#define AUDIT_ARCH_I386         (EM_386|__AUDIT_ARCH_LE)
+#define __AUDIT_ARCH_LE    0x40000000
+#ifndef CONFIG_AUDITSYSCALL
+#define sysenter_audit  syscall_trace_entry
+#define sysexit_audit   syscall_exit_work
+#endif
 /*
 * We use macros for low-level operations which need to be overridden
 * for paravirtualization.  The following will never clobber any registers:
@@ -333,7 +343,8 @@ sysenter_past_esp:
        /* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */
        testw $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
-        jnz syscall_trace_entry
+        jnz sysenter_audit
+sysenter_do_call:
        cmpl $(nr_syscalls), %eax
        jae syscall_badsys
        call *sys_call_table(,%eax,4)
@@ -343,7 +354,8 @@ sysenter_past_esp:
        TRACE_IRQS_OFF
        movl TI_flags(%ebp), %ecx
        testw $_TIF_ALLWORK_MASK, %cx
-        jne syscall_exit_work
+        jne sysexit_audit
+sysenter_exit:
 /* if something modifies registers it must also disable sysexit */
        movl PT_EIP(%esp), %edx
        movl PT_OLDESP(%esp), %ecx
@@ -351,6 +363,45 @@ sysenter_past_esp:
        TRACE_IRQS_ON
 1:      mov  PT_FS(%esp), %fs
        ENABLE_INTERRUPTS_SYSEXIT
+#ifdef CONFIG_AUDITSYSCALL
+sysenter_audit:
+        testw $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
+        jnz syscall_trace_entry
+        addl $4,%esp
+        CFI_ADJUST_CFA_OFFSET -4
+        /* %esi already in 8(%esp)         6th arg: 4th syscall arg */
+        /* %edx already in 4(%esp)         5th arg: 3rd syscall arg */
+        /* %ecx already in 0(%esp)         4th arg: 2nd syscall arg */
+        movl %ebx,%ecx                  /* 3rd arg: 1st syscall arg */
+        movl %eax,%edx                  /* 2nd arg: syscall number */
+        movl $AUDIT_ARCH_I386,%eax      /* 1st arg: audit arch */
+        call audit_syscall_entry
+        pushl %ebx
+        CFI_ADJUST_CFA_OFFSET 4
+        movl PT_EAX(%esp),%eax          /* reload syscall number */
+        jmp sysenter_do_call
+sysexit_audit:
+        testw $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %cx
+        jne syscall_exit_work
+        TRACE_IRQS_ON
+        ENABLE_INTERRUPTS(CLBR_ANY)
+        movl %eax,%edx          /* second arg, syscall return value */
+        cmpl $0,%eax            /* is it < 0? */
+        setl %al                /* 1 if so, 0 if not */
+        movzbl %al,%eax         /* zero-extend that */
+        inc %eax /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
+        call audit_syscall_exit
+        DISABLE_INTERRUPTS(CLBR_ANY)
+        TRACE_IRQS_OFF
+        movl TI_flags(%ebp), %ecx
+        testw $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %cx
+        jne syscall_exit_work
+        movl PT_EAX(%esp),%eax  /* reload syscall return value */
+        jmp sysenter_exit
+#endif
        CFI_ENDPROC
 .pushsection .fixup,"ax"
 2:      movl $0,PT_FS(%esp)
diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index 8410e26f4183..89434d439605 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -53,6 +53,12 @@
 #include <asm/paravirt.h>
 #include <asm/ftrace.h>
+/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
+#include <linux/elf-em.h>
+#define AUDIT_ARCH_X86_64       (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define __AUDIT_ARCH_64BIT 0x80000000
+#define __AUDIT_ARCH_LE    0x40000000
        .code64
 #ifdef CONFIG_FTRACE
@@ -351,6 +357,7 @@ ENTRY(system_call_after_swapgs)
        GET_THREAD_INFO(%rcx)
        testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx)
        jnz tracesys
+system_call_fastpath:
        cmpq $__NR_syscall_max,%rax
        ja badsys
        movq %r10,%rcx
@@ -402,16 +409,16 @@ sysret_careful:
 sysret_signal:
        TRACE_IRQS_ON
        ENABLE_INTERRUPTS(CLBR_NONE)
-        testl $_TIF_DO_NOTIFY_MASK,%edx
+#ifdef CONFIG_AUDITSYSCALL
-        jz    1f
+        bt $TIF_SYSCALL_AUDIT,%edx
+        jc sysret_audit
-        /* Really a signal */
+#endif
        /* edx: work flags (arg3) */
        leaq do_notify_resume(%rip),%rax
        leaq -ARGOFFSET(%rsp),%rdi # &pt_regs -> arg1
        xorl %esi,%esi # oldset -> arg2
        call ptregscall_common
-1:      movl $_TIF_WORK_MASK,%edi
+        movl $_TIF_WORK_MASK,%edi
        /* Use IRET because user could have changed frame. This
           works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
        DISABLE_INTERRUPTS(CLBR_NONE)
@@ -422,8 +429,45 @@ badsys:
        movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
        jmp ret_from_sys_call
+#ifdef CONFIG_AUDITSYSCALL
+        /*
+         * Fast path for syscall audit without full syscall trace.
+         * We just call audit_syscall_entry() directly, and then
+         * jump back to the normal fast path.
+         */
+auditsys:
+        movq %r10,%r9                   /* 6th arg: 4th syscall arg */
+        movq %rdx,%r8                   /* 5th arg: 3rd syscall arg */
+        movq %rsi,%rcx                  /* 4th arg: 2nd syscall arg */
+        movq %rdi,%rdx                  /* 3rd arg: 1st syscall arg */
+        movq %rax,%rsi                  /* 2nd arg: syscall number */
+        movl $AUDIT_ARCH_X86_64,%edi    /* 1st arg: audit arch */
+        call audit_syscall_entry
+        LOAD_ARGS 0             /* reload call-clobbered registers */
+        jmp system_call_fastpath
+        /*
+         * Return fast path for syscall audit.  Call audit_syscall_exit()
+         * directly and then jump back to the fast path with TIF_SYSCALL_AUDIT
+         * masked off.
+         */
+sysret_audit:
+        movq %rax,%rsi          /* second arg, syscall return value */
+        cmpq $0,%rax            /* is it < 0? */
+        setl %al                /* 1 if so, 0 if not */
+        movzbl %al,%edi         /* zero-extend that into %edi */
+        inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
+        call audit_syscall_exit
+        movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
+        jmp sysret_check
+#endif  /* CONFIG_AUDITSYSCALL */
        /* Do syscall tracing */
 tracesys:                        
+#ifdef CONFIG_AUDITSYSCALL
+        testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%rcx)
+        jz auditsys
+#endif
        SAVE_REST
        movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
        FIXUP_TOP_OF_STACK %rdi
@@ -448,6 +492,7 @@ tracesys:
 * Has correct top of stack, but partial stack frame.
 */
        .globl int_ret_from_sys_call
+        .globl int_with_check
 int_ret_from_sys_call:
        DISABLE_INTERRUPTS(CLBR_NONE)
        TRACE_IRQS_OFF
author	Linus Torvalds <torvalds@linux-foundation.org>	2008-07-23 23:39:21 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2008-07-23 23:39:21 -0400
commit	338b9bb3adac0d2c5a1e180491d9b001d624c402 (patch)
tree	1552739e19d1e2c41702a6cf1e4204e5f28a5722 /arch/x86/kernel
parent	7f9dce38378f0a4a298e885553d6bb7121376376 (diff)
parent	af0575bba0f46dd9054d46e0a88c57afad3bf4d2 (diff)

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S index cdfd94cc6b14..109792bc7cfa 100644 --- a/arch/x86/kernel/entry_32.S +++ b/arch/x86/kernel/entry_32.S
@@ -54,6 +54,16 @@
54	#include <asm/ftrace.h>	54	#include <asm/ftrace.h>
55	#include <asm/irq_vectors.h>	55	#include <asm/irq_vectors.h>
56		56
		57	/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
		58	#include <linux/elf-em.h>
		59	#define AUDIT_ARCH_I386 (EM_386\|__AUDIT_ARCH_LE)
		60	#define __AUDIT_ARCH_LE 0x40000000
		61
		62	#ifndef CONFIG_AUDITSYSCALL
		63	#define sysenter_audit syscall_trace_entry
		64	#define sysexit_audit syscall_exit_work
		65	#endif
		66
57	/*	67	/*
58	* We use macros for low-level operations which need to be overridden	68	* We use macros for low-level operations which need to be overridden
59	* for paravirtualization. The following will never clobber any registers:	69	* for paravirtualization. The following will never clobber any registers:
@@ -333,7 +343,8 @@ sysenter_past_esp:
333		343
334	/* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */	344	/* Note, _TIF_SECCOMP is bit number 8, and so it needs testw and not testb */
335	testw $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)	345	testw $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%ebp)
336	jnz syscall_trace_entry	346	jnz sysenter_audit
		347	sysenter_do_call:
337	cmpl $(nr_syscalls), %eax	348	cmpl $(nr_syscalls), %eax
338	jae syscall_badsys	349	jae syscall_badsys
339	call *sys_call_table(,%eax,4)	350	call *sys_call_table(,%eax,4)
@@ -343,7 +354,8 @@ sysenter_past_esp:
343	TRACE_IRQS_OFF	354	TRACE_IRQS_OFF
344	movl TI_flags(%ebp), %ecx	355	movl TI_flags(%ebp), %ecx
345	testw $_TIF_ALLWORK_MASK, %cx	356	testw $_TIF_ALLWORK_MASK, %cx
346	jne syscall_exit_work	357	jne sysexit_audit
		358	sysenter_exit:
347	/* if something modifies registers it must also disable sysexit */	359	/* if something modifies registers it must also disable sysexit */
348	movl PT_EIP(%esp), %edx	360	movl PT_EIP(%esp), %edx
349	movl PT_OLDESP(%esp), %ecx	361	movl PT_OLDESP(%esp), %ecx
@@ -351,6 +363,45 @@ sysenter_past_esp:
351	TRACE_IRQS_ON	363	TRACE_IRQS_ON
352	1: mov PT_FS(%esp), %fs	364	1: mov PT_FS(%esp), %fs
353	ENABLE_INTERRUPTS_SYSEXIT	365	ENABLE_INTERRUPTS_SYSEXIT
		366
		367	#ifdef CONFIG_AUDITSYSCALL
		368	sysenter_audit:
		369	testw $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
		370	jnz syscall_trace_entry
		371	addl $4,%esp
		372	CFI_ADJUST_CFA_OFFSET -4
		373	/* %esi already in 8(%esp) 6th arg: 4th syscall arg */
		374	/* %edx already in 4(%esp) 5th arg: 3rd syscall arg */
		375	/* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */
		376	movl %ebx,%ecx /* 3rd arg: 1st syscall arg */
		377	movl %eax,%edx /* 2nd arg: syscall number */
		378	movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
		379	call audit_syscall_entry
		380	pushl %ebx
		381	CFI_ADJUST_CFA_OFFSET 4
		382	movl PT_EAX(%esp),%eax /* reload syscall number */
		383	jmp sysenter_do_call
		384
		385	sysexit_audit:
		386	testw $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %cx
		387	jne syscall_exit_work
		388	TRACE_IRQS_ON
		389	ENABLE_INTERRUPTS(CLBR_ANY)
		390	movl %eax,%edx /* second arg, syscall return value */
		391	cmpl $0,%eax /* is it < 0? */
		392	setl %al /* 1 if so, 0 if not */
		393	movzbl %al,%eax /* zero-extend that */
		394	inc %eax /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
		395	call audit_syscall_exit
		396	DISABLE_INTERRUPTS(CLBR_ANY)
		397	TRACE_IRQS_OFF
		398	movl TI_flags(%ebp), %ecx
		399	testw $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %cx
		400	jne syscall_exit_work
		401	movl PT_EAX(%esp),%eax /* reload syscall return value */
		402	jmp sysenter_exit
		403	#endif
		404
354	CFI_ENDPROC	405	CFI_ENDPROC
355	.pushsection .fixup,"ax"	406	.pushsection .fixup,"ax"
356	2: movl $0,PT_FS(%esp)	407	2: movl $0,PT_FS(%esp)


diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S index 8410e26f4183..89434d439605 100644 --- a/arch/x86/kernel/entry_64.S +++ b/arch/x86/kernel/entry_64.S
@@ -53,6 +53,12 @@
53	#include <asm/paravirt.h>	53	#include <asm/paravirt.h>
54	#include <asm/ftrace.h>	54	#include <asm/ftrace.h>
55		55
		56	/* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
		57	#include <linux/elf-em.h>
		58	#define AUDIT_ARCH_X86_64 (EM_X86_64\|__AUDIT_ARCH_64BIT\|__AUDIT_ARCH_LE)
		59	#define __AUDIT_ARCH_64BIT 0x80000000
		60	#define __AUDIT_ARCH_LE 0x40000000
		61
56	.code64	62	.code64
57		63
58	#ifdef CONFIG_FTRACE	64	#ifdef CONFIG_FTRACE
@@ -351,6 +357,7 @@ ENTRY(system_call_after_swapgs)
351	GET_THREAD_INFO(%rcx)	357	GET_THREAD_INFO(%rcx)
352	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx)	358	testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%rcx)
353	jnz tracesys	359	jnz tracesys
		360	system_call_fastpath:
354	cmpq $__NR_syscall_max,%rax	361	cmpq $__NR_syscall_max,%rax
355	ja badsys	362	ja badsys
356	movq %r10,%rcx	363	movq %r10,%rcx
@@ -402,16 +409,16 @@ sysret_careful:
402	sysret_signal:	409	sysret_signal:
403	TRACE_IRQS_ON	410	TRACE_IRQS_ON
404	ENABLE_INTERRUPTS(CLBR_NONE)	411	ENABLE_INTERRUPTS(CLBR_NONE)
405	testl $_TIF_DO_NOTIFY_MASK,%edx	412	#ifdef CONFIG_AUDITSYSCALL
406	jz 1f	413	bt $TIF_SYSCALL_AUDIT,%edx
407		414	jc sysret_audit
408	/* Really a signal */	415	#endif
409	/* edx: work flags (arg3) */	416	/* edx: work flags (arg3) */
410	leaq do_notify_resume(%rip),%rax	417	leaq do_notify_resume(%rip),%rax
411	leaq -ARGOFFSET(%rsp),%rdi # &pt_regs -> arg1	418	leaq -ARGOFFSET(%rsp),%rdi # &pt_regs -> arg1
412	xorl %esi,%esi # oldset -> arg2	419	xorl %esi,%esi # oldset -> arg2
413	call ptregscall_common	420	call ptregscall_common
414	1: movl $_TIF_WORK_MASK,%edi	421	movl $_TIF_WORK_MASK,%edi
415	/* Use IRET because user could have changed frame. This	422	/* Use IRET because user could have changed frame. This
416	works because ptregscall_common has called FIXUP_TOP_OF_STACK. */	423	works because ptregscall_common has called FIXUP_TOP_OF_STACK. */
417	DISABLE_INTERRUPTS(CLBR_NONE)	424	DISABLE_INTERRUPTS(CLBR_NONE)
@@ -422,8 +429,45 @@ badsys:
422	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)	429	movq $-ENOSYS,RAX-ARGOFFSET(%rsp)
423	jmp ret_from_sys_call	430	jmp ret_from_sys_call
424		431
		432	#ifdef CONFIG_AUDITSYSCALL
		433	/*
		434	* Fast path for syscall audit without full syscall trace.
		435	* We just call audit_syscall_entry() directly, and then
		436	* jump back to the normal fast path.
		437	*/
		438	auditsys:
		439	movq %r10,%r9 /* 6th arg: 4th syscall arg */
		440	movq %rdx,%r8 /* 5th arg: 3rd syscall arg */
		441	movq %rsi,%rcx /* 4th arg: 2nd syscall arg */
		442	movq %rdi,%rdx /* 3rd arg: 1st syscall arg */
		443	movq %rax,%rsi /* 2nd arg: syscall number */
		444	movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
		445	call audit_syscall_entry
		446	LOAD_ARGS 0 /* reload call-clobbered registers */
		447	jmp system_call_fastpath
		448
		449	/*
		450	* Return fast path for syscall audit. Call audit_syscall_exit()
		451	* directly and then jump back to the fast path with TIF_SYSCALL_AUDIT
		452	* masked off.
		453	*/
		454	sysret_audit:
		455	movq %rax,%rsi /* second arg, syscall return value */
		456	cmpq $0,%rax /* is it < 0? */
		457	setl %al /* 1 if so, 0 if not */
		458	movzbl %al,%edi /* zero-extend that into %edi */
		459	inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
		460	call audit_syscall_exit
		461	movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
		462	jmp sysret_check
		463	#endif /* CONFIG_AUDITSYSCALL */
		464
425	/* Do syscall tracing */	465	/* Do syscall tracing */
426	tracesys:	466	tracesys:
		467	#ifdef CONFIG_AUDITSYSCALL
		468	testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT),TI_flags(%rcx)
		469	jz auditsys
		470	#endif
427	SAVE_REST	471	SAVE_REST
428	movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */	472	movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
429	FIXUP_TOP_OF_STACK %rdi	473	FIXUP_TOP_OF_STACK %rdi
@@ -448,6 +492,7 @@ tracesys:
448	* Has correct top of stack, but partial stack frame.	492	* Has correct top of stack, but partial stack frame.
449	*/	493	*/
450	.globl int_ret_from_sys_call	494	.globl int_ret_from_sys_call
		495	.globl int_with_check
451	int_ret_from_sys_call:	496	int_ret_from_sys_call:
452	DISABLE_INTERRUPTS(CLBR_NONE)	497	DISABLE_INTERRUPTS(CLBR_NONE)
453	TRACE_IRQS_OFF	498	TRACE_IRQS_OFF