author | <dwmw2@shinybook.infradead.org> | 2005-04-29 11:08:28 -0400 |
---|---|---|
committer | <dwmw2@shinybook.infradead.org> | 2005-04-29 11:08:28 -0400 |
commit | 2fd6f58ba6efc82ea2c9c2630f7ff5ed9eeaf34a (patch) | |
tree | 87cf236a78ad242ae01f1b71c289131e6d1c0662 /arch/x86_64 | |
parent | ea3834d9fb348fb1144ad3affea22df933eaf62e (diff) |
[AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls.
We were calling ptrace_notify() after auditing the syscall and arguments,
but the debugger could have _changed_ them before the syscall was actually
invoked. Reorder the calls to fix that.
While we're touching every call to audit_syscall_entry(), we also make it
take an extra argument: the architecture of the syscall which was made,
because some architectures allow more than one type of syscall.
Also add an explicit success/failure flag to audit_syscall_exit(), for
the benefit of architectures which return that in a condition register
rather than only returning a single register.
Change type of syscall return value to 'long' not 'int'.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'arch/x86_64')
-rw-r--r-- | arch/x86_64/kernel/ptrace.c | 13 |
1 files changed, 8 insertions, 5 deletions
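--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -629,25 +629,28 @@ static void syscall_trace(struct pt_regs *regs)
 }
 }
 
+#define audit_arch() (test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
+
 asmlinkage void syscall_trace_enter(struct pt_regs *regs)
 {
 /* do the secure computing check first */
 secure_computing(regs->orig_rax);
 
+if (test_thread_flag(TIF_SYSCALL_TRACE)
+&& (current->ptrace & PT_PTRACED))
+syscall_trace(regs);
+
 if (unlikely(current->audit_context))
-audit_syscall_entry(current, regs->orig_rax,
+audit_syscall_entry(current, audit_arch(), regs->orig_rax,
 regs->rdi, regs->rsi,
 regs->rdx, regs->r10);
 
-if (test_thread_flag(TIF_SYSCALL_TRACE)
-&& (current->ptrace & PT_PTRACED))
-syscall_trace(regs);
 }
 
 asmlinkage void syscall_trace_leave(struct pt_regs *regs)
 {
 if (unlikely(current->audit_context))
-audit_syscall_exit(current, regs->rax);
+audit_syscall_exit(current, AUDITSC_RESULT(regs->rax), regs->rax);
 
 if ((test_thread_flag(TIF_SYSCALL_TRACE)
 || test_thread_flag(TIF_SINGLESTEP))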
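Review bot: In syscall_trace_enter, `secure_computing(regs->orig_rax)` still runs before `syscall_trace(regs)`, so after this reordering audit records the registers as the tracer left them but the seccomp check has only seen the pre-ptrace syscall number. If that ordering is intentional it deserves a comment next to the existing one, for example `/* seccomp checks the syscall number as issued; a tracer may still rewrite orig_rax below, and only audit sees the final value */`. Separately, `audit_arch()` derives the logged architecture from the `TIF_IA32` thread flag rather than from the entry path that was taken; if a 64-bit task can reach this function through the 32-bit syscall entry (not visible in this hunk), the record would pair an i386 syscall number with `AUDIT_ARCH_X86_64`, so the macro should state that assumption or take the ABI from the caller. The body of syscall_trace_leave continues past the end of the hunk.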