Commit a9302e8439445710552886e7b623dbcfa943a1f2

Authored by 蔡正龙
Committed by Matt Turner
1 parent e7651b819e

alpha: Enable system-call auditing support.

Signed-off-by: Zhenglong.cai <zhenglong.cai@cs2c.com.cn>
Signed-off-by: Matt Turner <mattst88@gmail.com>

Showing 8 changed files with 81 additions and 2 deletions

... ... @@ -17,6 +17,7 @@
17 17 select ARCH_WANT_IPC_PARSE_VERSION
18 18 select ARCH_HAVE_NMI_SAFE_CMPXCHG
19 19 select ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE
  20 + select AUDIT_ARCH
20 21 select GENERIC_CLOCKEVENTS
21 22 select GENERIC_SMP_IDLE_THREAD
22 23 select GENERIC_STRNCPY_FROM_USER
... ... @@ -77,6 +78,8 @@
77 78 source "init/Kconfig"
78 79 source "kernel/Kconfig.freezer"
79 80  
  81 +config AUDIT_ARCH
  82 + bool
80 83  
81 84 menu "System setup"
82 85  
arch/alpha/include/asm/ptrace.h
... ... @@ -19,5 +19,10 @@
19 19  
20 20 #define force_successful_syscall_return() (current_pt_regs()->r0 = 0)
21 21  
  22 +static inline unsigned long regs_return_value(struct pt_regs *regs)
  23 +{
  24 + return regs->r0;
  25 +}
  26 +
22 27 #endif
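Review bot: regs_return_value() hands the audit code the raw r0, but the Alpha syscall convention reports failure through a3 (r19) with a positive errno in r0, so the generic success test derived from the return value may log failed syscalls as successful. Whether that happens depends on what the exit path has stored in the frame by the time syscall_trace_leave() runs, which is outside this hunk. If r0 is positive at that point, an arch override along the lines of `#define is_syscall_success(regs) (!(regs)->r19)` would be needed next to this helper; please confirm against entry.S. Either way, a one-line comment such as `/* r0 holds the syscall result; the error indication is in r19 (a3) */` would spare the next reader the same question.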
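--- a/arch/alpha/include/asm/thread_info.h
+++ b/arch/alpha/include/asm/thread_info.h
@@ -70,6 +70,7 @@
 #define TIF_NOTIFY_RESUME 1 /* callback before returning to user */
 #define TIF_SIGPENDING 2 /* signal pending */
 #define TIF_NEED_RESCHED 3 /* rescheduling necessary */
+#define TIF_SYSCALL_AUDIT 4 /* syscall audit active */
 #define TIF_DIE_IF_KERNEL 9 /* dik recursion lock */
 #define TIF_MEMDIE 13 /* is terminating due to OOM killer */
 
@@ -77,6 +78,7 @@
 #define _TIF_SIGPENDING (1<<TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED (1<<TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME (1<<TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
 
 /* Work to do on interrupt/exception return. */
 #define _TIF_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \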
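--- a/arch/alpha/kernel/Makefile
+++ b/arch/alpha/kernel/Makefile
@@ -17,6 +17,7 @@
 obj-$(CONFIG_MODULES) += module.o
 obj-$(CONFIG_PERF_EVENTS) += perf_event.o
 obj-$(CONFIG_RTC_DRV_ALPHA) += rtc.o
+obj-$(CONFIG_AUDIT) += audit.o
 
 ifdef CONFIG_ALPHA_GENERIC
 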
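--- a/arch/alpha/kernel/audit.c
+++ b/arch/alpha/kernel/audit.c
@@ -0,0 +1,60 @@
+#include <linux/init.h>
+#include <linux/types.h>
+#include <linux/audit.h>
+#include <asm/unistd.h>
+
+static unsigned dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+static unsigned chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
+int audit_classify_arch(int arch)
+{
+ return 0;
+}
+
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+ switch(syscall) {
+ case __NR_open:
+ return 2;
+ case __NR_openat:
+ return 3;
+ case __NR_execve:
+ return 5;
+ default:
+ return 0;
+ }
+}
+
+static int __init audit_classes_init(void)
+{
+ audit_register_class(AUDIT_CLASS_WRITE, write_class);
+ audit_register_class(AUDIT_CLASS_READ, read_class);
+ audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+ audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+ audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
+ return 0;
+}
+
+__initcall(audit_classes_init);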
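Review bot: audit_classify_syscall() returns the bare numbers 2, 3 and 5 and ignores `abi`, and nothing in the file says what those values mean to the caller. They look like the class codes the generic audit permission filter switches on for open, openat and execve, with 0 meaning no special handling; please confirm and state it above the function, e.g. `/* Codes used by the generic audit perm matching: 2 = open, 3 = openat, 5 = execve, 0 = other. */`. audit_classify_arch() deserves a similar line saying that Alpha has a single syscall ABI, which is presumably why it always returns 0. As style nits, `switch(syscall)` wants a space after `switch`, and the new file has no header comment describing its purpose.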
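--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -465,7 +465,11 @@
 .cfi_rel_offset $16, SP_OFF+24
 .cfi_rel_offset $17, SP_OFF+32
 .cfi_rel_offset $18, SP_OFF+40
- blbs $3, strace
+#ifdef CONFIG_AUDITSYSCALL
+ lda $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ and $3, $6, $3
+#endif
+ bne $3, strace
 beq $4, 1f
 ldq $27, 0($5)
 1: jsr $26, ($27), alpha_ni_syscall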
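Review bot: With CONFIG_AUDITSYSCALL unset, the `lda`/`and` mask is compiled out but the branch is still `bne $3, strace`, which fires on any non-zero bit in $3, whereas the removed `blbs` tested only bit 0. $3 is loaded outside this hunk; if it holds the whole thread-flags word, a task with a pending signal or reschedule flag would take the strace slow path on every syscall in a non-audit build. Keep the old test for that configuration by moving `bne $3, strace` inside the `#ifdef` and adding `#else` followed by `blbs $3, strace` before the `#endif`. A short comment noting that the mask overwrites $3 would also help anyone who later expects the full flags in that register.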
arch/alpha/kernel/ptrace.c
... ... @@ -14,6 +14,7 @@
14 14 #include <linux/security.h>
15 15 #include <linux/signal.h>
16 16 #include <linux/tracehook.h>
  17 +#include <linux/audit.h>
17 18  
18 19 #include <asm/uaccess.h>
19 20 #include <asm/pgtable.h>
20 21  
21 22  
... ... @@ -316,15 +317,18 @@
316 317 asmlinkage unsigned long syscall_trace_enter(void)
317 318 {
318 319 unsigned long ret = 0;
  320 + struct pt_regs *regs = current_pt_regs();
319 321 if (test_thread_flag(TIF_SYSCALL_TRACE) &&
320 322 tracehook_report_syscall_entry(current_pt_regs()))
321 323 ret = -1UL;
  324 + audit_syscall_entry(AUDIT_ARCH_ALPHA, regs->r0, regs->r16, regs->r17, regs->r18, regs->r19);
322 325 return ret ?: current_pt_regs()->r0;
323 326 }
324 327  
325 328 asmlinkage void
326 329 syscall_trace_leave(void)
327 330 {
  331 + audit_syscall_exit(current_pt_regs());
328 332 if (test_thread_flag(TIF_SYSCALL_TRACE))
329 333 tracehook_report_syscall_exit(current_pt_regs(), 0);
330 334 }
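Review bot: syscall_trace_enter() now caches `regs` but still calls current_pt_regs() for the tracehook call and for the return value, and the audit_syscall_entry() call is a single line well past 80 columns. Use the local throughout, `tracehook_report_syscall_entry(regs))` and `return ret ?: regs->r0;`, and wrap the audit arguments onto a second line. The ordering deserves a comment, for example `/* audit after the ptrace stop so the record shows the syscall number and arguments as the tracer left them */`, because the audit trail depends on it. It would also help to state that an entry record is emitted even when the tracer vetoes the call (ret = -1UL), presumably so that it pairs with the unconditional audit_syscall_exit() in syscall_trace_leave().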
... ... @@ -284,7 +284,7 @@
284 284  
285 285 config AUDITSYSCALL
286 286 bool "Enable system-call auditing support"
287   - depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
  287 + depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
288 288 default y if SECURITY_SELINUX
289 289 help
290 290 Enable low-overhead system-call auditing infrastructure that