* [PATCH 0/4] arm64: Add audit support
@ 2013-11-06 10:25 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-06 10:25 UTC (permalink / raw)
  To: catalin.marinas, will.deacon, linux-arm-kernel, linux-audit
  Cc: AKASHI Takahiro, linaro-kernel, patches

This patchset adds audit support on arm64.
The implementation is just like in other architectures,
and so I think little explanation is needed.

I verified this patch with some commands on both 64-bit rootfs
and 32-bit rootfs (but only in little-endian):
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
What else?
(Thanks to Clayton for his cross-compiling patch)


I'd like to discuss the following issues:
(issues)
* AUDIT_ARCH_*
  Why do we need to distinguish big-endian and little-endian? [2/4]
* AArch32
  We need to add a check for identifying the endian in 32-bit tasks. [3/4]
* syscall no in AArch32
  Currently all the definitions are added in unistd32.h with
  "ifdef __AARCH32_AUDITSYSCALL" to use asm-generic/audit_*.h. [3/4]
  "ifdef" is necessary to avoid a conflict with 64-bit definitions.
  Do we need a more sophisticated way?
* TIF_AUDITSYSCALL
  Most architectures, except x86, do not check TIF_AUDITSYSCALL. Why not? [4/4]
* Userspace audit package
  There are some missing syscall definitions in lib/aarch64_table.h.
  There is no support for AUDIT_ARCH_ARM (I mean LE. armeb is BE).


AKASHI Takahiro (4):
  audit: Enable arm64 support
  arm64: Add audit support
  arm64: audit: Add AArch32 support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig                   |    3 +
 arch/arm64/include/asm/audit32.h     |   12 ++
 arch/arm64/include/asm/ptrace.h      |    5 +
 arch/arm64/include/asm/syscall.h     |   18 ++
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/include/asm/unistd32.h    |  387 ++++++++++++++++++++++++++++++++++
 arch/arm64/kernel/Makefile           |    4 +
 arch/arm64/kernel/audit.c            |   77 +++++++
 arch/arm64/kernel/audit32.c          |   46 ++++
 arch/arm64/kernel/entry.S            |    3 +
 arch/arm64/kernel/ptrace.c           |   12 ++
 include/uapi/linux/audit.h           |    2 +
 init/Kconfig                         |    2 +-
 13 files changed, 571 insertions(+), 1 deletion(-)
 create mode 100644 arch/arm64/include/asm/audit32.h
 create mode 100644 arch/arm64/kernel/audit.c
 create mode 100644 arch/arm64/kernel/audit32.c

-- 
1.7.9.5
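
The AUDIT_ARCH_* question raised in this cover letter matters when reading audit records: the arch token decides which syscall table a syscall number belongs to. The C program below is an added example, not code from the patch series; it decodes the token with the flag values quoted in patch 1/4 and resolves a few syscall numbers (AArch32 values as listed in patch 3/4; the AArch64 values 56 and 221 are taken from the generic syscall table). The record lines and helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits as quoted in patch 1/4 (include/uapi/linux/audit.h). */
#define ARCH_64BIT 0x80000000u  /* __AUDIT_ARCH_64BIT */
#define ARCH_LE    0x40000000u  /* __AUDIT_ARCH_LE */
/* ELF machine numbers. */
#define EM_ARM     40
#define EM_AARCH64 183

/* Name the AUDIT_ARCH_* token for the two ARM machines, or NULL. */
const char *arch_name(uint32_t arch)
{
    uint32_t em = arch & ~(ARCH_64BIT | ARCH_LE);
    int is64 = (arch & ARCH_64BIT) != 0;
    int le = (arch & ARCH_LE) != 0;

    if (em == EM_AARCH64 && is64)
        return le ? "AUDIT_ARCH_AARCH64" : "AUDIT_ARCH_AARCH64EB";
    if (em == EM_ARM && !is64)
        return le ? "AUDIT_ARCH_ARM" : "AUDIT_ARCH_ARMEB";
    return NULL;
}

/* The same syscall has a different number in each table. */
struct sys_entry { uint32_t machine; unsigned long nr; const char *name; };
static const struct sys_entry table[] = {
    { EM_AARCH64,  56, "openat" },
    { EM_AARCH64, 221, "execve" },
    { EM_ARM,       5, "open"   },
    { EM_ARM,     322, "openat" },
    { EM_ARM,      11, "execve" },
};

/* Find " key=" in a record and parse its value in the given base. */
static int get_field(const char *rec, const char *key, int base,
                     unsigned long *out)
{
    const char *p = strstr(rec, key);
    char *end;

    if (!p)
        return -1;
    p += strlen(key);
    *out = strtoul(p, &end, base);
    return end == p ? -1 : 0;
}

/* Resolve a SYSCALL record to a syscall name using arch AND number. */
const char *resolve_record(const char *rec)
{
    unsigned long arch, nr;
    uint32_t em;
    size_t i;

    /* arch= is hexadecimal, syscall= is decimal in audit records. */
    if (get_field(rec, " arch=", 16, &arch) ||
        get_field(rec, " syscall=", 10, &nr))
        return "malformed";
    if (!arch_name((uint32_t)arch))
        return "unknown-arch";
    em = (uint32_t)arch & ~(ARCH_64BIT | ARCH_LE);
    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (table[i].machine == em && table[i].nr == nr)
            return table[i].name;
    return "other";
}

/* Constructed sample records (not captured from a real system). */
static const char *const SAMPLES[] = {
    "type=SYSCALL msg=audit(1383733500.101:7): arch=c00000b7 syscall=56 success=yes exit=3",
    "type=SYSCALL msg=audit(1383733500.102:8): arch=40000028 syscall=322 success=yes exit=3",
    "type=SYSCALL msg=audit(1383733500.103:9): arch=40000028 syscall=11 success=yes exit=0",
    "type=SYSCALL msg=audit(1383733500.104:10): arch=c00000b7 syscall=11 success=yes exit=0",
    "type=SYSCALL msg=audit(1383733500.105:11): arch=c000003e syscall=59 success=yes exit=0",
    "type=SYSCALL msg=audit(1383733500.106:12): success=yes exit=0",
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(SAMPLES) / sizeof(SAMPLES[0]); i++)
        printf("%-12s <- %s\n", resolve_record(SAMPLES[i]), SAMPLES[i]);
    return 0;
}
```

Syscall number 11 is execve for a 32-bit task but not for a 64-bit one, so a rule or detection keyed on the number alone is ambiguous without the arch field.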

* [PATCH 1/4] audit: Enable arm64 support
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2013-11-06 10:25   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-06 10:25 UTC (permalink / raw)
  To: catalin.marinas, will.deacon, linux-arm-kernel, linux-audit
  Cc: AKASHI Takahiro, linaro-kernel, patches

---
 include/uapi/linux/audit.h |    2 ++
 init/Kconfig               |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 75cef3f..6f727c1 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -324,6 +324,8 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
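Review bot: Both macros added in this hunk are built from EM_AARCH64, which the hunk itself does not define. Because this is a uapi header, confirm that EM_AARCH64 is already exported by the ELF machine header that audit.h pulls in; otherwise userspace that includes linux/audit.h and uses AUDIT_ARCH_AARCH64 will not compile. The patch also carries no changelog text or Signed-off-by above the '---' line, which it needs before it can be applied.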
diff --git a/init/Kconfig b/init/Kconfig
index 3ecd8a1..2220401 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -284,7 +284,7 @@ config AUDIT
 
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+	depends on AUDIT && (X86 || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
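Review bot: Adding ARM64 to the AUDITSYSCALL "depends on" line in the first patch makes the option selectable before arm64 has AUDIT_ARCH, audit.c or the syscall-trace hook, which only arrive in 2/4 to 4/4. A kernel built at this commit with AUDITSYSCALL=y cannot audit syscalls correctly, which hurts bisection, so this line should move to the last patch of the series.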
-- 
1.7.9.5

* [PATCH 2/4] arm64: Add audit support
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2013-11-06 10:25   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-06 10:25 UTC (permalink / raw)
  To: catalin.marinas, will.deacon, linux-arm-kernel, linux-audit
  Cc: AKASHI Takahiro, linaro-kernel, patches

---
 arch/arm64/Kconfig               |    3 ++
 arch/arm64/include/asm/ptrace.h  |    5 ++++
 arch/arm64/include/asm/syscall.h |   18 ++++++++++++
 arch/arm64/kernel/Makefile       |    1 +
 arch/arm64/kernel/audit.c        |   59 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 86 insertions(+)
 create mode 100644 arch/arm64/kernel/audit.c

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index c044548..263c10b 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -46,6 +46,9 @@ config 64BIT
 config ARCH_PHYS_ADDR_T_64BIT
 	def_bool y
 
+config AUDIT_ARCH
+	def_bool y
+
 config MMU
 	def_bool y
 
diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0dacbbf..964f4f6 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -133,6 +133,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
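Review bot: regs_return_value() returns regs->regs[0] as a full 64-bit unsigned long regardless of the task type. For an AArch32 task (support is added in 3/4), check that a negative errno in the 32-bit return register is sign-extended before audit reads it; if it is not, a failed compat syscall would be read as a large positive value and could be recorded as a success. The regs argument could also be const.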
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 89c047f..03040ac 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,10 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <linux/sched.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -98,4 +101,19 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+static inline int syscall_get_arch(struct task_struct *task,
+                                   struct pt_regs *regs)
+{
+#ifdef CONFIG_COMPAT
+        if (is_compat_thread(task_thread_info(task)))
+                return AUDIT_ARCH_ARM; /* FIXME: big endian? */
+#endif
+
+#ifdef __AARCH64EB__
+        return AUDIT_ARCH_AARCH64EB;
+#else
+        return AUDIT_ARCH_AARCH64;
+#endif
+}
+
 #endif	/* __ASM_SYSCALL_H */
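Review bot: The compat branch of syscall_get_arch() always returns AUDIT_ARCH_ARM, and its own FIXME admits that big-endian is unhandled, while audit_classify_arch() in 3/4 also expects AUDIT_ARCH_ARMEB. Please resolve this before merging rather than leaving the FIXME, for example by choosing between AUDIT_ARCH_ARM and AUDIT_ARCH_ARMEB from the task's endianness or from the same __AARCH64EB__ test used for the native case. The added lines are also indented with spaces instead of tabs, and the regs parameter is unused.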
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index 7b4b564..3abab29 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -11,6 +11,7 @@ arm64-obj-y		:= cputable.o debug-monitors.o entry.o irq.o fpsimd.o	\
 			   sys.o stacktrace.o time.o traps.o io.o vdso.o	\
 			   hyp-stub.o psci.o
 
+arm64-obj-$(CONFIG_AUDIT)		+= audit.o
 arm64-obj-$(CONFIG_COMPAT)		+= sys32.o kuser32.o signal32.o 	\
 					   sys_compat.o
 arm64-obj-$(CONFIG_MODULES)		+= arm64ksyms.o module.o
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
new file mode 100644
index 0000000..9aab2b3
--- /dev/null
+++ b/arch/arm64/kernel/audit.c
@@ -0,0 +1,59 @@
+#include <linux/audit.h>
+#include <linux/init.h>
+#include <asm/unistd.h>
+
+static unsigned dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+static unsigned read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+static unsigned write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+static unsigned chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+static unsigned signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
+int audit_classify_arch(int arch)
+{
+	return 0; /* native */
+}
+
+/* AUTH_PERM support */
+int audit_classify_syscall(int abi, unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_openat:
+		return 3;
+	case __NR_execve:
+		return 5;
+	default:
+		return 0; /* native */
+	}
+}
+
+static int __init audit_classes_init(void)
+{
+	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
+	audit_register_class(AUDIT_CLASS_READ, read_class);
+	audit_register_class(AUDIT_CLASS_WRITE, write_class);
+	audit_register_class(AUDIT_CLASS_CHATTR, chattr_class);
+	audit_register_class(AUDIT_CLASS_SIGNAL, signal_class);
+
+	return 0;
+}
+
+__initcall(audit_classes_init);
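Review bot: audit_classify_syscall() returns the bare numbers 3 and 5 for __NR_openat and __NR_execve with no explanation, and the comment above it reads "AUTH_PERM support" where AUDIT_PERM is presumably meant. Please fix the comment and say what the return codes select. The new file also has no license or copyright header, and "switch(syscall)" needs a space after "switch" for kernel style.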
-- 
1.7.9.5

* [PATCH 3/4] arm64: audit: Add AArch32 support
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2013-11-06 10:25   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-06 10:25 UTC (permalink / raw)
  To: catalin.marinas, will.deacon, linux-arm-kernel, linux-audit
  Cc: AKASHI Takahiro, linaro-kernel, patches

---
 arch/arm64/include/asm/audit32.h  |   12 ++
 arch/arm64/include/asm/unistd32.h |  387 +++++++++++++++++++++++++++++++++++++
 arch/arm64/kernel/Makefile        |    3 +
 arch/arm64/kernel/audit.c         |   18 ++
 arch/arm64/kernel/audit32.c       |   46 +++++
 5 files changed, 466 insertions(+)
 create mode 100644 arch/arm64/include/asm/audit32.h
 create mode 100644 arch/arm64/kernel/audit32.c

diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h
new file mode 100644
index 0000000..debfe57
--- /dev/null
+++ b/arch/arm64/include/asm/audit32.h
@@ -0,0 +1,12 @@
+#ifndef __ASM_AUDIT32_H
+#define __ASM_AUDIT32_H
+
+extern unsigned aarch32_dir_class[];
+extern unsigned aarch32_read_class[];
+extern unsigned aarch32_write_class[];
+extern unsigned aarch32_chattr_class[];
+extern unsigned aarch32_signal_class[];
+
+extern int aarch32_classify_syscall(unsigned);
+
+#endif /* __ASM_AUDIT32_H */
diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
index 58125bf..fdf5e56 100644
--- a/arch/arm64/include/asm/unistd32.h
+++ b/arch/arm64/include/asm/unistd32.h
@@ -21,6 +21,393 @@
 #define __SYSCALL(x, y)
 #endif
 
+#ifdef __AARCH32_AUDITSYSCALL
+/*
+ * FIXME: Currenty only audit uses (part of) these definitions.
+ * See audit32.c
+ */
+#define __NR_restart_syscall 0
+#define __NR_exit 1
+#define __NR_fork 2
+#define __NR_read 3
+#define __NR_write 4
+#define __NR_open 5
+#define __NR_close 6
+/* 7 was waitpid */
+#define __NR_creat 8
+#define __NR_link 9
+#define __NR_unlink 10
+#define __NR_execve 11
+#define __NR_chdir 12
+/* #define __NR_ni_syscall 13 :time */
+#define __NR_mknod 14
+#define __NR_chmod 15
+#define __NR_lchown16 16
+/* 17 was break */
+/* 18 was stat */
+#define __NR_lseek 19
+#define __NR_getpid 20
+#define __NR_mount 21
+/* #define __NR_ni_syscall 22 :umount */
+#define __NR_setuid16 23
+#define __NR_getuid16 24
+/* #define __NR_ni_syscall 25 :stime */
+#define __NR_ptrace 26
+/* #define __NR_ni_syscall 27 :alarm */
+/* 28 was fstat */
+#define __NR_pause 29
+/* #define __NR_ni_syscall 30 :utime */
+/* 31 was stty */
+/* 32 was gtty */
+#define __NR_access 33
+#define __NR_nice 34
+/* 35 was ftime */
+#define __NR_sync 36
+#define __NR_kill 37
+#define __NR_rename 38
+#define __NR_mkdir 39
+#define __NR_rmdir 40
+#define __NR_dup 41
+#define __NR_pipe 42
+#define __NR_times 43
+/* 44 was prof */
+#define __NR_brk 45
+#define __NR_setgid16 46
+#define __NR_getgid16 47
+/* 48 was signal */
+#define __NR_geteuid16 49
+#define __NR_getegid16 50
+#define __NR_acct 51
+#define __NR_umount 52
+/* 53 was lock */
+#define __NR_ioctl 54
+#define __NR_fcntl 55
+/* 56 was mpx */
+#define __NR_setpgid 57
+/* 58 was ulimit */
+/* 59 was olduname */
+#define __NR_umask 60
+#define __NR_chroot 61
+#define __NR_ustat 62
+#define __NR_dup2 63
+#define __NR_getppid 64
+#define __NR_getpgrp 65
+#define __NR_setsid 66
+#define __NR_sigaction 67
+/* 68 was sgetmask */
+/* 69 was ssetmask */
+#define __NR_setreuid16 70
+#define __NR_setregid16 71
+#define __NR_sigsuspend 72
+#define __NR_sigpending 73
+#define __NR_sethostname 74
+#define __NR_setrlimit 75
+/* #define __NR_ni_syscall 76 :getrlimit */
+#define __NR_getrusage 77
+#define __NR_gettimeofday 78
+#define __NR_settimeofday 79
+#define __NR_getgroups16 80
+#define __NR_setgroups16 81
+/* #define __NR_ni_syscall 82 :select */
+#define __NR_symlink 83
+/* 84 was lstat */
+#define __NR_readlink 85
+#define __NR_uselib 86
+#define __NR_swapon 87
+#define __NR_reboot 88
+/* #define __NR_ni_syscall 89 :readdir */
+/* #define __NR_ni_syscall 90 :mmap */
+#define __NR_munmap 91
+#define __NR_truncate 92
+#define __NR_ftruncate 93
+#define __NR_fchmod 94
+#define __NR_fchown16 95
+#define __NR_getpriority 96
+#define __NR_setpriority 97
+/* 98 was profil */
+#define __NR_statfs 99
+#define __NR_fstatfs 100
+/* 101 was ioperm */
+/* 102 was socketcall */
+#define __NR_syslog 103
+#define __NR_setitimer 104
+#define __NR_getitimer 105
+#define __NR_newstat 106
+#define __NR_newlstat 107
+#define __NR_newfstat 108
+/* 109 was uname */
+/* 110 was iopl */
+#define __NR_vhangup 111
+/* 112 was idle */
+/* #define __NR_ni_syscall 113 :syscall */
+#define __NR_wait4 114
+#define __NR_swapoff 115
+#define __NR_sysinfo 116
+/* #define __NR_ni_syscall 117 :ipc */
+#define __NR_fsync 118
+#define __NR_sigreturn 119
+#define __NR_clone 120
+#define __NR_setdomainname 121
+#define __NR_newuname 122
+/* 123 was modify_ldt */
+#define __NR_adjtimex 124
+#define __NR_mprotect 125
+#define __NR_sigprocmask 126
+/* 127 was create_module */
+#define __NR_init_module 128
+#define __NR_delete_module 129
+/* 130 was get_kernel_syms */
+#define __NR_quotactl 131
+#define __NR_getpgid 132
+#define __NR_fchdir 133
+#define __NR_bdflush 134
+#define __NR_sysfs 135
+#define __NR_personality 136
+/* 137 was afs_syscall */
+#define __NR_setfsuid16 138
+#define __NR_setfsgid16 139
+#define __NR_llseek 140
+#define __NR_getdents 141
+#define __NR_select 142
+#define __NR_flock 143
+#define __NR_msync 144
+#define __NR_readv 145
+#define __NR_writev 146
+#define __NR_getsid 147
+#define __NR_fdatasync 148
+#define __NR_sysctl 149
+#define __NR_mlock 150
+#define __NR_munlock 151
+#define __NR_mlockall 152
+#define __NR_munlockall 153
+#define __NR_sched_setparam 154
+#define __NR_sched_getparam 155
+#define __NR_sched_setscheduler 156
+#define __NR_sched_getscheduler 157
+#define __NR_sched_yield 158
+#define __NR_sched_get_priority_max 159
+#define __NR_sched_get_priority_min 160
+#define __NR_sched_rr_get_interval 161
+#define __NR_nanosleep 162
+#define __NR_mremap 163
+#define __NR_setresuid16 164
+#define __NR_getresuid16 165
+/* 166 was vm86 */
+/* 167 was query_module */
+#define __NR_poll 168
+/* #define __NR_ni_syscall 169 :nfsservctl */
+#define __NR_setresgid16 170
+#define __NR_getresgid16 171
+#define __NR_prctl 172
+#define __NR_rt_sigreturn 173
+#define __NR_rt_sigaction 174
+#define __NR_rt_sigprocmask 175
+#define __NR_rt_sigpending 176
+#define __NR_rt_sigtimedwait 177
+#define __NR_rt_sigqueueinfo 178
+#define __NR_rt_sigsuspend 179
+#define __NR_pread64 180
+#define __NR_pwrite64 181
+#define __NR_chown16 182
+#define __NR_getcwd 183
+#define __NR_capget 184
+#define __NR_capset 185
+#define __NR_sigaltstack 186
+#define __NR_sendfile 187
+/* 188 reserved */
+/* 189 reserved */
+#define __NR_vfork 190
+#define __NR_getrlimit 191
+#define __NR_mmap_pgoff 192
+#define __NR_truncate64 193
+#define __NR_ftruncate64 194
+#define __NR_stat64 195
+#define __NR_lstat64 196
+#define __NR_fstat64 197
+#define __NR_lchown 198
+#define __NR_getuid 199
+#define __NR_getgid 200
+#define __NR_geteuid 201
+#define __NR_getegid 202
+#define __NR_setreuid 203
+#define __NR_setregid 204
+#define __NR_getgroups 205
+#define __NR_setgroups 206
+#define __NR_fchown 207
+#define __NR_setresuid 208
+#define __NR_getresuid 209
+#define __NR_setresgid 210
+#define __NR_getresgid 211
+#define __NR_chown 212
+#define __NR_setuid 213
+#define __NR_setgid 214
+#define __NR_setfsuid 215
+#define __NR_setfsgid 216
+#define __NR_getdents64 217
+#define __NR_pivot_root 218
+#define __NR_mincore 219
+#define __NR_madvise 220
+#define __NR_fcntl64 221
+/* 222 was tux */
+/* 223 reserved */
+#define __NR_gettid 224
+#define __NR_readahead 225
+#define __NR_setxattr 226
+#define __NR_lsetxattr 227
+#define __NR_fsetxattr 228
+#define __NR_getxattr 229
+#define __NR_lgetxattr 230
+#define __NR_fgetxattr 231
+#define __NR_listxattr 232
+#define __NR_llistxattr 233
+#define __NR_flistxattr 234
+#define __NR_removexattr 235
+#define __NR_lremovexattr 236
+#define __NR_fremovexattr 237
+#define __NR_tkill 238
+#define __NR_sendfile64 239
+#define __NR_futex 240
+#define __NR_sched_setaffinity 241
+#define __NR_sched_getaffinity 242
+#define __NR_io_setup 243
+#define __NR_io_destroy 244
+#define __NR_io_getevents 245
+#define __NR_io_submit 246
+#define __NR_io_cancel 247
+#define __NR_exit_group 248
+#define __NR_lookup_dcookie 249
+#define __NR_epoll_create 250
+#define __NR_epoll_ctl 251
+#define __NR_epoll_wait 252
+#define __NR_remap_file_pages 253
+/* 254 was set_thread_area */
+/* 255 was get_thread_area */
+#define __NR_set_tid_address 256
+#define __NR_timer_create 257
+#define __NR_timer_settime 258
+#define __NR_timer_gettime 259
+#define __NR_timer_getoverrun 260
+#define __NR_timer_delete 261
+#define __NR_clock_settime 262
+#define __NR_clock_gettime 263
+#define __NR_clock_getres 264
+#define __NR_clock_nanosleep 265
+#define __NR_statfs64 266
+#define __NR_fstatfs64 267
+#define __NR_tgkill 268
+#define __NR_utimes 269
+#define __NR_fadvise64_64 270
+#define __NR_pciconfig_iobase 271
+#define __NR_pciconfig_read 272
+#define __NR_pciconfig_write 273
+#define __NR_mq_open 274
+#define __NR_mq_unlink 275
+#define __NR_mq_timedsend 276
+#define __NR_mq_timedreceive 277
+#define __NR_mq_notify 278
+#define __NR_mq_getsetattr 279
+#define __NR_waitid 280
+#define __NR_socket 281
+#define __NR_bind 282
+#define __NR_connect 283
+#define __NR_listen 284
+#define __NR_accept 285
+#define __NR_getsockname 286
+#define __NR_getpeername 287
+#define __NR_socketpair 288
+#define __NR_send 289
+#define __NR_sendto 290
+#define __NR_recv 291
+#define __NR_recvfrom 292
+#define __NR_shutdown 293
+#define __NR_setsockopt 294
+#define __NR_getsockopt 295
+#define __NR_sendmsg 296
+#define __NR_recvmsg 297
+#define __NR_semop 298
+#define __NR_semget 299
+#define __NR_semctl 300
+#define __NR_msgsnd 301
+#define __NR_msgrcv 302
+#define __NR_msgget 303
+#define __NR_msgctl 304
+#define __NR_shmat 305
+#define __NR_shmdt 306
+#define __NR_shmget 307
+#define __NR_shmctl 308
+#define __NR_add_key 309
+#define __NR_request_key 310
+#define __NR_keyctl 311
+#define __NR_semtimedop 312
+/* #define __NR_ni_syscall 313 :vserver */
+#define __NR_ioprio_set 314
+#define __NR_ioprio_get 315
+#define __NR_inotify_init 316
+#define __NR_inotify_add_watch 317
+#define __NR_inotify_rm_watch 318
+#define __NR_mbind 319
+#define __NR_get_mempolicy 320
+#define __NR_set_mempolicy 321
+#define __NR_openat 322
+#define __NR_mkdirat 323
+#define __NR_mknodat 324
+#define __NR_fchownat 325
+#define __NR_futimesat 326
+#define __NR_fstatat64 327
+#define __NR_unlinkat 328
+#define __NR_renameat 329
+#define __NR_linkat 330
+#define __NR_symlinkat 331
+#define __NR_readlinkat 332
+#define __NR_fchmodat 333
+#define __NR_faccessat 334
+#define __NR_pselect6 335
+#define __NR_ppoll 336
+#define __NR_unshare 337
+#define __NR_set_robust_list 338
+#define __NR_get_robust_list 339
+#define __NR_splice 340
+#define __NR_sync_file_range2 341
+#define __NR_tee 342
+#define __NR_vmsplice 343
+#define __NR_move_pages 344
+#define __NR_getcpu 345
+#define __NR_epoll_pwait 346
+#define __NR_kexec_load 347
+#define __NR_utimensat 348
+#define __NR_signalfd 349
+#define __NR_timerfd_create 350
+#define __NR_eventfd 351
+#define __NR_fallocate 352
+#define __NR_timerfd_settime 353
+#define __NR_timerfd_gettime 354
+#define __NR_signalfd4 355
+#define __NR_eventfd2 356
+#define __NR_epoll_create1 357
+#define __NR_dup3 358
+#define __NR_pipe2 359
+#define __NR_inotify_init1 360
+#define __NR_preadv 361
+#define __NR_pwritev 362
+#define __NR_rt_tgsigqueueinfo 363
+#define __NR_perf_event_open 364
+#define __NR_recvmmsg 365
+#define __NR_accept4 366
+#define __NR_fanotify_init 367
+#define __NR_fanotify_mark 368
+#define __NR_prlimit64 369
+#define __NR_name_to_handle_at 370
+#define __NR_open_by_handle_at 371
+#define __NR_clock_adjtime 372
+#define __NR_syncfs 373
+#define __NR_sendmmsg 374
+#define __NR_setns 375
+#define __NR_process_vm_readv 376
+#define __NR_process_vm_writev 377
+/* 378 was kcmp */
+/* 389 was finit_module */
+#endif
+
 __SYSCALL(0,   sys_restart_syscall)
 __SYSCALL(1,   sys_exit)
 __SYSCALL(2,   sys_fork)
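Review bot: Several names in this added list (__NR_lchown16, __NR_chown16, __NR_newstat, __NR_llseek, __NR_mmap_pgoff) follow the kernel handler names rather than the usual __NR_ names. audit32.c builds its class arrays by including asm-generic/audit_*.h against this list, so any syscall whose name here differs from what those headers test for will drop out of the 32-bit audit class without a build error; please check each class header against these names. The list also duplicates the numbers in the __SYSCALL table below, so the two can drift, and the closing comments look wrong: "/* 389 was finit_module */" follows 378 in sequence, and "was" is the wording used above for retired numbers.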
diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile
index 3abab29..0286b91 100644
--- a/arch/arm64/kernel/Makefile
+++ b/arch/arm64/kernel/Makefile
@@ -12,6 +12,9 @@ arm64-obj-y		:= cputable.o debug-monitors.o entry.o irq.o fpsimd.o	\
 			   hyp-stub.o psci.o
 
 arm64-obj-$(CONFIG_AUDIT)		+= audit.o
+ifeq ($(CONFIG_COMPAT),y)
+arm64-obj-$(CONFIG_AUDIT)		+= audit32.o
+endif
 arm64-obj-$(CONFIG_COMPAT)		+= sys32.o kuser32.o signal32.o 	\
 					   sys_compat.o
 arm64-obj-$(CONFIG_MODULES)		+= arm64ksyms.o module.o
diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
index 9aab2b3..799eb55 100644
--- a/arch/arm64/kernel/audit.c
+++ b/arch/arm64/kernel/audit.c
@@ -1,5 +1,8 @@
 #include <linux/audit.h>
 #include <linux/init.h>
+#ifdef CONFIG_COMPAT
+#include <asm/audit32.h>
+#endif
 #include <asm/unistd.h>
 
 static unsigned dir_class[] = {
@@ -29,12 +32,20 @@ static unsigned signal_class[] = {
 
 int audit_classify_arch(int arch)
 {
+#ifdef CONFIG_COMPAT
+	if (arch == AUDIT_ARCH_ARM || arch == AUDIT_ARCH_ARMEB)
+		return 1; /* 32-bit on biarch */
+#endif
 	return 0; /* native */
 }
 
 /* AUTH_PERM support */
 int audit_classify_syscall(int abi, unsigned syscall)
 {
+#ifdef CONFIG_COMPAT
+	if (abi == AUDIT_ARCH_ARM || abi == AUDIT_ARCH_ARMEB)
+		return aarch32_classify_syscall(syscall);
+#endif
 	switch(syscall) {
 	case __NR_openat:
 		return 3;
@@ -47,6 +58,13 @@ int audit_classify_syscall(int abi, unsigned syscall)
 
 static int __init audit_classes_init(void)
 {
+#ifdef CONFIG_COMPAT
+	audit_register_class(AUDIT_CLASS_DIR_WRITE_32, aarch32_dir_class);
+	audit_register_class(AUDIT_CLASS_READ_32, aarch32_read_class);
+	audit_register_class(AUDIT_CLASS_WRITE_32, aarch32_write_class);
+	audit_register_class(AUDIT_CLASS_CHATTR_32, aarch32_chattr_class);
+	audit_register_class(AUDIT_CLASS_SIGNAL_32, aarch32_signal_class);
+#endif
 	audit_register_class(AUDIT_CLASS_DIR_WRITE, dir_class);
 	audit_register_class(AUDIT_CLASS_READ, read_class);
 	audit_register_class(AUDIT_CLASS_WRITE, write_class);
diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c
new file mode 100644
index 0000000..2aa4d7d
--- /dev/null
+++ b/arch/arm64/kernel/audit32.c
@@ -0,0 +1,46 @@
+#define __AARCH32_AUDITSYSCALL
+#include <asm/unistd32.h>
+
+unsigned aarch32_dir_class[] = {
+#include <asm-generic/audit_dir_write.h>
+~0U
+};
+
+unsigned aarch32_read_class[] = {
+#include <asm-generic/audit_read.h>
+~0U
+};
+
+unsigned aarch32_write_class[] = {
+#include <asm-generic/audit_write.h>
+~0U
+};
+
+unsigned aarch32_chattr_class[] = {
+#include <asm-generic/audit_change_attr.h>
+~0U
+};
+
+unsigned aarch32_signal_class[] = {
+#include <asm-generic/audit_signal.h>
+~0U
+};
+
+int aarch32_classify_syscall(unsigned syscall)
+{
+	switch(syscall) {
+	case __NR_open:
+		return 2;
+	case __NR_openat:
+		return 3;
+	/*
+	 * obsolute in EABI
+	 * case __NR_socketcall:
+	 *	return 4;
+	 */
+	case __NR_execve:
+		return 5;
+	default:
+		return 1; /* 32-bit on biarch */
+	}
+}
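Review bot: audit32.c defines the aarch32_*_class[] arrays and aarch32_classify_syscall() without including <asm/audit32.h>, so the compiler never checks these definitions against the extern declarations that audit.c relies on. Add the include. The new file also has no header comment explaining the "#define __AARCH32_AUDITSYSCALL" before <asm/unistd32.h>, the comment "obsolute in EABI" should read "obsolete", and "switch(syscall)" needs a space after the keyword.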
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH 4/4] arm64: audit: Add audit hook in ptrace/syscall_trace
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2013-11-06 10:25   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-06 10:25 UTC (permalink / raw)
  To: catalin.marinas, will.deacon, linux-arm-kernel, linux-audit
  Cc: AKASHI Takahiro, linaro-kernel, patches

---
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   12 ++++++++++++
 3 files changed, 16 insertions(+)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 23a3c47..782097a 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -107,6 +107,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 3881fd1..5bf1bdf 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -646,6 +646,9 @@ el0_svc_naked:					// compat entry point
 	get_thread_info tsk
 	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
 	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
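Review bot: the added "tbnz x16, #TIF_SYSCALL_AUDIT, __sys_trace" puts a second test-and-branch on the syscall fast path, directly after the TIF_SYSCALL_TRACE one and with the same target. Test x16 once against a combined mask of the syscall-work flags instead, which keeps the fast path at a single branch and needs no change here when another flag is added. The "auditing syscalls?" comment should also say that the audit case reuses the tracing slow path on purpose.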
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index fecdbf7..7cdfa76 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1066,6 +1068,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+#ifdef CONFIG_AUDITSYSCALL
+	if (dir)
+		audit_syscall_exit(regs);
+	else
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			regs->syscallno,
+			regs->regs[0], regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+#endif /* CONFIG_AUDITSYSCALL */
+
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
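Review bot: audit_syscall_entry() is called at the top of syscall_trace(), ahead of the TIF_SYSCALL_TRACE handling that follows, so the record is built from regs->syscallno and regs->regs[0..3] as they stand before any tracer stop. If a tracer rewrites the syscall number or arguments at that stop, the audit record no longer describes the call that actually runs. Move the entry hook after the tracer has run, and add a comment stating the intended ordering of the audit and trace hooks on both entry and exit.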
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH 0/4] arm64: Add audit support
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2013-11-08 14:34   ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2013-11-08 14:34 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linaro-kernel, patches, Catalin Marinas, eparis, linux-audit,
	linux-arm-kernel

On Wed, Nov 06, 2013 at 10:25:42AM +0000, AKASHI Takahiro wrote:
> This patchset adds audit support on arm64.
> The implementation is just like in other architectures,
> and so I think little explanation is needed.

That doesn't mean you can just omit the commit messages!

> I'd like to discuss about the following issues:
> (issues)
> * AUDIT_ARCH_*
>   Why do we need to distinguish big-endian and little-endian? [2/4]

We don't. This is only the case if the syscall ABIs differ between them (for
AArch32, people mistakenly thought __ARMEB__ was related to AEABI).

> * Userspace audit package
>   There are some missing syscall definitions in lib/aarch64_table.h.
>   There is no support for AUDIT_ARCH_ARM (I mean LE. armeb is BE).

I did post something over a year ago... did it not get picked up?

  http://permalink.gmane.org/gmane.linux.ports.arm.kernel/165266

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH 2/4] arm64: Add audit support
  2013-11-06 10:25   ` AKASHI Takahiro
@ 2013-11-08 14:43     ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2013-11-08 14:43 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linux-audit, linaro-kernel, linux-arm-kernel, patches

On Wed, Nov 06, 2013 at 10:25:44AM +0000, AKASHI Takahiro wrote:
> diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
> new file mode 100644
> index 0000000..9aab2b3
> --- /dev/null
> +++ b/arch/arm64/kernel/audit.c
> @@ -0,0 +1,59 @@
> +#include <linux/audit.h>
> +#include <linux/init.h>
> +#include <asm/unistd.h>
> +
> +static unsigned dir_class[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +static unsigned read_class[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +static unsigned write_class[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +static unsigned chattr_class[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +static unsigned signal_class[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};

This looks like a copy of lib/audit.c to me. Why can't we use that instead?

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH 3/4] arm64: audit: Add AArch32 support
  2013-11-06 10:25   ` AKASHI Takahiro
@ 2013-11-08 14:55     ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2013-11-08 14:55 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linux-audit, linaro-kernel, linux-arm-kernel, patches

On Wed, Nov 06, 2013 at 10:25:45AM +0000, AKASHI Takahiro wrote:
> ---
>  arch/arm64/include/asm/audit32.h  |   12 ++
>  arch/arm64/include/asm/unistd32.h |  387 +++++++++++++++++++++++++++++++++++++
>  arch/arm64/kernel/Makefile        |    3 +
>  arch/arm64/kernel/audit.c         |   18 ++
>  arch/arm64/kernel/audit32.c       |   46 +++++
>  5 files changed, 466 insertions(+)
>  create mode 100644 arch/arm64/include/asm/audit32.h
>  create mode 100644 arch/arm64/kernel/audit32.c
> 
> diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h
> new file mode 100644
> index 0000000..debfe57
> --- /dev/null
> +++ b/arch/arm64/include/asm/audit32.h
> @@ -0,0 +1,12 @@
> +#ifndef __ASM_AUDIT32_H
> +#define __ASM_AUDIT32_H
> +
> +extern unsigned aarch32_dir_class[];
> +extern unsigned aarch32_read_class[];
> +extern unsigned aarch32_write_class[];
> +extern unsigned aarch32_chattr_class[];
> +extern unsigned aarch32_signal_class[];
> +
> +extern int aarch32_classify_syscall(unsigned);
> +
> +#endif /* __ASM_AUDIT32_H */
> diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
> index 58125bf..fdf5e56 100644
> --- a/arch/arm64/include/asm/unistd32.h
> +++ b/arch/arm64/include/asm/unistd32.h
> @@ -21,6 +21,393 @@
>  #define __SYSCALL(x, y)
>  #endif
> 
> +#ifdef __AARCH32_AUDITSYSCALL
> +/*
> + * FIXME: Currenty only audit uses (part of) these definitions.
> + * See audit32.c
> + */
> +#define __NR_restart_syscall 0
> +#define __NR_exit 1
> +#define __NR_fork 2
> +#define __NR_read 3

Don't bother with this file. It's a needless replication of data already in
the file and you don't even need it all.

> diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c
> new file mode 100644
> index 0000000..2aa4d7d
> --- /dev/null
> +++ b/arch/arm64/kernel/audit32.c
> @@ -0,0 +1,46 @@
> +#define __AARCH32_AUDITSYSCALL
> +#include <asm/unistd32.h>
> +
> +unsigned aarch32_dir_class[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +unsigned aarch32_read_class[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +unsigned aarch32_write_class[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +unsigned aarch32_chattr_class[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +unsigned aarch32_signal_class[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};
> +
> +int aarch32_classify_syscall(unsigned syscall)
> +{
> +       switch(syscall) {
> +       case __NR_open:
> +               return 2;
> +       case __NR_openat:
> +               return 3;
> +       /*
> +        * obsolute in EABI
> +        * case __NR_socketcall:
> +        *      return 4;
> +        */
> +       case __NR_execve:
> +               return 5;
> +       default:
> +               return 1; /* 32-bit on biarch */
> +       }

Instead, just add __NR_compat_{open,openat,execve}, like we have done for
the signal-related syscalls.

Also, can't the generic lib/audit.c be reworked to work with compat too?

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread
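
Added example (not part of the patch or of any reply in this thread): a userspace C model of the biarch classification discussed above, keeping only the three compat numbers the reply suggests defining. The NR_COMPAT_* and CLS_* names are hypothetical; the AArch32 numbers come from the unistd32.h hunk, while the native numbers, the native execve case and AUDIT_ARCH_AARCH64 are assumptions taken from the generic syscall table, lib/audit.c and the current uapi audit header.

```c
/* Userspace model of biarch audit syscall classification. Not kernel code. */
#include <stdint.h>
#include <stdio.h>

/* AUDIT_ARCH_* values as in include/uapi/linux/audit.h: the ELF machine
 * number plus the 64-bit (0x80000000) and little-endian (0x40000000) flags. */
#define AUDIT_ARCH_AARCH64 0xC00000B7u /* EM_AARCH64 (183) | 64BIT | LE */
#define AUDIT_ARCH_ARM     0x40000028u /* EM_ARM (40) | LE */
#define AUDIT_ARCH_ARMEB   0x00000028u /* EM_ARM (40), big-endian */

/* Native arm64 numbers from the generic syscall table (assumption). */
#define NR_OPENAT 56u
#define NR_EXECVE 221u

/* AArch32 numbers as listed in the unistd32.h hunk of the patch.
 * Hypothetical names, modelled on the __NR_compat_* suggestion. */
#define NR_COMPAT_OPEN   5u
#define NR_COMPAT_EXECVE 11u
#define NR_COMPAT_OPENAT 322u

/* Return codes used by the patch (hypothetical enum names). */
enum { CLS_NATIVE = 0, CLS_COMPAT = 1, CLS_OPEN = 2, CLS_OPENAT = 3, CLS_EXECVE = 5 };

/* One place that decides whether an arch value names the 32-bit ABI. */
static int is_compat_arch(uint32_t arch)
{
	return arch == AUDIT_ARCH_ARM || arch == AUDIT_ARCH_ARMEB;
}

int classify_arch(uint32_t arch)
{
	return is_compat_arch(arch) ? CLS_COMPAT : CLS_NATIVE;
}

/* Native table only: what a classifier that ignores the ABI would do. */
int classify_native(unsigned nr)
{
	switch (nr) {
	case NR_OPENAT:
		return CLS_OPENAT;
	case NR_EXECVE:
		return CLS_EXECVE;
	default:
		return CLS_NATIVE;
	}
}

/* AArch32 table: only open, openat and execve need their own numbers. */
static int classify_compat(unsigned nr)
{
	switch (nr) {
	case NR_COMPAT_OPEN:
		return CLS_OPEN;
	case NR_COMPAT_OPENAT:
		return CLS_OPENAT;
	case NR_COMPAT_EXECVE:
		return CLS_EXECVE;
	default:
		return CLS_COMPAT;
	}
}

/* Dispatch on the ABI first; the same number means different calls. */
int classify_syscall(uint32_t abi, unsigned nr)
{
	return is_compat_arch(abi) ? classify_compat(nr) : classify_native(nr);
}

int main(void)
{
	/* Constructed sample events: (arch, syscall number). */
	static const struct { uint32_t arch; unsigned nr; } ev[] = {
		{ AUDIT_ARCH_ARM,     NR_COMPAT_EXECVE }, /* 32-bit execve */
		{ AUDIT_ARCH_AARCH64, NR_COMPAT_EXECVE }, /* same number, native ABI */
		{ AUDIT_ARCH_AARCH64, NR_EXECVE },        /* native execve */
		{ AUDIT_ARCH_ARM,     NR_EXECVE },        /* same number, 32-bit ABI */
		{ AUDIT_ARCH_ARMEB,   NR_COMPAT_OPENAT }, /* big-endian 32-bit openat */
	};
	for (size_t i = 0; i < sizeof(ev) / sizeof(ev[0]); i++)
		printf("arch=0x%08x nr=%3u -> with ABI: %d, ignoring ABI: %d\n",
		       (unsigned)ev[i].arch, ev[i].nr,
		       classify_syscall(ev[i].arch, ev[i].nr),
		       classify_native(ev[i].nr));
	return 0;
}
```

The second column of the output shows the failure mode: a 32-bit execve (number 11) run through the native table is reported as an ordinary call, so an exec-permission filter would not match it.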

* [PATCH 3/4] arm64: audit: Add AArch32 support
@ 2013-11-08 14:55     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2013-11-08 14:55 UTC (permalink / raw)
  To: linux-arm-kernel

On Wed, Nov 06, 2013 at 10:25:45AM +0000, AKASHI Takahiro wrote:
> ---
>  arch/arm64/include/asm/audit32.h  |   12 ++
>  arch/arm64/include/asm/unistd32.h |  387 +++++++++++++++++++++++++++++++++++++
>  arch/arm64/kernel/Makefile        |    3 +
>  arch/arm64/kernel/audit.c         |   18 ++
>  arch/arm64/kernel/audit32.c       |   46 +++++
>  5 files changed, 466 insertions(+)
>  create mode 100644 arch/arm64/include/asm/audit32.h
>  create mode 100644 arch/arm64/kernel/audit32.c
> 
> diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h
> new file mode 100644
> index 0000000..debfe57
> --- /dev/null
> +++ b/arch/arm64/include/asm/audit32.h
> @@ -0,0 +1,12 @@
> +#ifndef __ASM_AUDIT32_H
> +#define __ASM_AUDIT32_H
> +
> +extern unsigned aarch32_dir_class[];
> +extern unsigned aarch32_read_class[];
> +extern unsigned aarch32_write_class[];
> +extern unsigned aarch32_chattr_class[];
> +extern unsigned aarch32_signal_class[];
> +
> +extern int aarch32_classify_syscall(unsigned);
> +
> +#endif /* __ASM_AUDIT32_H */
> diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
> index 58125bf..fdf5e56 100644
> --- a/arch/arm64/include/asm/unistd32.h
> +++ b/arch/arm64/include/asm/unistd32.h
> @@ -21,6 +21,393 @@
>  #define __SYSCALL(x, y)
>  #endif
> 
> +#ifdef __AARCH32_AUDITSYSCALL
> +/*
> + * FIXME: Currenty only audit uses (part of) these definitions.
> + * See audit32.c
> + */
> +#define __NR_restart_syscall 0
> +#define __NR_exit 1
> +#define __NR_fork 2
> +#define __NR_read 3

Don't bother with this file. It's a needless replication of data already in
the file and you don't even need it all.

> diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c
> new file mode 100644
> index 0000000..2aa4d7d
> --- /dev/null
> +++ b/arch/arm64/kernel/audit32.c
> @@ -0,0 +1,46 @@
> +#define __AARCH32_AUDITSYSCALL
> +#include <asm/unistd32.h>
> +
> +unsigned aarch32_dir_class[] = {
> +#include <asm-generic/audit_dir_write.h>
> +~0U
> +};
> +
> +unsigned aarch32_read_class[] = {
> +#include <asm-generic/audit_read.h>
> +~0U
> +};
> +
> +unsigned aarch32_write_class[] = {
> +#include <asm-generic/audit_write.h>
> +~0U
> +};
> +
> +unsigned aarch32_chattr_class[] = {
> +#include <asm-generic/audit_change_attr.h>
> +~0U
> +};
> +
> +unsigned aarch32_signal_class[] = {
> +#include <asm-generic/audit_signal.h>
> +~0U
> +};
> +
> +int aarch32_classify_syscall(unsigned syscall)
> +{
> +       switch(syscall) {
> +       case __NR_open:
> +               return 2;
> +       case __NR_openat:
> +               return 3;
> +       /*
> +        * obsolute in EABI
> +        * case __NR_socketcall:
> +        *      return 4;
> +        */
> +       case __NR_execve:
> +               return 5;
> +       default:
> +               return 1; /* 32-bit on biarch */
> +       }
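
Review bot: in aarch32_classify_syscall(), the commented-out `case __NR_socketcall:` should be deleted rather than kept as dead code, and its comment misspells "obsolete" as `obsolute`; a one-line comment saying that class 4 is never returned because socketcall is not used under EABI would document the gap better. `switch(syscall)` also needs a space after `switch`, and the bare return values 2, 3 and 5 would be easier to check against the generic classifier if each carried a comment like the `/* 32-bit on biarch */` on the default case.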

Instead, just add __NR_compat_{open,openat,execve}, like we have done for
the signal-related syscalls.

Also, can't the generic lib/audit.c be reworked to work with compat too?

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH 0/4] arm64: Add audit support
  2013-11-08 14:34   ` Will Deacon
@ 2013-11-11  6:38     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-11  6:38 UTC (permalink / raw)
  To: Will Deacon
  Cc: linaro-kernel, patches, Catalin Marinas, eparis, linux-audit,
	linux-arm-kernel

On 11/08/2013 11:34 PM, Will Deacon wrote:
> On Wed, Nov 06, 2013 at 10:25:42AM +0000, AKASHI Takahiro wrote:
>> This patchset adds audit support on arm64.
>> The implementation is just like in other architectures,
>> and so I think little explanation is needed.
>
> That doesn't mean you can just omit the commit messages!

I will include some commit messages in the next version.

>> I'd like to discuss about the following issues:
>> (issues)
>> * AUDIT_ARCH_*
>>    Why do we need to distinguish big-endian and little-endian? [2/4]
>
> We don't. This is only the case if the syscall ABIs differ between them (for
> AArch32, people mistakenly thought __ARMEB__ was related to AEABI).

I guessed so, but ...

>> * Userspace audit package
>>    There are some missing syscall definitions in lib/aarch64_table.h.
>>    There is no support for AUDIT_ARCH_ARM (I mean LE. armeb is BE).
>
> I did post something over a year ago... did it not get picked up?
>
>    http://permalink.gmane.org/gmane.linux.ports.arm.kernel/165266

Sounds great, but the reality is that AUDIT_ARCH_ARMEB is still used
in the latest v2.3.2, and due to this, ausearch cannot pretty-print
the architecture name in the audit log for LE.

I will ask about this on the linux-audit ML.

-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH 2/4] arm64: Add audit support
  2013-11-08 14:43     ` Will Deacon
@ 2013-11-11  6:48       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-11  6:48 UTC (permalink / raw)
  To: Will Deacon
  Cc: Catalin Marinas, linux-audit, linaro-kernel, linux-arm-kernel, patches

On 11/08/2013 11:43 PM, Will Deacon wrote:
> On Wed, Nov 06, 2013 at 10:25:44AM +0000, AKASHI Takahiro wrote:
>> diff --git a/arch/arm64/kernel/audit.c b/arch/arm64/kernel/audit.c
>> new file mode 100644
>> index 0000000..9aab2b3
>> --- /dev/null
>> +++ b/arch/arm64/kernel/audit.c
>> @@ -0,0 +1,59 @@
>> +#include <linux/audit.h>
>> +#include <linux/init.h>
>> +#include <asm/unistd.h>
>> +
>> +static unsigned dir_class[] = {
>> +#include <asm-generic/audit_dir_write.h>
>> +~0U
>> +};
>> +
>> +static unsigned read_class[] = {
>> +#include <asm-generic/audit_read.h>
>> +~0U
>> +};
>> +
>> +static unsigned write_class[] = {
>> +#include <asm-generic/audit_write.h>
>> +~0U
>> +};
>> +
>> +static unsigned chattr_class[] = {
>> +#include <asm-generic/audit_change_attr.h>
>> +~0U
>> +};
>> +
>> +static unsigned signal_class[] = {
>> +#include <asm-generic/audit_signal.h>
>> +~0U
>> +};
>
> This looks like a copy of lib/audit.c to me. Why can't we use that instead?

As you might notice, we need to have copies both for aarch64 and aarch32
(compat system calls).

-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH 3/4] arm64: audit: Add AArch32 support
  2013-11-08 14:55     ` Will Deacon
@ 2013-11-11  7:40       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2013-11-11  7:40 UTC (permalink / raw)
  To: Will Deacon
  Cc: Catalin Marinas, linux-audit, linaro-kernel, linux-arm-kernel, patches

On 11/08/2013 11:55 PM, Will Deacon wrote:
> On Wed, Nov 06, 2013 at 10:25:45AM +0000, AKASHI Takahiro wrote:
>> ---
>>   arch/arm64/include/asm/audit32.h  |   12 ++
>>   arch/arm64/include/asm/unistd32.h |  387 +++++++++++++++++++++++++++++++++++++
>>   arch/arm64/kernel/Makefile        |    3 +
>>   arch/arm64/kernel/audit.c         |   18 ++
>>   arch/arm64/kernel/audit32.c       |   46 +++++
>>   5 files changed, 466 insertions(+)
>>   create mode 100644 arch/arm64/include/asm/audit32.h
>>   create mode 100644 arch/arm64/kernel/audit32.c
>>
>> diff --git a/arch/arm64/include/asm/audit32.h b/arch/arm64/include/asm/audit32.h
>> new file mode 100644
>> index 0000000..debfe57
>> --- /dev/null
>> +++ b/arch/arm64/include/asm/audit32.h
>> @@ -0,0 +1,12 @@
>> +#ifndef __ASM_AUDIT32_H
>> +#define __ASM_AUDIT32_H
>> +
>> +extern unsigned aarch32_dir_class[];
>> +extern unsigned aarch32_read_class[];
>> +extern unsigned aarch32_write_class[];
>> +extern unsigned aarch32_chattr_class[];
>> +extern unsigned aarch32_signal_class[];
>> +
>> +extern int aarch32_classify_syscall(unsigned);
>> +
>> +#endif /* __ASM_AUDIT32_H */
>> diff --git a/arch/arm64/include/asm/unistd32.h b/arch/arm64/include/asm/unistd32.h
>> index 58125bf..fdf5e56 100644
>> --- a/arch/arm64/include/asm/unistd32.h
>> +++ b/arch/arm64/include/asm/unistd32.h
>> @@ -21,6 +21,393 @@
>>   #define __SYSCALL(x, y)
>>   #endif
>>
>> +#ifdef __AARCH32_AUDITSYSCALL
>> +/*
>> + * FIXME: Currenty only audit uses (part of) these definitions.
>> + * See audit32.c
>> + */
>> +#define __NR_restart_syscall 0
>> +#define __NR_exit 1
>> +#define __NR_fork 2
>> +#define __NR_read 3
>
> Don't bother with this file. It's a needless replication of data already in
> the file and you don't even need it all.

Unfortunately, I need them not only for aarch32_classify_syscall(), but
also in asm-generic/audit_*.h. Actually, 47 of the __NR_xxx definitions
are referred to in those files.
The problem is that aarch64 and aarch32 have different system call
numbers, but there are no __NR_xxx definitions for aarch32 in
asm/unistd32.h.

>> diff --git a/arch/arm64/kernel/audit32.c b/arch/arm64/kernel/audit32.c
>> new file mode 100644
>> index 0000000..2aa4d7d
>> --- /dev/null
>> +++ b/arch/arm64/kernel/audit32.c
>> @@ -0,0 +1,46 @@
>> +#define __AARCH32_AUDITSYSCALL
>> +#include <asm/unistd32.h>
>> +
>> +unsigned aarch32_dir_class[] = {
>> +#include <asm-generic/audit_dir_write.h>
>> +~0U
>> +};
>> +
>> +unsigned aarch32_read_class[] = {
>> +#include <asm-generic/audit_read.h>
>> +~0U
>> +};
>> +
>> +unsigned aarch32_write_class[] = {
>> +#include <asm-generic/audit_write.h>
>> +~0U
>> +};
>> +
>> +unsigned aarch32_chattr_class[] = {
>> +#include <asm-generic/audit_change_attr.h>
>> +~0U
>> +};
>> +
>> +unsigned aarch32_signal_class[] = {
>> +#include <asm-generic/audit_signal.h>
>> +~0U
>> +};
>> +
>> +int aarch32_classify_syscall(unsigned syscall)
>> +{
>> +       switch(syscall) {
>> +       case __NR_open:
>> +               return 2;
>> +       case __NR_openat:
>> +               return 3;
>> +       /*
>> +        * obsolute in EABI
>> +        * case __NR_socketcall:
>> +        *      return 4;
>> +        */
>> +       case __NR_execve:
>> +               return 5;
>> +       default:
>> +               return 1; /* 32-bit on biarch */
>> +       }
>
> Instead, just add __NR_compat_{open,openat,execve}, like we have done for
> the signal-related syscalls.

As far as xxx_classify_syscall is concerned, it is possible to change
the code to use __NR_compat_..., but it is difficult to remove __NR_...
from unistd32.h because, as I mentioned above, asm-generic/audit_xxx.h
uses __NR_...

> Also, can't the generic lib/audit.c be reworked to work with compat too?

I hope so, but I don't think a rework is practical unless we have a
generic solution to this issue.
(In addition, other architectures already have their own
implementation.)

-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/6] arm64: Add audit support
  2013-11-06 10:25 ` AKASHI Takahiro
@ 2014-01-17  8:13   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM[EB]) and 64-bit tasks (AUDIT_ARCH_AARCH64[EB])
are supported, but presuming 32-LE on 64-LE or 32-BE on 64-BE.

There are some prerequisites for this patch to work correctly:
* "generic compat system call audit support" patch
* "correct a type mismatch in audit_syscall_exit()" patch
   (already accepted and queued in 3.14)
* "Modify a set of system calls in audit class" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

All of those have already been posted, or will soon be posted, separately.
Please review them as well for a better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".


AKASHI Takahiro (6):
  audit: Enable arm64 support
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add 32-bit (compat) syscall support
  arm64: audit: Add makefile rule to create unistd_32.h for compat
    syscalls
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Makefile                  |    4 ++++
 arch/arm64/include/asm/audit.h       |   20 ++++++++++++++++++++
 arch/arm64/include/asm/ptrace.h      |    5 +++++
 arch/arm64/include/asm/syscall.h     |   22 ++++++++++++++++++++++
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   12 ++++++++++++
 arch/arm64/kernel/syscalls/Makefile  |   20 ++++++++++++++++++++
 include/uapi/linux/audit.h           |    2 ++
 init/Kconfig                         |    2 +-
 10 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 arch/arm64/include/asm/audit.h
 create mode 100644 arch/arm64/kernel/syscalls/Makefile

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patch adds AUDIT_ARCH_* identifiers for arm64(AArch64), and
makes CONFIG_AUDITSYSCALL selectable.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 include/uapi/linux/audit.h |    2 ++
 init/Kconfig               |    2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 44b05a0..e39635b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,6 +327,8 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
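
Review bot: both new defines rely on `EM_AARCH64`, and nothing in this patch adds or includes its definition; since this is a uapi header, confirm that the constant is visible to userspace from the same place that supplies `EM_ARM` and `EM_ALPHA`, otherwise tools that include <linux/audit.h> and use the new names will fail to build. `AUDIT_ARCH_AARCH64EB` also reintroduces the endianness split that the v1 review questioned, so the commit message should say why it is wanted.
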
diff --git a/init/Kconfig b/init/Kconfig
index 79383d3..3aae602 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -284,7 +284,7 @@ config AUDIT
 
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
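
Review bot: the `depends on` line for AUDITSYSCALL, already long, gains one more `|| ARM64`, so every new architecture has to edit this same line in init/Kconfig. Consider a symbol that each architecture selects from its own Kconfig (a hypothetical name would be HAVE_ARCH_AUDITSYSCALL) and reduce this line to `depends on AUDIT` plus that symbol; that keeps arm64 enablement inside arch/arm64 and avoids merge conflicts here.
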
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 2/6] arm64: Add regs_return_value() in syscall.h
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This macro is used mainly for audit to record system call's results, but
may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
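
Review bot: the subject says the helper goes in syscall.h, but this hunk adds regs_return_value() to arch/arm64/include/asm/ptrace.h, and the commit message calls it a macro although it is a static inline function; please make the subject and message match the code. A one-line comment above the function saying that `regs->regs[0]` holds the system call's return value would also help readers who reach it from the audit code.
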
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 3/6] arm64: Add audit support
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

On AArch64, audit can be enabled with CONFIG_AUDIT_GENERIC.
Most audit features are implemented in a generic way. This patch
adds a small piece of architecture-dependent code.
syscall_get_arch(), which is used in seccomp, should just return
AUDIT_ARCH_*.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/syscall.h |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..3361fec 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <linux/sched.h>
 
 
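
Review bot: `#include <linux/sched.h>` is added here, but the syscall_get_arch() introduced by this patch never dereferences `task`, so nothing visible in this patch needs it; it is patch 4/6 that calls task_thread_info(). Move the include to the patch that uses it so each patch carries only its own dependencies.
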
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,14 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+#ifdef __AARCH64EB__
+	return AUDIT_ARCH_AARCH64EB;
+#else
+	return AUDIT_ARCH_AARCH64;
+#endif
+}
+
 #endif	/* __ASM_SYSCALL_H */
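
Review bot: syscall_get_arch() returns `int`, but `AUDIT_ARCH_AARCH64` has `__AUDIT_ARCH_64BIT` (0x80000000) set, so the value is negative when read as a signed int; add a comment that callers must treat it as a 32-bit pattern and compare it only against the `AUDIT_ARCH_*` constants. The big-endian choice also keys off the compiler's `__AARCH64EB__` rather than a Kconfig symbol, which deserves a word in the commit message.
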
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 4/6] arm64: audit: Add 32-bit (compat) syscall support
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

Generic audit code also supports compat system calls now.
This patch adds a small piece of architecture dependent code.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/audit.h   |   20 ++++++++++++++++++++
 arch/arm64/include/asm/syscall.h |   10 ++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 arch/arm64/include/asm/audit.h

diff --git a/arch/arm64/include/asm/audit.h b/arch/arm64/include/asm/audit.h
new file mode 100644
index 0000000..70eef50
--- /dev/null
+++ b/arch/arm64/include/asm/audit.h
@@ -0,0 +1,20 @@
+/*
+ * arch/arm64/include/asm/audit.h
+ *
+ * Copyright (C) 2013 Linaro Limited
+ * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef __ASM_AUDIT_H
+#define __ASM_AUDIT_H
+
+#include <linux/audit.h>
+
+#define audit_is_compat(arch) \
+		((arch == AUDIT_ARCH_ARM) || (arch == AUDIT_ARCH_ARMEB))
+
+#endif /* __ASM_AUDIT_H */
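
Review bot: `audit_is_compat(arch)` uses its argument twice without parentheses, as in `(arch == AUDIT_ARCH_ARM)`, so an expression argument such as `a | b` binds wrongly and an argument with side effects is evaluated twice. Write it as `((arch) == AUDIT_ARCH_ARM || (arch) == AUDIT_ARCH_ARMEB)` or, better, as a static inline function taking an int.
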
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 3361fec..d7660e9 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -19,6 +19,7 @@
 #include <linux/audit.h>
 #include <linux/err.h>
 #include <linux/sched.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task,
 static inline int syscall_get_arch(struct task_struct *task,
 				   struct pt_regs *regs)
 {
+#ifdef CONFIG_COMPAT
+	if (is_compat_thread(task_thread_info(task)))
+#ifdef __AARCH64EB__
+		return AUDIT_ARCH_ARMEB; /* only BE on BE */
+#else
+		return AUDIT_ARCH_ARM;
+#endif
+#endif
+
 #ifdef __AARCH64EB__
 	return AUDIT_ARCH_AARCH64EB;
 #else
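
Review bot: the `if (is_compat_thread(...))` has no braces and its body is chosen by a nested `#ifdef __AARCH64EB__`, all inside an outer `#ifdef CONFIG_COMPAT`, which makes it easy to break when a statement is added to one arm. Pick the native and compat AUDIT_ARCH_* values once with a single endianness #ifdef at the top of the header and keep the function body free of preprocessor conditionals. The "only BE on BE" comment should also be reworded so it covers the LE case.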
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread
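
What the value returned by syscall_get_arch() means to a consumer of audit records, as an added example (not code from this series): it decodes the `arch=` field and picks the syscall table, using the AUDIT_ARCH_* composition quoted from include/uapi/linux/audit.h in patch 1/6. The record lines are constructed, `parse_arch_field` and `syscall_table_for` are hypothetical names, and 56 and 322 are the openat numbers on AArch64 and on 32-bit ARM EABI.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF machine numbers and flag bits as used by include/uapi/linux/audit.h */
#define EM_ARM             40
#define EM_AARCH64         183
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u

#define AUDIT_ARCH_AARCH64   (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_AARCH64EB (EM_AARCH64 | __AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_ARM       (EM_ARM | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB     (EM_ARM)

/* Same test as the patch's audit_is_compat(), with the argument parenthesised. */
#define audit_is_compat(arch) \
	(((arch) == AUDIT_ARCH_ARM) || ((arch) == AUDIT_ARCH_ARMEB))

/*
 * Hypothetical helper: extract the arch=<hex> field from one record line.
 * Returns 0 and stores the value on success, -1 if the field is missing
 * or malformed. "arch=" must start the line or follow a space, so a field
 * such as "march=" is not mistaken for it.
 */
static int parse_arch_field(const char *line, uint32_t *arch)
{
	const char *p = line;
	char *end;
	unsigned long v;

	while ((p = strstr(p, "arch=")) != NULL) {
		if (p == line || p[-1] == ' ')
			break;
		p += 5;
	}
	if (p == NULL)
		return -1;
	p += 5;
	if (!isxdigit((unsigned char)*p))
		return -1;
	v = strtoul(p, &end, 16);
	if ((*end != ' ' && *end != '\0') || v > 0xffffffffUL)
		return -1;
	*arch = (uint32_t)v;
	return 0;
}

/*
 * Hypothetical helper: name the syscall table a number must be looked up in.
 * The machine number and the 64-bit flag have to agree, otherwise the value
 * is not one of the four this series can emit.
 */
static const char *syscall_table_for(uint32_t arch)
{
	int is64 = (arch & __AUDIT_ARCH_64BIT) != 0;

	switch (arch & ~(__AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)) {
	case EM_AARCH64:
		return is64 ? "aarch64" : "unknown";
	case EM_ARM:
		return is64 ? "unknown" : "arm";
	default:
		return "unknown";
	}
}

int main(void)
{
	/* Constructed records: the same openat() from a 64-bit and a compat task. */
	static const char *records[] = {
		"type=SYSCALL msg=audit(1390000000.000:10): arch=c00000b7 syscall=56 success=yes",
		"type=SYSCALL msg=audit(1390000000.000:11): arch=40000028 syscall=322 success=yes",
	};
	size_t i;

	for (i = 0; i < sizeof(records) / sizeof(records[0]); i++) {
		uint32_t arch;

		if (parse_arch_field(records[i], &arch) != 0)
			continue;
		printf("arch=%08x table=%s compat=%d\n", (unsigned)arch,
		       syscall_table_for(arch), audit_is_compat(arch));
	}
	return 0;
}
```

A rule or parser that matches on the syscall number alone would treat 56 and 322 as unrelated calls; the arch value is what ties both to openat.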

* [PATCH v2 5/6] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

Generic compat syscall audit (lib/compat_audit.c) requires unistd_32.h
for __NR_xyx compat syscall numbers. This is a different file from unistd32.h
on arm64 and so it must be generated from unistd32.h.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Makefile                 |    4 ++++
 arch/arm64/kernel/syscalls/Makefile |   20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 arch/arm64/kernel/syscalls/Makefile

diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
index 2fceb71..6d24f92 100644
--- a/arch/arm64/Makefile
+++ b/arch/arm64/Makefile
@@ -72,6 +72,10 @@ PHONY += vdso_install
 vdso_install:
 	$(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
 
+# Compat syscall header generation
+archheaders:
+	$(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
+
 # We use MRPROPER_FILES and CLEAN_FILES now
 archclean:
 	$(Q)$(MAKE) $(clean)=$(boot)
diff --git a/arch/arm64/kernel/syscalls/Makefile b/arch/arm64/kernel/syscalls/Makefile
new file mode 100644
index 0000000..7661113
--- /dev/null
+++ b/arch/arm64/kernel/syscalls/Makefile
@@ -0,0 +1,20 @@
+out := $(obj)/../../include/generated/asm
+
+# Create output directory if not already present
+_dummy := $(shell [ -d '$(out)' ] || mkdir -p '$(out)')
+
+syshdr-$(CONFIG_COMPAT)		+= unistd_32.h
+
+targets	+= $(syshdr-y)
+
+quiet_cmd_syshdr = SYSHDR $@
+	cmd_syshdr = cat $< | sed -r \
+	-e 's/compat_//' \
+	-e 's/_wrapper//' \
+	-e 's/^__SYSCALL\((.*),[ ]*sys_([^)].*)\).*/\#define __NR_\2 \1/p;d' \
+	| grep -v __NR_ni_syscall > $@
+
+archheaders: $(addprefix $(out)/,$(syshdr-y))
+
+$(out)/unistd_32.h: $(src)/../../include/asm/unistd32.h
+	$(call if_changed,syshdr)
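
Review bot: in cmd_syshdr the `s/compat_//` and `s/_wrapper//` expressions are unanchored and run on every input line before the `__SYSCALL(...)` match, so they remove the first occurrence of those substrings wherever it sits, including inside a name that merely contains them. Anchor them to the function-name position by folding them into the main expression, for example by matching an optional `compat_` before `sys_` and an optional `_wrapper` before the closing parenthesis. The generated unistd_32.h also has no include guard, and `cat $< | sed` can be `sed ... $<`.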
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 6/6] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-01-17  8:13     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-17  8:13 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   12 ++++++++++++
 3 files changed, 16 insertions(+)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..7468388 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 4d2c6f3..5bb2c26 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,6 +631,9 @@ el0_svc_naked:					// compat entry point
 	get_thread_info tsk
 	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
 	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
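
Review bot: the audit check is a second `tbnz` on x16 right after the TIF_SYSCALL_TRACE one, so every syscall now pays two test-and-branch instructions on the fast path when CONFIG_AUDITSYSCALL is set. Define one mask that covers both flags and test x16 against it once before branching to __sys_trace; that also leaves room for further syscall-work flags without adding another branch each time.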
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6777a21..2ca169b 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1064,6 +1066,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+#ifdef CONFIG_AUDITSYSCALL
+	if (dir)
+		audit_syscall_exit(regs);
+	else
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+#endif /* CONFIG_AUDITSYSCALL */
+
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
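
Review bot: audit_syscall_entry() is called at the top of syscall_trace(), before the TIF_SYSCALL_TRACE handling that follows, so the audit record is built from the registers as they were before a ptrace tracer gets its entry stop. A tracer that changes regs->syscallno or the argument registers at that stop leaves the audit log describing a call other than the one that runs. Call the entry hook after the tracer has been notified (and keep the exit hook before the tracer's exit stop), and state the intended ordering in a comment. The `(int)regs->syscallno` cast could also use a short comment on why truncation is safe.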
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 4/6] arm64: audit: Add 32-bit (compat) syscall support
  2014-01-17  8:13     ` AKASHI Takahiro
  (?)
@ 2014-01-17 16:46       ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-01-17 16:46 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

Hi Akashi,

On Fri, Jan 17, 2014 at 08:13:17AM +0000, AKASHI Takahiro wrote:
> Generic audit code also supports compat system calls now.
> This patch adds a small piece of architecture dependent code.

[...]

>  static inline int syscall_get_nr(struct task_struct *task,
> @@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task,
>  static inline int syscall_get_arch(struct task_struct *task,
>  				   struct pt_regs *regs)
>  {
> +#ifdef CONFIG_COMPAT
> +	if (is_compat_thread(task_thread_info(task)))

You can call is_compat_thread even when !CONFIG_COMPAT, so you don't need
that #ifdef.

> +#ifdef __AARCH64EB__
> +		return AUDIT_ARCH_ARMEB; /* only BE on BE */

Well, actually, we only support userspace to be the same endianness as the
kernel, so that comment is slightly misleading. You could probably avoid
these repeated ifdefs by defining things like ARM64_AUDIT_ARCH and
ARM64_COMPAT_AUDIT_ARCH once depending on endianness.

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 0/6] arm64: Add audit support
  2014-01-17  8:13   ` AKASHI Takahiro
  (?)
@ 2014-01-17 19:44     ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-01-17 19:44 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, catalin.marinas, will.deacon, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	patches

On 14/01/17, AKASHI Takahiro wrote:
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM[EB]) and 64-bit tasks (AUDIT_ARCH_AARCH64[EB])
> are supported, but presuming 32-LE on 64-LE or 32-BE on 64-BE.
> 
> There are some prerequisites for this patch to work correctly:
> * "generic compat system call audit support" patch
> * "correct a type mismatch in audit_syscall_exit()" patch
>    (already accepted and queued in 3.14)
> * "Modify a set of system calls in audit class" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)
> 
> All those were already or will be soon posted separately.
> Please review them as well for better understanding.
> 
> This code was tested on both 32-bit and 64-bit LE userland 
> in the following two ways:
> 1) basic operations with auditctl/autrace
>   # auditctl -a exit,always -S openat -F path=/etc/inittab
>   # auditctl -a exit,always -F dir=/tmp -F perm=rw
>   # auditctl -a task,always
>   # autrace /bin/ls
>     by comparing output from autrace with one from strace
> 
> 2) audit-test-code (+ my workarounds for arm/arm64)
>   by running "audit-tool", "filter" and "syscalls" test categories.
> 
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>   Please note that a required header, unistd_32.h, is automatically
>   generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>   system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>   which was not intentionally included in v1 because it could be added
>   by "kprobes support".
> 
> 
> AKASHI Takahiro (6):
>   audit: Enable arm64 support
>   arm64: Add regs_return_value() in syscall.h
>   arm64: Add audit support
>   arm64: audit: Add 32-bit (compat) syscall support
>   arm64: audit: Add makefile rule to create unistd_32.h for compat
>     syscalls
>   arm64: audit: Add audit hook in ptrace/syscall_trace
> 
>  arch/arm64/Makefile                  |    4 ++++
>  arch/arm64/include/asm/audit.h       |   20 ++++++++++++++++++++
>  arch/arm64/include/asm/ptrace.h      |    5 +++++
>  arch/arm64/include/asm/syscall.h     |   22 ++++++++++++++++++++++
>  arch/arm64/include/asm/thread_info.h |    1 +
>  arch/arm64/kernel/entry.S            |    3 +++
>  arch/arm64/kernel/ptrace.c           |   12 ++++++++++++
>  arch/arm64/kernel/syscalls/Makefile  |   20 ++++++++++++++++++++
>  include/uapi/linux/audit.h           |    2 ++
>  init/Kconfig                         |    2 +-
>  10 files changed, 90 insertions(+), 1 deletion(-)
>  create mode 100644 arch/arm64/include/asm/audit.h
>  create mode 100644 arch/arm64/kernel/syscalls/Makefile
> 
> -- 
> 1.7.9.5

Set:
Acked-by: Richard Guy Briggs <rgb@redhat.com>

> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 4/6] arm64: audit: Add 32-bit (compat) syscall support
  2014-01-17 16:46       ` Will Deacon
  (?)
@ 2014-01-20  5:23         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-20  5:23 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On 01/18/2014 01:46 AM, Will Deacon wrote:
> Hi Akashi,
>
> On Fri, Jan 17, 2014 at 08:13:17AM +0000, AKASHI Takahiro wrote:
>> Generic audit code also supports compat system calls now.
>> This patch adds a small piece of architecture dependent code.
>
> [...]
>
>>   static inline int syscall_get_nr(struct task_struct *task,
>> @@ -109,6 +110,15 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>   static inline int syscall_get_arch(struct task_struct *task,
>>   				   struct pt_regs *regs)
>>   {
>> +#ifdef CONFIG_COMPAT
>> +	if (is_compat_thread(task_thread_info(task)))
>
> You can call is_compat_thread even when !CONFIG_COMPAT, so you don't need
> that #ifdef.

Right. I will remove it.

>> +#ifdef __AARCH64EB__
>> +		return AUDIT_ARCH_ARMEB; /* only BE on BE */
>
> Well, actually, we only support userspace to be the same endianness as the
> kernel, so you that comment is slightly misleading. You could probably avoid
> these repeated ifdefs by defining things like ARM64_AUDIT_ARCH and
> ARM64_COMPAT_AUDIT_ARCH once depending on endianness.

As in the discussions about "audit(userspace)", if we don't have to care
about endianness, I will remove this #ifdef instead.

Thanks,
-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-17  8:13     ` AKASHI Takahiro
  (?)
@ 2014-01-23 14:18       ` Catalin Marinas
  -1 siblings, 0 replies; 297+ messages in thread
From: Catalin Marinas @ 2014-01-23 14:18 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -327,6 +327,8 @@ enum {
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> +#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
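
Review bot: AUDIT_ARCH_AARCH64EB is a new constant in a uapi header, so it becomes ABI as soon as this lands, yet the cover letter and the 4/6 review both leave open whether big-endian needs its own value. Either state in the commit message what a consumer does differently on seeing the value without __AUDIT_ARCH_LE, or drop the second define until that is settled. The two added lines also rely on EM_AARCH64 being defined, which this hunk does not show.
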
> diff --git a/init/Kconfig b/init/Kconfig
> index 79383d3..3aae602 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -284,7 +284,7 @@ config AUDIT
>  
>  config AUDITSYSCALL
>  	bool "Enable system-call auditing support"
> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> +	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
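
Review bot: ARM64 is added to the "depends on" list with no qualifier, while the ARM entry next to it is limited to AEABI && !OABI_COMPAT. Since later patches in this series audit 32-bit (compat) syscalls on arm64 as well, the commit message should say why no equivalent restriction is needed here, so the next reader does not have to rediscover it.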

The usual comment for such changes: could you please clean this up and
just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?

-- 
Catalin

^ permalink raw reply	[flat|nested] 297+ messages in thread
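
An added example (not code from this patch series or from the audit project) showing how the AUDIT_ARCH_* values in the quoted audit.h hunk decode, and why a log consumer has to choose the syscall table from each record's arch field once compat tasks are audited. The record lines are constructed; the EM_* numbers and the short syscall-number excerpts are assumptions taken from the ELF machine numbers and the arm64 / 32-bit ARM EABI syscall tables, not from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF machine numbers (assumption: not shown in the thread). */
#define EM_ARM      40
#define EM_AARCH64  183

/* Flag bits and arch values as in the quoted include/uapi/linux/audit.h hunk. */
#define __AUDIT_ARCH_64BIT   0x80000000u
#define __AUDIT_ARCH_LE      0x40000000u
#define AUDIT_ARCH_AARCH64   (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_AARCH64EB (EM_AARCH64 | __AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_ARM       (EM_ARM | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARMEB     (EM_ARM)

struct arch_info {
	unsigned machine;	/* EM_* value left after masking the flag bits */
	int is_64bit;
	int is_le;
};

/* Split an audit arch value into machine number, word size and endianness. */
struct arch_info decode_arch(uint32_t arch)
{
	struct arch_info ai;

	ai.machine = arch & ~(__AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE);
	ai.is_64bit = (arch & __AUDIT_ARCH_64BIT) != 0;
	ai.is_le = (arch & __AUDIT_ARCH_LE) != 0;
	return ai;
}

struct sc { int nr; const char *name; };

/* Excerpts only (assumption): a few entries from each syscall table. */
static const struct sc aarch64_tbl[] = {
	{ 11, "listxattr" }, { 56, "openat" }, { 57, "close" }, { 221, "execve" },
};
static const struct sc arm_tbl[] = {
	{ 6, "close" }, { 11, "execve" }, { 322, "openat" },
};

/* Name a syscall number using the table that matches the record's arch. */
const char *syscall_name(uint32_t arch, int nr)
{
	struct arch_info ai = decode_arch(arch);
	const struct sc *tbl;
	size_t n, i;

	if (ai.machine == EM_AARCH64 && ai.is_64bit) {
		tbl = aarch64_tbl;
		n = sizeof(aarch64_tbl) / sizeof(aarch64_tbl[0]);
	} else if (ai.machine == EM_ARM && !ai.is_64bit) {
		tbl = arm_tbl;	/* compat (AArch32) task on an arm64 kernel */
		n = sizeof(arm_tbl) / sizeof(arm_tbl[0]);
	} else {
		return "unknown-arch";
	}
	for (i = 0; i < n; i++)
		if (tbl[i].nr == nr)
			return tbl[i].name;
	return "unknown-syscall";
}

/* Read the number that follows " key=" in a record; -1 if absent or empty. */
static int get_field(const char *rec, const char *key, int base,
		     unsigned long *out)
{
	const char *p = strstr(rec, key);
	char *end;

	if (!p)
		return -1;
	p += strlen(key);
	*out = strtoul(p, &end, base);
	return end == p ? -1 : 0;
}

/* Resolve a SYSCALL record to a syscall name; NULL if a field is missing. */
const char *resolve_record(const char *rec)
{
	unsigned long arch, nr;

	if (get_field(rec, " arch=", 16, &arch) ||
	    get_field(rec, " syscall=", 10, &nr))
		return NULL;
	return syscall_name((uint32_t)arch, (int)nr);
}

int main(void)
{
	/* Constructed records: the same syscall number under two arch values. */
	static const char *recs[] = {
		"type=SYSCALL msg=audit(0.000:1): arch=c00000b7 syscall=11 success=yes",
		"type=SYSCALL msg=audit(0.000:2): arch=40000028 syscall=11 success=yes",
		"type=SYSCALL msg=audit(0.000:3): arch=40000028 syscall=322 success=yes",
	};
	size_t i;

	for (i = 0; i < sizeof(recs) / sizeof(recs[0]); i++)
		printf("%s\n  -> %s\n", recs[i], resolve_record(recs[i]));
	return 0;
}
```

A filter or detection rule keyed on the syscall number alone would read the second record as listxattr, which is why the compat path has to report a different arch value from the native one.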

* Re: [PATCH v2 5/6] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
  2014-01-17  8:13     ` AKASHI Takahiro
  (?)
@ 2014-01-23 14:53       ` Catalin Marinas
  -1 siblings, 0 replies; 297+ messages in thread
From: Catalin Marinas @ 2014-01-23 14:53 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Fri, Jan 17, 2014 at 08:13:18AM +0000, AKASHI Takahiro wrote:
> generic compat syscall audit (lib/compat_audit.c) requires unistd_32.h
> for __NR_xyx compat syscall numbers. This is a different file from unistd32.h
> on arm64 and so it must be generated from unistd32.h.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/Makefile                 |    4 ++++
>  arch/arm64/kernel/syscalls/Makefile |   20 ++++++++++++++++++++
>  2 files changed, 24 insertions(+)
>  create mode 100644 arch/arm64/kernel/syscalls/Makefile
> 
> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
> index 2fceb71..6d24f92 100644
> --- a/arch/arm64/Makefile
> +++ b/arch/arm64/Makefile
> @@ -72,6 +72,10 @@ PHONY += vdso_install
>  vdso_install:
>  	$(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
>  
> +# Compat syscall header generation
> +archheaders:
> +	$(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
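
Review bot: the new archheaders rule sits right below a target that the context shows being registered with "PHONY += vdso_install", but archheaders gets no PHONY line in this hunk. Unless it is declared phony elsewhere, add "PHONY += archheaders" here so a stray file of that name cannot suppress the header generation. The commit message should also say which build step consumes the generated unistd_32.h.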

See my other post to the lib/compat_audit.c file. I think that's too
complex for what you need.

-- 
Catalin

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 6/6] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-01-17  8:13     ` AKASHI Takahiro
  (?)
@ 2014-01-23 14:56       ` Catalin Marinas
  -1 siblings, 0 replies; 297+ messages in thread
From: Catalin Marinas @ 2014-01-23 14:56 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Fri, Jan 17, 2014 at 08:13:19AM +0000, AKASHI Takahiro wrote:
> @@ -1064,6 +1066,16 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> +#ifdef CONFIG_AUDITSYSCALL
> +	if (dir)
> +		audit_syscall_exit(regs);
> +	else
> +		audit_syscall_entry(syscall_get_arch(current, regs),
> +			(int)regs->syscallno,
> +			regs->orig_x0, regs->regs[1],
> +			regs->regs[2], regs->regs[3]);
> +#endif /* CONFIG_AUDITSYSCALL */
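
Review bot: the audit calls are placed at the very top of syscall_trace(), before the rest of the function runs. If the code below lets a tracer change regs->syscallno or the argument registers, audit_syscall_entry() will have recorded the values from before that change and the log will not match the syscall that actually executes; consider calling audit_syscall_entry() after the tracer has been notified and audit_syscall_exit() before it. The first argument is also taken from regs->orig_x0 while the others come from regs->regs[1] to regs->regs[3]; a one-line comment saying why would help.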

It should work without the #ifdef as audit_syscall_exit/entry are dummy
static inline functions when !CONFIG_AUDITSYSCALL.

-- 
Catalin

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-23 14:18       ` Catalin Marinas
  (?)
@ 2014-01-27  5:12         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-27  5:12 UTC (permalink / raw)
  To: Catalin Marinas
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

[To audit maintainers]

On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -327,6 +327,8 @@ enum {
>>   /* distinguish syscall tables */
>>   #define __AUDIT_ARCH_64BIT 0x80000000
>>   #define __AUDIT_ARCH_LE	   0x40000000
>> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>> +#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
>>   #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARMEB	(EM_ARM)
>> diff --git a/init/Kconfig b/init/Kconfig
>> index 79383d3..3aae602 100644
>> --- a/init/Kconfig
>> +++ b/init/Kconfig
>> @@ -284,7 +284,7 @@ config AUDIT
>>
>>   config AUDITSYSCALL
>>   	bool "Enable system-call auditing support"
>> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
>> +	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
>
> The usual comment for such changes: could you please clean this up and
> just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?

Do you agree to this change?

If so, I can create a patch, but have some concerns:
1) I can't verify it on other architectures than (arm &) arm64.
2) Some architectures (microblaze, mips, openrisc) are not listed here, but
    their ptrace.c have a call to audit_syscall_entry/exit().
    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
So I'm afraid that the change might break someone's assumption.

Thanks,
-Takahiro AKASHI


^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 5/6] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
  2014-01-23 14:53       ` Catalin Marinas
  (?)
@ 2014-01-27  6:13         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-01-27  6:13 UTC (permalink / raw)
  To: Catalin Marinas
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

Catalin,

On 01/23/2014 11:53 PM, Catalin Marinas wrote:
> On Fri, Jan 17, 2014 at 08:13:18AM +0000, AKASHI Takahiro wrote:
>> generic compat syscall audit (lib/compat_audit.c) requires unistd_32.h
>> for __NR_xyx compat syscall numbers. This is a different file from unistd32.h
>> on arm64 and so it must be generated from unistd32.h.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/Makefile                 |    4 ++++
>>   arch/arm64/kernel/syscalls/Makefile |   20 ++++++++++++++++++++
>>   2 files changed, 24 insertions(+)
>>   create mode 100644 arch/arm64/kernel/syscalls/Makefile
>>
>> diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile
>> index 2fceb71..6d24f92 100644
>> --- a/arch/arm64/Makefile
>> +++ b/arch/arm64/Makefile
>> @@ -72,6 +72,10 @@ PHONY += vdso_install
>>   vdso_install:
>>   	$(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso $@
>>
>> +# Compat syscall header generation
>> +archheaders:
>> +	$(Q)$(MAKE) $(build)=arch/arm64/kernel/syscalls $@
>
> See my other post to the lib/compat_audit.c file. I think that's too
> complex for what you need.

The generation script is getting more complex than I assumed at first
because some of the system call names are a bit inconsistent with native 32-bit
system calls, for example, fchown16 vs. fchown, fchown vs. fchown32.

Now my tentative sed script looks like:
+quiet_cmd_syshdr = SYSHDR $@
+        cmd_syshdr = cat $< | sed -r \
+        -e 's/compat_//' \
+        -e 's/_wrapper//' \
+        -e 's/(sys_[fl]?chown)(\))/\132\)/' \
+        -e 's/(sys_[gs]et)(|e|fs|re|res)(uid\))/\1\2uid32\)/' \
+        -e 's/(sys_[gs]et)(|e|fs|re|res)(gid\))/\1\2gid32\)/' \
+        -e 's/(sys_[gs]etgroups)(\))/\132\)/' \
+        -e 's/(sys_new)(.*)/sys_\2/' \
+        -e 's/sys_mmap_pgoff/sys_mmap2/' \
+        -e 's/(sys_[_a-z]*)16(.*)/\1\2/' \
+        -e 's/^__SYSCALL\((.*),[ ]*sys_([^)].*)\).*/\#define __NR_\2 \1/p;d' \
+        | grep -v __NR_ni_syscall > $@
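
Review bot: the "(|e|fs|re|res)" groups in the uid and gid rules use an empty alternative, which POSIX leaves undefined for extended regular expressions; "(e|fs|re|res)?" says the same thing portably. The rename rules are also order-dependent: the rule that strips the "16" suffix has to run after the chown, uid, gid and getgroups rules that append "32", otherwise the 16-bit and 32-bit variants end up with the same __NR_ name. A comment above the list stating that would keep a later reordering from silently changing the generated header. "cat $< | sed" can simply pass $< to sed as its input file.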

So, yeah, I agree with you now.

-Takahiro AKASHI

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-27  5:12         ` AKASHI Takahiro
  (?)
@ 2014-01-27 14:49           ` Catalin Marinas
  -1 siblings, 0 replies; 297+ messages in thread
From: Catalin Marinas @ 2014-01-27 14:49 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Will Deacon, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Mon, Jan 27, 2014 at 05:12:33AM +0000, AKASHI Takahiro wrote:
> [To audit maintainers]
> 
> On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> > On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> >> --- a/include/uapi/linux/audit.h
> >> +++ b/include/uapi/linux/audit.h
> >> @@ -327,6 +327,8 @@ enum {
> >>   /* distinguish syscall tables */
> >>   #define __AUDIT_ARCH_64BIT 0x80000000
> >>   #define __AUDIT_ARCH_LE	   0x40000000
> >> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >> +#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> >>   #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>   #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >>   #define AUDIT_ARCH_ARMEB	(EM_ARM)
> >> diff --git a/init/Kconfig b/init/Kconfig
> >> index 79383d3..3aae602 100644
> >> --- a/init/Kconfig
> >> +++ b/init/Kconfig
> >> @@ -284,7 +284,7 @@ config AUDIT
> >>
> >>   config AUDITSYSCALL
> >>   	bool "Enable system-call auditing support"
> >> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> >> +	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> >
> > The usual comment for such changes: could you please clean this up and
> > just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> 
> Do you agree to this change?
> 
> If so, I can create a patch, but have some concerns:
> 1) I can't verify it on other architectures than (arm &) arm64.

You could try to build. It's really a trivial change, could get away
with code inspection (and some automatic building when it gets to
linux-next).

In init/Kconfig:

config HAVE_ARCH_AUDITSYSCALL
	bool

and:

-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+	depends on HAVE_ARCH_AUDITSYSCALL
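
Review bot: the replacement line drops the "AUDIT &&" term that the removed line starts with, so as written AUDITSYSCALL would no longer depend on AUDIT; it should read "depends on AUDIT && HAVE_ARCH_AUDITSYSCALL". The qualifiers in the old list also have to move with the selects: arch/arm should select the symbol only if AEABI && !OABI_COMPAT, and sparc only for SPARC64.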

In the corresponding arch/*/Kconfig:

	select HAVE_ARCH_AUDITSYSCALL

> 2) Some architectures (microblaze, mips, openrisc) are not listed here, but

For those, you don't need to select HAVE_ARCH_AUDITSYSCALL.

>     their ptrace.c have a call to audit_syscall_entry/exit().
>     (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)


They are not NULL but empty inline functions, so they don't have any
effect.

> So I'm afraid that the change might break someone's assumption.

I'm pretty sure it won't ;).

-- 
Catalin

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-27  5:12         ` AKASHI Takahiro
  (?)
@ 2014-01-29 20:21           ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-01-29 20:21 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linaro-kernel, patches, Will.Deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/01/27, AKASHI Takahiro wrote:
> [To audit maintainers]
> 
> On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> >On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> >>--- a/include/uapi/linux/audit.h
> >>+++ b/include/uapi/linux/audit.h
> >>@@ -327,6 +327,8 @@ enum {
> >>  /* distinguish syscall tables */
> >>  #define __AUDIT_ARCH_64BIT 0x80000000
> >>  #define __AUDIT_ARCH_LE	   0x40000000
> >>+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> >>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
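Review bot: AUDIT_ARCH_AARCH64 and AUDIT_ARCH_AARCH64EB in the audit.h hunk differ only in __AUDIT_ARCH_LE, and nothing in the hunk says which of the two a given kernel build is expected to report. A one-line comment next to the new defines, under the existing "/* distinguish syscall tables */" line, stating that the value follows the endianness of the task would make the intent checkable, since a wrong choice here means records and rules are matched against the wrong entry.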
> >>diff --git a/init/Kconfig b/init/Kconfig
> >>index 79383d3..3aae602 100644
> >>--- a/init/Kconfig
> >>+++ b/init/Kconfig
> >>@@ -284,7 +284,7 @@ config AUDIT
> >>
> >>  config AUDITSYSCALL
> >>  	bool "Enable system-call auditing support"
> >>-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> >>+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> >
> >The usual comment for such changes: could you please clean this up and
> >just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> 
> Do you agree to this change?
> 
> If so, I can create a patch, but have some concerns:
> 1) I can't verify it on other architectures than (arm &) arm64.
> 2) Some architectures (microblaze, mips, openrisc) are not listed here, but
>    their ptrace.c have a call to audit_syscall_entry/exit().
>    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)

I can try: ppc s390 x86_64 ppc64 i686 s390x

> So I'm afraid that the change might break someone's assumption.
> 
> Thanks,
> -Takahiro AKASHI

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread
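
How a log consumer would interpret the arch= field that the AUDIT_ARCH_* values quoted above end up in, as an added example that is not part of the thread or of the patch. The record lines are constructed, the helper names are hypothetical, and the ELF machine numbers (EM_ARM 40, EM_AARCH64 183) are taken from the ELF specification rather than from this page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits, values as in the quoted include/uapi/linux/audit.h hunk. */
#define ARCH_64BIT 0x80000000u /* __AUDIT_ARCH_64BIT */
#define ARCH_LE    0x40000000u /* __AUDIT_ARCH_LE */
/* ELF machine numbers (ELF specification; not stated in the thread). */
#define ELF_EM_ARM     40u
#define ELF_EM_AARCH64 183u

struct arch_info {
    uint32_t machine;   /* ELF machine number with the flag bits removed */
    int is_64bit;
    int little_endian;
};

/* Split an audit arch value into machine, word size and endianness. */
static struct arch_info decode_arch(uint32_t arch)
{
    struct arch_info info;
    info.machine = arch & ~(ARCH_64BIT | ARCH_LE);
    info.is_64bit = (arch & ARCH_64BIT) != 0;
    info.little_endian = (arch & ARCH_LE) != 0;
    return info;
}

/* Map the four ARM values named in the hunk to their macro names.
 * Returns NULL for any value outside that set. */
static const char *arch_name(uint32_t arch)
{
    switch (arch) {
    case ELF_EM_AARCH64 | ARCH_64BIT | ARCH_LE: return "AUDIT_ARCH_AARCH64";
    case ELF_EM_AARCH64 | ARCH_64BIT:           return "AUDIT_ARCH_AARCH64EB";
    case ELF_EM_ARM | ARCH_LE:                  return "AUDIT_ARCH_ARM";
    case ELF_EM_ARM:                            return "AUDIT_ARCH_ARMEB";
    default:                                    return NULL;
    }
}

/* Extract the hex value of the "arch=" field from one record line.
 * Returns 0 on success, -1 if the field is absent or malformed. */
static int parse_arch_field(const char *record, uint32_t *out)
{
    const char *p = record;

    while ((p = strstr(p, "arch=")) != NULL) {
        /* Accept only a whole field, not the tail of e.g. "march=". */
        if (p == record || p[-1] == ' ') {
            char *end;
            unsigned long long v;

            p += 5;
            if (!isxdigit((unsigned char)*p))
                return -1;
            errno = 0;
            v = strtoull(p, &end, 16);
            if (errno != 0 || v > 0xffffffffULL)
                return -1;
            if (*end != ' ' && *end != '\0')
                return -1;
            *out = (uint32_t)v;
            return 0;
        }
        p += 5;
    }
    return -1;
}

/* Constructed sample records, not captured from a real system. The first
 * two describe the same openat call: it is numbered 56 in the arm64 table
 * and 322 in the 32-bit ARM table, so the number is meaningless without
 * the arch value. The third has no arch= field at all. */
static const char *const sample_records[] = {
    "type=SYSCALL msg=audit(1391407200.000:101): arch=c00000b7 syscall=56 success=yes exit=3",
    "type=SYSCALL msg=audit(1391407200.000:102): arch=40000028 syscall=322 success=yes exit=3",
    "type=SYSCALL msg=audit(1391407200.000:103): march=c00000b7 syscall=56 success=yes exit=3",
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(sample_records) / sizeof(sample_records[0]); i++) {
        uint32_t arch;
        struct arch_info info;
        const char *name;

        if (parse_arch_field(sample_records[i], &arch) != 0) {
            printf("record %zu: no usable arch= field\n", i);
            continue;
        }
        info = decode_arch(arch);
        name = arch_name(arch);
        printf("record %zu: arch=%08x %s machine=%u %s-bit %s-endian\n",
               i, (unsigned)arch, name ? name : "(not in table)",
               (unsigned)info.machine, info.is_64bit ? "64" : "32",
               info.little_endian ? "little" : "big");
    }
    return 0;
}
```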

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-29 20:21           ` Richard Guy Briggs
  (?)
@ 2014-01-29 22:36             ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-01-29 22:36 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linaro-kernel, patches, Will.Deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/01/29, Richard Guy Briggs wrote:
> On 14/01/27, AKASHI Takahiro wrote:
> > [To audit maintainers]
> > 
> > On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> > >On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> > >>--- a/include/uapi/linux/audit.h
> > >>+++ b/include/uapi/linux/audit.h
> > >>@@ -327,6 +327,8 @@ enum {
> > >>  /* distinguish syscall tables */
> > >>  #define __AUDIT_ARCH_64BIT 0x80000000
> > >>  #define __AUDIT_ARCH_LE	   0x40000000
> > >>+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > >>+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> > >>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > >>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> > >>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> > >>diff --git a/init/Kconfig b/init/Kconfig
> > >>index 79383d3..3aae602 100644
> > >>--- a/init/Kconfig
> > >>+++ b/init/Kconfig
> > >>@@ -284,7 +284,7 @@ config AUDIT
> > >>
> > >>  config AUDITSYSCALL
> > >>  	bool "Enable system-call auditing support"
> > >>-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> > >>+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> > >
> > >The usual comment for such changes: could you please clean this up and
> > >just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> > 
> > Do you agree to this change?
> > 
> > If so, I can create a patch, but have some concerns:
> > 1) I can't verify it on other architectures than (arm &) arm64.
> > 2) Some architectures (microblaze, mips, openrisc) are not listed here, but
> >    their ptrace.c have a call to audit_syscall_entry/exit().
> >    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
> 
> I can try: ppc s390 x86_64 ppc64 i686 s390x

These arches above all pass compile and basic tests with the following patches applied:

	audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)

	audit: Modify a set of system calls in audit class definitions (already upstream)

	[PATCH v3] audit: Add generic compat syscall support

	[PATCH v2] audit: Enable arm64 support
	[PATCH v2] arm64: Add regs_return_value() in syscall.h
	[PATCH v2] arm64: Add audit support
	[PATCH v2] arm64: audit: Add 32-bit (compat) syscall support
	[PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
	[PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace

> > So I'm afraid that the change might break someone's assumption.
> > 
> > Thanks,
> > -Takahiro AKASHI
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-01-29 22:36             ` Richard Guy Briggs
@ 2014-02-03  5:59               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  5:59 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: Catalin Marinas, linaro-kernel, patches, Will.Deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

Richard,

On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
> On 14/01/29, Richard Guy Briggs wrote:
>> On 14/01/27, AKASHI Takahiro wrote:
>>> [To audit maintainers]
>>>
>>> On 01/23/2014 11:18 PM, Catalin Marinas wrote:
>>>> On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
>>>>> --- a/include/uapi/linux/audit.h
>>>>> +++ b/include/uapi/linux/audit.h
>>>>> @@ -327,6 +327,8 @@ enum {
>>>>>   /* distinguish syscall tables */
>>>>>   #define __AUDIT_ARCH_64BIT 0x80000000
>>>>>   #define __AUDIT_ARCH_LE	   0x40000000
>>>>> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>>>> +#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
>>>>>   #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>>>>   #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>>>>>   #define AUDIT_ARCH_ARMEB	(EM_ARM)
>>>>> diff --git a/init/Kconfig b/init/Kconfig
>>>>> index 79383d3..3aae602 100644
>>>>> --- a/init/Kconfig
>>>>> +++ b/init/Kconfig
>>>>> @@ -284,7 +284,7 @@ config AUDIT
>>>>>
>>>>>   config AUDITSYSCALL
>>>>>   	bool "Enable system-call auditing support"
>>>>> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
>>>>> +	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
>>>>
>>>> The usual comment for such changes: could you please clean this up and
>>>> just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
>>>
>>> Do you agree to this change?
>>>
>>> If so, I can create a patch, but have some concerns:
>>> 1) I can't verify it on other architectures than (arm &) arm64.
>>> 2) Some architectures (microblaze, mips, openrisc) are not listed here, but
>>>     their ptrace.c have a call to audit_syscall_entry/exit().
>>>     (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
>>
>> I can try: ppc s390 x86_64 ppc64 i686 s390x
>
> These arches above all pass compile and basic tests with the following patches applied:
>
> 	audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
>
> 	audit: Modify a set of system calls in audit class definitions (already upstream)
>
> 	[PATCH v3] audit: Add generic compat syscall support
>
> 	[PATCH v2] audit: Enable arm64 support
> 	[PATCH v2] arm64: Add regs_return_value() in syscall.h
> 	[PATCH v2] arm64: Add audit support
> 	[PATCH v2] arm64: audit: Add 32-bit (compat) syscall support
> 	[PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
> 	[PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace

I think that you missed Catalin's suggestion.
Please use the patch I will post after this message and try it again.

Thanks,
-Takahiro AKASHI



>>> So I'm afraid that the change might break someone's assumption.
>>>
>>> Thanks,
>>> -Takahiro AKASHI
>>
>> - RGB
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-01-29 22:36             ` Richard Guy Briggs
@ 2014-02-03  6:00               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:00 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: catalin.marinas, will.deacon, linux-arm-kernel, linaro-kernel,
	linux-kernel, linux-audit, patches, AKASHI Takahiro

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 10 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index c1f1a7e..cf69f89 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -23,6 +23,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
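Review bot: The "if (AEABI && !OABI_COMPAT)" guard on the new select in config ARM is now the only place the old ARM restriction from init/Kconfig lives, and the commit message does not say that it moved. Please mention it in the changelog so the condition is not dropped by a later cleanup; the guard matches the one on HAVE_ARCH_SECCOMP_FILTER three lines below, so the two can be kept in step.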
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 4e4119b..9143d91 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -43,6 +43,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index b5f1858..0821e83 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..96627d6 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
 	select OLD_SIGACTION if PPC32
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 1e1a03d..b3b9853 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 9b0979f..675fb7c 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index d4f7a6a..7f7ad7e 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index e903c71..6ef682f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -124,6 +124,7 @@ config X86
 	select RTC_LIB
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 79383d3..9fe22d2 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-03  6:00               ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:00 UTC (permalink / raw)
  To: linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 10 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index c1f1a7e..cf69f89 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -23,6 +23,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 4e4119b..9143d91 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -43,6 +43,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index b5f1858..0821e83 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index b44b52c..96627d6 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -139,6 +139,7 @@ config PPC
 	select OLD_SIGACTION if PPC32
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 1e1a03d..b3b9853 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 9b0979f..675fb7c 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index d4f7a6a..7f7ad7e 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -76,6 +76,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index e903c71..6ef682f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -124,6 +124,7 @@ config X86
 	select RTC_LIB
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 79383d3..9fe22d2 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
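Review bot: The new HAVE_ARCH_AUDITSYSCALL symbol in this init/Kconfig hunk is a bare "bool" with no comment saying what an architecture has to provide before it may select it. A short comment above the symbol listing the requirements (the audit_syscall_entry()/audit_syscall_exit() calls in the syscall path and an AUDIT_ARCH_* value) would help the next port. It would also make clear why microblaze, mips and openrisc, which the thread notes already call the audit hooks from ptrace.c, are not in the diffstat and still cannot enable AUDITSYSCALL after this change.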
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 0/3] arm64: Add audit support
  2014-01-17  8:13   ` AKASHI Takahiro
@ 2014-02-03  6:56     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "generic compat system call audit support" patch
* "correct a type mismatch in audit_syscall_exit()" patch
   (already accepted and queued in 3.14)
* "Modify a set of system calls in audit class" patch
   (already accepted and queued in 3.14)
* "__NR_* definitions for compat syscalls" patch from Catalin
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

AKASHI Takahiro (3):
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig                   |    1 +
 arch/arm64/include/asm/ptrace.h      |    5 +++++
 arch/arm64/include/asm/syscall.h     |   15 +++++++++++++++
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   10 ++++++++++
 include/uapi/linux/audit.h           |    1 +
 7 files changed, 36 insertions(+)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread
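The arch values named in the cover letter above decide which syscall table a record's number belongs to. The following is an added example, not code from the patch set: it decodes the arch= and syscall= fields of audit SYSCALL records for AArch64 and compat (AArch32) tasks. The sample records are constructed, the function names are hypothetical, the EM_* numbers come from linux/elf-em.h, and the syscall tables are small subsets of the arm64 and ARM EABI tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits and arch values as in the include/uapi/linux/audit.h hunk. */
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
/* ELF machine numbers (linux/elf-em.h); not shown in the thread. */
#define EM_ARM     40
#define EM_AARCH64 183
#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM     (EM_ARM | __AUDIT_ARCH_LE)

struct audit_syscall { uint32_t arch; long nr; };
struct nr_name { long nr; const char *name; };

/* Subsets of the two tables: number 11 means a different call in each. */
static const struct nr_name aarch64_tbl[] = {
    { 11, "listxattr" }, { 56, "openat" }, { 63, "read" }, { 221, "execve" },
};
static const struct nr_name arm_tbl[] = {
    { 3, "read" }, { 11, "execve" }, { 322, "openat" },
};

/* Constructed sample records (not captured from a real system). */
static const char SAMPLE_A64_OPENAT[] =
    "type=SYSCALL msg=audit(1391410560.101:41): arch=c00000b7 syscall=56 "
    "success=yes exit=3 pid=812 comm=\"cat\"";
static const char SAMPLE_A32_EXECVE[] =
    "type=SYSCALL msg=audit(1391410561.202:42): arch=40000028 syscall=11 "
    "success=yes exit=0 pid=813 comm=\"ls\"";

/* Return a pointer to the value of "key=" at a field boundary, or NULL. */
static const char *field(const char *rec, const char *key)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=')
            return p + klen + 1;
        p += klen;
    }
    return NULL;
}

/* Parse arch= (hex) and syscall= (decimal); 0 on success, -1 otherwise. */
int parse_syscall_record(const char *rec, struct audit_syscall *out)
{
    const char *a = field(rec, "arch");
    const char *s = field(rec, "syscall");
    char *end;
    unsigned long arch;
    long nr;

    if (!a || !s)
        return -1;
    arch = strtoul(a, &end, 16);
    if (end == a || arch > 0xffffffffUL)
        return -1;
    nr = strtol(s, &end, 10);
    if (end == s)
        return -1;
    out->arch = (uint32_t)arch;
    out->nr = nr;
    return 0;
}

/*
 * Pick the table from the arch value, then look the number up.
 * The cover letter says the same values are reported on LE and BE
 * kernels, so byte order is deliberately not derived from the LE bit.
 * Unknown arch values return NULL rather than guessing a table.
 */
const char *syscall_name(uint32_t arch, long nr)
{
    const struct nr_name *tbl;
    size_t n, i;

    switch (arch) {
    case AUDIT_ARCH_AARCH64:
        tbl = aarch64_tbl; n = sizeof(aarch64_tbl) / sizeof(aarch64_tbl[0]);
        break;
    case AUDIT_ARCH_ARM:
        tbl = arm_tbl; n = sizeof(arm_tbl) / sizeof(arm_tbl[0]);
        break;
    default:
        return NULL;
    }
    for (i = 0; i < n; i++)
        if (tbl[i].nr == nr)
            return tbl[i].name;
    return NULL;
}

/* Convenience wrapper: record text in, syscall name (or NULL) out. */
const char *name_from_record(const char *rec)
{
    struct audit_syscall r;

    return parse_syscall_record(rec, &r) == 0 ? syscall_name(r.arch, r.nr) : NULL;
}

int main(void)
{
    const char *n64 = name_from_record(SAMPLE_A64_OPENAT);
    const char *n32 = name_from_record(SAMPLE_A32_EXECVE);

    printf("aarch64 record: %s\n", n64 ? n64 : "(unknown)");
    printf("compat record:  %s\n", n32 ? n32 : "(unknown)");
    return 0;
}
```

A rule or report keyed on the syscall number alone would confuse execve in a compat task with listxattr in a 64-bit task, which is why the arch field has to be consulted first.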

* [PATCH v3 0/3] arm64: Add audit support
@ 2014-02-03  6:56     ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: linux-arm-kernel

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "generic compat system call audit support" patch
* "correct a type mismatch in audit_syscall_exit()" patch
   (already accepted and queued in 3.14)
* "Modify a set of system calls in audit class" patch
   (already accepted and queued in 3.14)
* "__NR_* definitions for compat syscalls" patch from Catalin
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

AKASHI Takahiro (3):
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig                   |    1 +
 arch/arm64/include/asm/ptrace.h      |    5 +++++
 arch/arm64/include/asm/syscall.h     |   15 +++++++++++++++
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   10 ++++++++++
 include/uapi/linux/audit.h           |    1 +
 7 files changed, 36 insertions(+)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v3 1/3] arm64: Add regs_return_value() in syscall.h
  2014-02-03  6:56     ` AKASHI Takahiro
@ 2014-02-03  6:56       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
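Review bot: The subject and changelog do not match this hunk: regs_return_value() is added to asm/ptrace.h, not syscall.h, and it is a static inline function, not a macro. Please correct both in the commit message. Since the series also audits 32-bit (AUDIT_ARCH_ARM) tasks, a comment stating whether regs->regs[0] needs sign extension for a compat task before a negative return value is reported would be welcome.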
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 1/3] arm64: Add regs_return_value() in syscall.h
@ 2014-02-03  6:56       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 2/3] arm64: Add audit support
  2014-02-03  6:56     ` AKASHI Takahiro
@ 2014-02-03  6:56       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..3c21405 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -19,6 +19,7 @@ config ARM64
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
 	select HAVE_DEBUG_KMEMLEAK
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
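Review bot: Including <linux/audit.h> from asm/syscall.h is heavier than this header needs, because the only audit symbols used further down in the patch are the AUDIT_ARCH_* constants. Including <uapi/linux/audit.h>, where the patch defines them, would keep this low-level arch header from depending on the full audit header.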
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
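Review bot: The comment above syscall_get_arch() says the __AUDIT_ARCH_LE bit is the one being ignored, while the cover letter names the __AUDIT_ARCH_64BIT bit; please make the two agree. The comment should also say outright that a big-endian kernel reports the LE-tagged AUDIT_ARCH_ARM and AUDIT_ARCH_AARCH64 values, so that consumers of audit records do not read byte order from the arch field. The regs parameter is unused in the body; a word on why it is in the signature would save readers a look.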
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0a73cf3..cf27cae 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,6 +327,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
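Review bot: AUDIT_ARCH_AARCH64 is added to a uapi header with __AUDIT_ARCH_LE set and no big-endian counterpart, unlike the AUDIT_ARCH_ARM/AUDIT_ARCH_ARMEB pair just below it. Since the value becomes userspace ABI once released, please add a comment on the define stating that it is reported for both byte orders, so userspace tools do not later expect an AARCH64EB value.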
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 2/3] arm64: Add audit support
@ 2014-02-03  6:56       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: linux-arm-kernel

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d4dd22..3c21405 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -19,6 +19,7 @@ config ARM64
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
 	select HAVE_DEBUG_KMEMLEAK
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 0a73cf3..cf27cae 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -327,6 +327,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-03  6:56     ` AKASHI Takahiro
@ 2014-02-03  6:56       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   10 ++++++++++
 3 files changed, 14 insertions(+)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..7468388 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 827cbad..83c4b29 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,6 +630,9 @@ el0_svc_naked:					// compat entry point
 	get_thread_info tsk
 	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
 	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
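Review bot: The added tbnz on TIF_SYSCALL_AUDIT is a second single-bit test on the syscall entry path, wrapped in #ifdef CONFIG_AUDITSYSCALL. Testing x16 once against a combined mask of the flags that should divert to __sys_trace would avoid the #ifdef in assembly and leave a single place to extend when more flags are routed there.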
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6777a21..75a3f23 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	if (dir)
+		audit_syscall_exit(regs);
+	else
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
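Review bot: In syscall_trace(), audit_syscall_entry() is called ahead of the TIF_SYSCALL_TRACE check, so the record is built from regs->syscallno and the argument registers before any tracer handling later in the function has run. If a tracer changes the syscall number or arguments at its entry stop, the audit record will not describe the call that actually executes. Please move the entry hook after the tracer notification (keeping audit_syscall_exit() ahead of it on the exit side), or explain in the changelog why the current order is correct. The mix of regs->orig_x0 for the first argument and regs->regs[1] to regs->regs[3] for the rest also deserves a one-line comment.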
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-03  6:56       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-03  6:56 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |    1 +
 arch/arm64/kernel/entry.S            |    3 +++
 arch/arm64/kernel/ptrace.c           |   10 ++++++++++
 3 files changed, 14 insertions(+)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..7468388 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 827cbad..83c4b29 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,6 +630,9 @@ el0_svc_naked:					// compat entry point
 	get_thread_info tsk
 	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
 	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+#ifdef CONFIG_AUDITSYSCALL
+	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
+#endif
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6777a21..75a3f23 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	if (dir)
+		audit_syscall_exit(regs);
+	else
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-02-03  5:59               ` AKASHI Takahiro
@ 2014-02-03 16:06                 ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-03 16:06 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linaro-kernel, patches, Will.Deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/02/03, AKASHI Takahiro wrote:
> Richard,

Takahiro,

> On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
> >On 14/01/29, Richard Guy Briggs wrote:
> >>On 14/01/27, AKASHI Takahiro wrote:
> >>>[To audit maintainers]
> >>>
> >>>On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> >>>>On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> >>>>>--- a/include/uapi/linux/audit.h
> >>>>>+++ b/include/uapi/linux/audit.h
> >>>>>@@ -327,6 +327,8 @@ enum {
> >>>>>  /* distinguish syscall tables */
> >>>>>  #define __AUDIT_ARCH_64BIT 0x80000000
> >>>>>  #define __AUDIT_ARCH_LE	   0x40000000
> >>>>>+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>>>+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> >>>>>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>>>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >>>>>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> >>>>>diff --git a/init/Kconfig b/init/Kconfig
> >>>>>index 79383d3..3aae602 100644
> >>>>>--- a/init/Kconfig
> >>>>>+++ b/init/Kconfig
> >>>>>@@ -284,7 +284,7 @@ config AUDIT
> >>>>>
> >>>>>  config AUDITSYSCALL
> >>>>>  	bool "Enable system-call auditing support"
> >>>>>-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> >>>>>+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> >>>>
> >>>>The usual comment for such changes: could you please clean this up and
> >>>>just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> >>>
> >>>Do you agree to this change?
> >>>
> >>>If so, I can create a patch, but have some concerns:
> >>>1) I can't verify it on other architectures than (arm &) arm64.
> >>>2) Some architectures (microblaze, mips, openrisc) are not listed here, but
> >>>    their ptrace.c have a call to audit_syscall_entry/exit().
> >>>    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
> >>
> >>I can try: ppc s390 x86_64 ppc64 i686 s390x
> >
> >These arches above all pass compile and basic tests with the following patches applied:
> >
> >	audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
> >
> >	audit: Modify a set of system calls in audit class definitions (already upstream)
> >
> >	[PATCH v3] audit: Add generic compat syscall support
> >
> >	[PATCH v2] audit: Enable arm64 support
> >	[PATCH v2] arm64: Add regs_return_value() in syscall.h
> >	[PATCH v2] arm64: Add audit support
> >	[PATCH v2] arm64: audit: Add 32-bit (compat) syscall support
> >	[PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
> >	[PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
> 
> I think that you missed Catalin's suggestion.

I didn't miss his suggestions.  I think they are a good way to go, but I
wanted to make a test at a referable point in time to validate the work
to that point and to avoid introducing errors by mis-interpreting ideas
that were not yet fully-formed patches.

> Please use the patch I will post after this message and try it again, please?

I was certainly intending to do so.

> Thanks,
> -Takahiro AKASHI
> 
> >>>So I'm afraid that the change might break someone's assumption.
> >>>
> >>>Thanks,
> >>>-Takahiro AKASHI
> >>
> >>- RGB
> >
> >- RGB
> >
> >--
> >Richard Guy Briggs <rbriggs@redhat.com>
> >Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> >Remote, Ottawa, Canada
> >Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
> >

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 1/6] audit: Enable arm64 support
@ 2014-02-03 16:06                 ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-03 16:06 UTC (permalink / raw)
  To: linux-arm-kernel

On 14/02/03, AKASHI Takahiro wrote:
> Richard,

Takahiro,

> On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
> >On 14/01/29, Richard Guy Briggs wrote:
> >>On 14/01/27, AKASHI Takahiro wrote:
> >>>[To audit maintainers]
> >>>
> >>>On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> >>>>On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> >>>>>--- a/include/uapi/linux/audit.h
> >>>>>+++ b/include/uapi/linux/audit.h
> >>>>>@@ -327,6 +327,8 @@ enum {
> >>>>>  /* distinguish syscall tables */
> >>>>>  #define __AUDIT_ARCH_64BIT 0x80000000
> >>>>>  #define __AUDIT_ARCH_LE	   0x40000000
> >>>>>+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>>>+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> >>>>>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> >>>>>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> >>>>>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
> >>>>>diff --git a/init/Kconfig b/init/Kconfig
> >>>>>index 79383d3..3aae602 100644
> >>>>>--- a/init/Kconfig
> >>>>>+++ b/init/Kconfig
> >>>>>@@ -284,7 +284,7 @@ config AUDIT
> >>>>>
> >>>>>  config AUDITSYSCALL
> >>>>>  	bool "Enable system-call auditing support"
> >>>>>-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> >>>>>+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> >>>>
> >>>>The usual comment for such changes: could you please clean this up and
> >>>>just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> >>>
> >>>Do you agree to this change?
> >>>
> >>>If so, I can create a patch, but have some concerns:
> >>>1) I can't verify it on other architectures than (arm &) arm64.
> >>>2) Some architectures (microblaze, mips, openrisc) are not listed here, but
> >>>    their ptrace.c have a call to audit_syscall_entry/exit().
> >>>    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
> >>
> >>I can try: ppc s390 x86_64 ppc64 i686 s390x
> >
> >These arches above all pass compile and basic tests with the following patches applied:
> >
> >	audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
> >
> >	audit: Modify a set of system calls in audit class definitions (already upstream)
> >
> >	[PATCH v3] audit: Add generic compat syscall support
> >
> >	[PATCH v2] audit: Enable arm64 support
> >	[PATCH v2] arm64: Add regs_return_value() in syscall.h
> >	[PATCH v2] arm64: Add audit support
> >	[PATCH v2] arm64: audit: Add 32-bit (compat) syscall support
> >	[PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
> >	[PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
> 
> I think that you missed Catalin's suggestion.

I didn't miss his suggestions.  I think they are a good way to go, but I
wanted to make a test at a referable point in time to validate the work
to that point and to avoid introducing errors by mis-interpreting ideas
that were not yet fully-formed patches.

> Please use the patch I will post after this message and try it again, please?

I was certainly intending to do so.

> Thanks,
> -Takahiro AKASHI
> 
> >>>So I'm afraid that the change might break someone's assumption.
> >>>
> >>>Thanks,
> >>>-Takahiro AKASHI
> >>
> >>- RGB
> >
> >- RGB
> >
> >--
> >Richard Guy Briggs <rbriggs@redhat.com>
> >Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> >Remote, Ottawa, Canada
> >Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
> >

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/6] audit: Enable arm64 support
  2014-02-03 16:06                 ` Richard Guy Briggs
  (?)
@ 2014-02-04 16:25                   ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-04 16:25 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Catalin Marinas, linaro-kernel, patches, Will.Deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/02/03, Richard Guy Briggs wrote:
> On 14/02/03, AKASHI Takahiro wrote:
> > Richard,
> 
> Takahiro,

Takahiro,

> > On 01/30/2014 07:36 AM, Richard Guy Briggs wrote:
> > >On 14/01/29, Richard Guy Briggs wrote:
> > >>On 14/01/27, AKASHI Takahiro wrote:
> > >>>[To audit maintainers]
> > >>>
> > >>>On 01/23/2014 11:18 PM, Catalin Marinas wrote:
> > >>>>On Fri, Jan 17, 2014 at 08:13:14AM +0000, AKASHI Takahiro wrote:
> > >>>>>--- a/include/uapi/linux/audit.h
> > >>>>>+++ b/include/uapi/linux/audit.h
> > >>>>>@@ -327,6 +327,8 @@ enum {
> > >>>>>  /* distinguish syscall tables */
> > >>>>>  #define __AUDIT_ARCH_64BIT 0x80000000
> > >>>>>  #define __AUDIT_ARCH_LE	   0x40000000
> > >>>>>+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > >>>>>+#define AUDIT_ARCH_AARCH64EB	(EM_AARCH64|__AUDIT_ARCH_64BIT)
> > >>>>>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
> > >>>>>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
> > >>>>>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
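
Review bot: AUDIT_ARCH_AARCH64EB goes into a uapi header while nothing in the quoted hunks uses it, and the comment at the top of this block says these values exist to distinguish syscall tables. If big-endian and little-endian AArch64 share one syscall table, a single AUDIT_ARCH_AARCH64 is enough; if they do not, the commit message should say so, because userspace audit tools will start matching on whichever values are published here.
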
> > >>>>>diff --git a/init/Kconfig b/init/Kconfig
> > >>>>>index 79383d3..3aae602 100644
> > >>>>>--- a/init/Kconfig
> > >>>>>+++ b/init/Kconfig
> > >>>>>@@ -284,7 +284,7 @@ config AUDIT
> > >>>>>
> > >>>>>  config AUDITSYSCALL
> > >>>>>  	bool "Enable system-call auditing support"
> > >>>>>-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT))
> > >>>>>+	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ARM64)
> > >>>>
> > >>>>The usual comment for such changes: could you please clean this up and
> > >>>>just use something like "depends on HAVE_ARCH_AUDITSYSCALL"?
> > >>>
> > >>>Do you agree to this change?
> > >>>
> > >>>If so, I can create a patch, but have some concerns:
> > >>>1) I can't verify it on other architectures than (arm &) arm64.
> > >>>2) Some architectures (microblaze, mips, openrisc) are not listed here, but
> > >>>    their ptrace.c have a call to audit_syscall_entry/exit().
> > >>>    (audit_syscall_entry/exit are null if !AUDITSYSCALL, though)
> > >>
> > >>I can try: ppc s390 x86_64 ppc64 i686 s390x
> > >
> > >These arches above all pass compile and basic tests with the following patches applied:
> > >
> > >	audit: correct a type mismatch in audit_syscall_exit() pending (already upstream)
> > >
> > >	audit: Modify a set of system calls in audit class definitions (already upstream)
> > >
> > >	[PATCH v3] audit: Add generic compat syscall support
> > >
> > >	[PATCH v2] audit: Enable arm64 support
> > >	[PATCH v2] arm64: Add regs_return_value() in syscall.h
> > >	[PATCH v2] arm64: Add audit support
> > >	[PATCH v2] arm64: audit: Add 32-bit (compat) syscall support
> > >	[PATCH v2] arm64: audit: Add makefile rule to create unistd_32.h for compat syscalls
> > >	[PATCH v2] arm64: audit: Add audit hook in ptrace/syscall_trace
> > 
> > I think that you missed Catalin's suggestion.
> 
> I didn't miss his suggestions.  I think they are a good way to go, but I
> wanted to make a test at a referable point in time to validate the work
> to that point and to avoid introducing errors by mis-interpreting ideas
> that were not yet fully-formed patches.
> 
> > Please use the patch I will post after this message and try it again, please?
> 
> I was certainly intending to do so.

I have tested the new sets from Catalin and you and everything passes ok.

> > Thanks,
> > -Takahiro AKASHI
> > 
> > >>>So I'm afraid that the change might break someone's assumption.
> > >>>
> > >>>Thanks,
> > >>>-Takahiro AKASHI
> > >>
> > >>- RGB
> > >
> > >- RGB
> 
> - RGB

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 1/3] arm64: Add regs_return_value() in syscall.h
  2014-02-03  6:56       ` AKASHI Takahiro
  (?)
@ 2014-02-04 17:30         ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-04 17:30 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Mon, Feb 03, 2014 at 06:56:28AM +0000, AKASHI Takahiro wrote:
> This macro, regs_return_value, is used mainly for audit to record system
> call's results, but may also be used in test_kprobes.c.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 2/3] arm64: Add audit support
  2014-02-03  6:56       ` AKASHI Takahiro
  (?)
@ 2014-02-04 17:30         ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-04 17:30 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Mon, Feb 03, 2014 at 06:56:29AM +0000, AKASHI Takahiro wrote:
> On AArch64, audit is supported through generic lib/audit.c and
> compat_audit.c, and so this patch adds arch specific definitions required.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/Kconfig               |    1 +
>  arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>  include/uapi/linux/audit.h       |    1 +
>  3 files changed, 17 insertions(+)

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-03  6:56       ` AKASHI Takahiro
  (?)
@ 2014-02-04 17:31         ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-04 17:31 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Mon, Feb 03, 2014 at 06:56:30AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/include/asm/thread_info.h |    1 +
>  arch/arm64/kernel/entry.S            |    3 +++
>  arch/arm64/kernel/ptrace.c           |   10 ++++++++++
>  3 files changed, 14 insertions(+)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..7468388 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h
> @@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
>  #define TIF_NEED_RESCHED	1
>  #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>  #define TIF_SYSCALL_TRACE	8
> +#define TIF_SYSCALL_AUDIT	9
>  #define TIF_POLLING_NRFLAG	16
>  #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>  #define TIF_FREEZE		19
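
Review bot: TIF_SYSCALL_AUDIT is added as a bit number only; the diffstat shows thread_info.h gaining a single line, so there is no matching _TIF_SYSCALL_AUDIT mask for C code or for a combined flag test in entry.S. Add the mask define next to it, and give the new flag a short trailing comment like the ones on TIF_NOTIFY_RESUME and TIF_MEMDIE.
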
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 827cbad..83c4b29 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -630,6 +630,9 @@ el0_svc_naked:					// compat entry point
>  	get_thread_info tsk
>  	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
>  	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +#ifdef CONFIG_AUDITSYSCALL
> +	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
> +#endif

Could we avoid the back-to-back tbnz instructions with a single mask? It's
not obvious that it will end up any better, but it would be good to know.

>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
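
Review bot: in the el0_svc_naked hunk, a task with only TIF_SYSCALL_AUDIT set now takes the same __sys_trace branch as a ptraced task, so syscall_trace() runs for it in full. The ptrace.c hunk adds the audit calls at the top of that function and shows no test of TIF_SYSCALL_TRACE around the tracer reporting that follows; please confirm the tracer path is skipped when only auditing is enabled, or add that check.
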
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6777a21..75a3f23 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -19,6 +19,7 @@
>   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>   */
>  
> +#include <linux/audit.h>
>  #include <linux/kernel.h>
>  #include <linux/sched.h>
>  #include <linux/mm.h>
> @@ -38,6 +39,7 @@
>  #include <asm/compat.h>
>  #include <asm/debug-monitors.h>
>  #include <asm/pgtable.h>
> +#include <asm/syscall.h>
>  #include <asm/traps.h>
>  #include <asm/system_misc.h>
>  
> @@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> +	if (dir)
> +		audit_syscall_exit(regs);
> +	else
> +		audit_syscall_entry(syscall_get_arch(current, regs),
> +			(int)regs->syscallno,
> +			regs->orig_x0, regs->regs[1],
> +			regs->regs[2], regs->regs[3]);
> +
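
Review bot: the added "if (dir)" in syscall_trace() depends on the reader knowing that non-zero means syscall exit; a comment or named values for dir would make the entry/exit split readable. The entry call also takes its first argument from regs->orig_x0 and the other three from regs->regs[1..3] without saying why, and the (int) cast on regs->syscallno is unexplained; a one-line comment on each would help the next reader.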

Do we really want to perform the audit checks before the tracehook calls?
Remember that the latter can rewrite all of the registers.

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-04 17:31         ` Will Deacon
  (?)
@ 2014-02-05  1:54           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-05  1:54 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On 02/05/2014 02:31 AM, Will Deacon wrote:
> On Mon, Feb 03, 2014 at 06:56:30AM +0000, AKASHI Takahiro wrote:
>> This patch adds auditing functions on entry to or exit from
>> every system call invocation.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/include/asm/thread_info.h |    1 +
>>   arch/arm64/kernel/entry.S            |    3 +++
>>   arch/arm64/kernel/ptrace.c           |   10 ++++++++++
>>   3 files changed, 14 insertions(+)
>>
>> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
>> index 720e70b..7468388 100644
>> --- a/arch/arm64/include/asm/thread_info.h
>> +++ b/arch/arm64/include/asm/thread_info.h
>> @@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
>>   #define TIF_NEED_RESCHED	1
>>   #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>>   #define TIF_SYSCALL_TRACE	8
>> +#define TIF_SYSCALL_AUDIT	9
>>   #define TIF_POLLING_NRFLAG	16
>>   #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>>   #define TIF_FREEZE		19
>> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
>> index 827cbad..83c4b29 100644
>> --- a/arch/arm64/kernel/entry.S
>> +++ b/arch/arm64/kernel/entry.S
>> @@ -630,6 +630,9 @@ el0_svc_naked:					// compat entry point
>>   	get_thread_info tsk
>>   	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
>>   	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
>> +#ifdef CONFIG_AUDITSYSCALL
>> +	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
>> +#endif
>
> Could we avoid the back-to-back tbnz instructions with a single mask? It's
> not obvious that it will end up any better, but it would be good to know.

When first implementing ftrace support, TIF_SYSCALL_TRACEPOINT is defined as 10
and 'tst' instruction doesn't allow the following code:
     tst x16, #(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_TRACEPOINT)

That is why I've used "back-to-back" tbnz since then, but now that I'm going to
submit ftrace, audit and later seccomp, I will replace it with:
     #define TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE|TRACEPOINT|AUDIT|SECCOMP)

     tst x16, #TIF_SYSCALL_WORK
     b.ne __syscall_trace


>>   	adr	lr, ret_fast_syscall		// return address
>>   	cmp     scno, sc_nr                     // check upper syscall limit
>>   	b.hs	ni_sys
>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 6777a21..75a3f23 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -19,6 +19,7 @@
>>    * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>>    */
>>
>> +#include <linux/audit.h>
>>   #include <linux/kernel.h>
>>   #include <linux/sched.h>
>>   #include <linux/mm.h>
>> @@ -38,6 +39,7 @@
>>   #include <asm/compat.h>
>>   #include <asm/debug-monitors.h>
>>   #include <asm/pgtable.h>
>> +#include <asm/syscall.h>
>>   #include <asm/traps.h>
>>   #include <asm/system_misc.h>
>>
>> @@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>   {
>>   	unsigned long saved_reg;
>>
>> +	if (dir)
>> +		audit_syscall_exit(regs);
>> +	else
>> +		audit_syscall_entry(syscall_get_arch(current, regs),
>> +			(int)regs->syscallno,
>> +			regs->orig_x0, regs->regs[1],
>> +			regs->regs[2], regs->regs[3]);
>> +
>
> Do we really want to perform the audit checks before the tracehook calls?
> Remember that the latter can rewrite all of the registers.

OK. I will change the code to make calls in the following order:
On entry,
    *secure_computing
    *tracehook_report_syscall(ENTER)
    *trace_sys_enter
    *audit_syscall_entry
On exit,
    *audit_syscall_exit
    *trace_sys_exit
    *tracehook_report_syscall(EXIT)

The order here is exactly the same as on x86, but such a change might
decrease the readability of syscall_trace().

Thanks,
-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-05  1:54           ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-05  1:54 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On 02/05/2014 02:31 AM, Will Deacon wrote:
> On Mon, Feb 03, 2014 at 06:56:30AM +0000, AKASHI Takahiro wrote:
>> This patch adds auditing functions on entry to or exit from
>> every system call invocation.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/include/asm/thread_info.h |    1 +
>>   arch/arm64/kernel/entry.S            |    3 +++
>>   arch/arm64/kernel/ptrace.c           |   10 ++++++++++
>>   3 files changed, 14 insertions(+)
>>
>> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
>> index 720e70b..7468388 100644
>> --- a/arch/arm64/include/asm/thread_info.h
>> +++ b/arch/arm64/include/asm/thread_info.h
>> @@ -101,6 +101,7 @@ static inline struct thread_info *current_thread_info(void)
>>   #define TIF_NEED_RESCHED	1
>>   #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>>   #define TIF_SYSCALL_TRACE	8
>> +#define TIF_SYSCALL_AUDIT	9
>>   #define TIF_POLLING_NRFLAG	16
>>   #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>>   #define TIF_FREEZE		19
>> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
>> index 827cbad..83c4b29 100644
>> --- a/arch/arm64/kernel/entry.S
>> +++ b/arch/arm64/kernel/entry.S
>> @@ -630,6 +630,9 @@ el0_svc_naked:					// compat entry point
>>   	get_thread_info tsk
>>   	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
>>   	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
>> +#ifdef CONFIG_AUDITSYSCALL
>> +	tbnz	x16, #TIF_SYSCALL_AUDIT, __sys_trace // auditing syscalls?
>> +#endif
>
> Could we avoid the back-to-back tbnz instructions with a single mask? It's
> not obvious that it will end up any better, but it would be good to know.

When first implementing ftrace support, TIF_SYSCALL_TRACEPOINT was defined as 10,
and the 'tst' instruction doesn't allow the following code:
     tst x16, #(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_TRACEPOINT)

That is why I've used "back-to-back" tbnz since then, but now that I'm going to
submit ftrace, audit and later seccomp, I will replace it with:
     #define TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE|TRACEPOINT|AUDIT|SECCOMP)

     tst x16, #TIF_SYSCALL_WORK
     b.ne __syscall_trace


>>   	adr	lr, ret_fast_syscall		// return address
>>   	cmp     scno, sc_nr                     // check upper syscall limit
>>   	b.hs	ni_sys
>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 6777a21..75a3f23 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -19,6 +19,7 @@
>>    * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>>    */
>>
>> +#include <linux/audit.h>
>>   #include <linux/kernel.h>
>>   #include <linux/sched.h>
>>   #include <linux/mm.h>
>> @@ -38,6 +39,7 @@
>>   #include <asm/compat.h>
>>   #include <asm/debug-monitors.h>
>>   #include <asm/pgtable.h>
>> +#include <asm/syscall.h>
>>   #include <asm/traps.h>
>>   #include <asm/system_misc.h>
>>
>> @@ -1064,6 +1066,14 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>   {
>>   	unsigned long saved_reg;
>>
>> +	if (dir)
>> +		audit_syscall_exit(regs);
>> +	else
>> +		audit_syscall_entry(syscall_get_arch(current, regs),
>> +			(int)regs->syscallno,
>> +			regs->orig_x0, regs->regs[1],
>> +			regs->regs[2], regs->regs[3]);
>> +
>
> Do we really want to perform the audit checks before the tracehook calls?
> Remember that the latter can rewrite all of the registers.

OK. I will change the code to make calls in the following order:
On entry,
    *secure_computing
    *tracehook_report_syscall(ENTER)
    *trace_sys_enter
    *audit_syscall_entry
On exit,
    *audit_syscall_exit
    *trace_sys_exit
    *tracehook_report_syscall(EXIT)

The order here is exactly the same as on x86, but such a change might
decrease the readability of syscall_trace().

Thanks,
-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread
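
The reply above says that 'tst' rejects the TRACE|TRACEPOINT mask but will take the four-flag mask. The check below is an added example, not code from this thread or from the kernel: it tests whether a 64-bit constant can be encoded as an AArch64 logical immediate, which is what the immediate form of 'tst' requires. The bit numbers come from the patch; the function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit numbers as defined in the thread_info.h hunks of the patch. */
enum {
	TIF_SYSCALL_TRACE = 8,
	TIF_SYSCALL_AUDIT = 9,
	TIF_SYSCALL_TRACEPOINT = 10,
	TIF_SECCOMP = 11,
};

#define BIT64(n) (1ULL << (n))

/* Hypothetical names for the masks discussed in the reply. */
#define MASK_TRACE_TRACEPOINT \
	(BIT64(TIF_SYSCALL_TRACE) | BIT64(TIF_SYSCALL_TRACEPOINT))
#define MASK_TRACE_AUDIT \
	(BIT64(TIF_SYSCALL_TRACE) | BIT64(TIF_SYSCALL_AUDIT))
#define MASK_SYSCALL_WORK \
	(BIT64(TIF_SYSCALL_TRACE) | BIT64(TIF_SYSCALL_AUDIT) | \
	 BIT64(TIF_SYSCALL_TRACEPOINT) | BIT64(TIF_SECCOMP))

/* Does v consist of its low `size` bits repeated across all 64 bits? */
static bool replicates(uint64_t v, unsigned size)
{
	if (size == 64)
		return true;
	uint64_t mask = BIT64(size) - 1;
	uint64_t elem = v & mask;
	for (unsigned i = size; i < 64; i += size)
		if (((v >> i) & mask) != elem)
			return false;
	return true;
}

/*
 * Is the `size`-bit element one run of ones, possibly rotated?
 * All-zero and all-one elements are not encodable.
 */
static bool is_rotated_run(uint64_t elem, unsigned size)
{
	uint64_t mask = (size == 64) ? ~0ULL : BIT64(size) - 1;

	elem &= mask;
	if (elem == 0 || elem == mask)
		return false;
	/* Rotate left by one inside the element. */
	uint64_t rot = ((elem << 1) | (elem >> (size - 1))) & mask;
	/* Each set bit here marks the end of one run of ones. */
	uint64_t run_ends = rot & ~elem & mask;
	/* Exactly one run means exactly one bit set. */
	return (run_ends & (run_ends - 1)) == 0;
}

/*
 * A logical immediate is an element of 2, 4, 8, 16, 32 or 64 bits,
 * holding one rotated run of ones, replicated to fill the register.
 */
bool is_logical_imm64(uint64_t v)
{
	for (unsigned size = 2; size <= 64; size *= 2)
		if (replicates(v, size) && is_rotated_run(v, size))
			return true;
	return false;
}

int main(void)
{
	const struct { const char *name; uint64_t mask; } cases[] = {
		{ "TRACE|TRACEPOINT (bits 8,10)", MASK_TRACE_TRACEPOINT },
		{ "TRACE|AUDIT (bits 8,9)", MASK_TRACE_AUDIT },
		{ "all four flags (bits 8-11)", MASK_SYSCALL_WORK },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-30s 0x%03llx  %s\n", cases[i].name,
		       (unsigned long long)cases[i].mask,
		       is_logical_imm64(cases[i].mask) ?
		       "encodable" : "not encodable");
	return 0;
}
```

A mask that fails this check has to be loaded into a register first or tested bit by bit, which is what the back-to-back tbnz instructions did.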

* [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-05  1:54           ` AKASHI Takahiro
@ 2014-02-07 10:07             ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:07 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags introduced, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.
Those features will be implemented later, but it's safe to include them
now because they can not be turned on anyway.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 arch/arm64/kernel/ptrace.c           |   11 +++++------
 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..c3df797 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
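
Review bot: the added comment line names TIF_SECOMP, but the flag defined in the next hunk is TIF_SECCOMP; fix the spelling so that a search for the flag name finds its description. The three new comment entries could also follow the numeric order of the defines (AUDIT 9, TRACEPOINT 10, SECCOMP 11).
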
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
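
Review bot: _TIF_WORK_SYSCALL is used as the immediate operand of tst in entry.S, so it only assembles while the mask is encodable as an AArch64 logical immediate (here the single run of bits 8 to 11), and nothing next to the define says so. Add a short comment stating that the syscall-work flags must stay adjacent, or that the test has to move to a register operand if a flag outside that run is ever added.
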
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..c94b2ab 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_WORK_SYSCALL
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..64ce39f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
 	if (is_compat_task()) {
 		/* AArch32 uses ip (r12) for scratch */
 		saved_reg = regs->regs[12];
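
Review bot: dropping the test_thread_flag(TIF_SYSCALL_TRACE) early return at the top of syscall_trace() means the tracehook_report_syscall_entry()/exit() calls further down, and the r12/x7 scratch-register handling around them, now run whenever any _TIF_WORK_SYSCALL bit is set, including for a task that only has the audit, tracepoint or seccomp flag. The commit message calls this safe because those flags cannot be set yet, but that stops being true as soon as the first of those features lands. Keep the TIF_SYSCALL_TRACE test and move it to guard just the tracehook part, so the other hooks can be added beside it.
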
@@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 		regs->regs[7] = dir;
 	}
 
-	if (dir)
+	if (dir) {
 		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+	} else {
+		if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
+	}
 
 	if (is_compat_task())
 		regs->regs[12] = saved_reg;
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 0/3] arm64: Add audit support
  2014-02-03  6:56     ` AKASHI Takahiro
@ 2014-02-07 10:10       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:10 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "generic compat system call audit support" patch
* "correct a type mismatch in audit_syscall_exit()" patch
   (already accepted and queued in 3.14)
* "Modify a set of system calls in audit class" patch
   (already accepted and queued in 3.14)
* "__NR_* definitions for compat syscalls" patch from Catalin
* "make a single hook to syscall_trace() for all syscall features" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for a better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, i.e. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"


AKASHI Takahiro (3):
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/ptrace.h  |    5 +++++
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |    7 +++++++
 include/uapi/linux/audit.h       |    1 +
 5 files changed, 29 insertions(+)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v4 1/3] arm64: Add regs_return_value() in syscall.h
  2014-02-07 10:10       ` AKASHI Takahiro
@ 2014-02-07 10:10         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:10 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
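
Review bot: the helper added after user_stack_pointer() lands in asm/ptrace.h, while the subject line says syscall.h, and the commit message calls it a macro although it is a static inline function; align the subject and description with the code. Since the function only reads regs->regs[0], the parameter can be declared const struct pt_regs *.
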
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 2/3] arm64: Add audit support
  2014-02-07 10:10       ` AKASHI Takahiro
@ 2014-02-07 10:10         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:10 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index dd4327f..a21455e 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
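
Review bot: the comment above syscall_get_arch() says endianness is ignored, yet both return values (AUDIT_ARCH_ARM and AUDIT_ARCH_AARCH64) carry __AUDIT_ARCH_LE, so a big-endian kernel will label its audit records as little-endian. Say that explicitly in the comment, so that whoever decodes the arch field knows the LE bit is not meaningful on arm64. The regs parameter is unused in the body; if the signature is fixed by the generic interface, note that as well.
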
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
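
Review bot: AUDIT_ARCH_AARCH64 is added to a uapi header with only a little-endian form, while the ARM/ARMEB pair directly below keeps both. Once userspace matches on this value, introducing a big-endian variant later changes what existing rules select, so the commit message should state that a single value for both endiannesses is the intended ABI.
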
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-07 10:10       ` AKASHI Takahiro
@ 2014-02-07 10:10         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:10 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, patches, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 64ce39f..8cdba09 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1076,10 +1078,15 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 	}
 
 	if (dir) {
+		audit_syscall_exit(regs);
 		tracehook_report_syscall_exit(regs, 0);
 	} else {
 		if (tracehook_report_syscall_entry(regs))
 			regs->syscallno = ~0UL;
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
 	}
 
 	if (is_compat_task())
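
Review bot: in the entry branch, audit_syscall_entry() runs after tracehook_report_syscall_entry() may have set regs->syscallno to ~0UL, so the (int) cast hands audit a syscall number of -1 for a call the tracer cancelled. Decide whether that record is wanted: if not, skip the audit call when the syscall was cancelled; if it is, add a comment saying the ordering is deliberate. The first argument is read from regs->orig_x0 while the other three come from regs->regs[1] to regs->regs[3]; a one-line comment on why x0 needs the saved copy would help the next reader.
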
-- 
1.7.9.5


* [PATCH v4 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-07 10:10         ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-07 10:10 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 64ce39f..8cdba09 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1076,10 +1078,15 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 	}
 
 	if (dir) {
+		audit_syscall_exit(regs);
 		tracehook_report_syscall_exit(regs, 0);
 	} else {
 		if (tracehook_report_syscall_entry(regs))
 			regs->syscallno = ~0UL;
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
 	}
 
 	if (is_compat_task())
-- 
1.7.9.5

* Re: [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-07 10:07             ` AKASHI Takahiro
  (?)
@ 2014-02-11 13:49               ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:49 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: will.deacon, linaro-kernel, patches, catalin.marinas, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags introduced, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> Those features will be implemented later, but it's safe to include them
> now because they can not be turned on anyway.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
>  arch/arm64/kernel/entry.S            |    5 +++--
>  arch/arm64/kernel/ptrace.c           |   11 +++++------
>  3 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..c3df797 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h
> @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
>  /*
>   * thread information flags:
>   *  TIF_SYSCALL_TRACE	- syscall trace active
> + *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
> + *  TIF_SYSCALL_AUDIT	- syscall auditing
> + *  TIF_SECOMP		- syscall secure computing
>   *  TIF_SIGPENDING	- signal pending
>   *  TIF_NEED_RESCHED	- rescheduling necessary
>   *  TIF_NOTIFY_RESUME	- callback before returning to user
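
Review bot: the added comment line spells the flag TIF_SECOMP, while the define added in the next hunk is TIF_SECCOMP. Fix the comment so that a grep for the flag name finds its description.
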
> @@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
>  #define TIF_NEED_RESCHED	1
>  #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>  #define TIF_SYSCALL_TRACE	8
> +#define TIF_SYSCALL_AUDIT	9
> +#define TIF_SYSCALL_TRACEPOINT	10
> +#define TIF_SECCOMP		11
>  #define TIF_POLLING_NRFLAG	16
>  #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>  #define TIF_FREEZE		19
> @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
>  #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
>  #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
>  #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
> +#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
> +#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
> +#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
>  #define _TIF_32BIT		(1 << TIF_32BIT)
>  
>  #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
>  				 _TIF_NOTIFY_RESUME)
>  
> +#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
> +
>  #endif /* __KERNEL__ */
>  #endif /* __ASM_THREAD_INFO_H */
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 39ac630..c94b2ab 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
>  	enable_irq
>  
>  	get_thread_info tsk
> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
> +	tst	x16, #_TIF_WORK_SYSCALL
> +	b.ne	__sys_trace
>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
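
Review bot: the new "tst x16, #_TIF_WORK_SYSCALL" assembles only while the mask is encodable as an A64 logical immediate, which holds here because the four flags occupy the contiguous bits 8 to 11. A flag added to _TIF_WORK_SYSCALL at a non-adjacent bit position would break the build at this line, so put a comment next to the TIF_* numbers in thread_info.h stating that the syscall-work flags must stay contiguous.
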
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..64ce39f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;
> -
>  	if (is_compat_task()) {
>  		/* AArch32 uses ip (r12) for scratch */
>  		saved_reg = regs->regs[12];
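
Review bot: with the TIF_SYSCALL_TRACE test removed here and entry.S now branching to __sys_trace for any _TIF_WORK_SYSCALL bit, the tracehook_report_syscall_entry() and tracehook_report_syscall_exit() calls later in this function are reached for tasks that have only the audit, tracepoint or seccomp flag set. Keep a test_thread_flag(TIF_SYSCALL_TRACE) check around the tracehook calls rather than dropping it from the function altogether.
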
> @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  		regs->regs[7] = dir;
>  	}
>  
> -	if (dir)
> +	if (dir) {
>  		tracehook_report_syscall_exit(regs, 0);
> -	else if (tracehook_report_syscall_entry(regs))
> -		regs->syscallno = ~0UL;
> +	} else {
> +		if (tracehook_report_syscall_entry(regs))
> +			regs->syscallno = ~0UL;
> +	}
>  
>  	if (is_compat_task())
>  		regs->regs[12] = saved_reg;
> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* Re: [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-02-11 13:49               ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:49 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linaro-kernel, patches, catalin.marinas, will.deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags introduced, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> Those features will be implemented later, but it's safe to include them
> now because they can not be turned on anyway.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
>  arch/arm64/kernel/entry.S            |    5 +++--
>  arch/arm64/kernel/ptrace.c           |   11 +++++------
>  3 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..c3df797 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h
> @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
>  /*
>   * thread information flags:
>   *  TIF_SYSCALL_TRACE	- syscall trace active
> + *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
> + *  TIF_SYSCALL_AUDIT	- syscall auditing
> + *  TIF_SECOMP		- syscall secure computing
>   *  TIF_SIGPENDING	- signal pending
>   *  TIF_NEED_RESCHED	- rescheduling necessary
>   *  TIF_NOTIFY_RESUME	- callback before returning to user
> @@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
>  #define TIF_NEED_RESCHED	1
>  #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>  #define TIF_SYSCALL_TRACE	8
> +#define TIF_SYSCALL_AUDIT	9
> +#define TIF_SYSCALL_TRACEPOINT	10
> +#define TIF_SECCOMP		11
>  #define TIF_POLLING_NRFLAG	16
>  #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>  #define TIF_FREEZE		19
> @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
>  #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
>  #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
>  #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
> +#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
> +#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
> +#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
>  #define _TIF_32BIT		(1 << TIF_32BIT)
>  
>  #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
>  				 _TIF_NOTIFY_RESUME)
>  
> +#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
> +
>  #endif /* __KERNEL__ */
>  #endif /* __ASM_THREAD_INFO_H */
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 39ac630..c94b2ab 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
>  	enable_irq
>  
>  	get_thread_info tsk
> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
> +	tst	x16, #_TIF_WORK_SYSCALL
> +	b.ne	__sys_trace
>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..64ce39f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;
> -
>  	if (is_compat_task()) {
>  		/* AArch32 uses ip (r12) for scratch */
>  		saved_reg = regs->regs[12];
> @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  		regs->regs[7] = dir;
>  	}
>  
> -	if (dir)
> +	if (dir) {
>  		tracehook_report_syscall_exit(regs, 0);
> -	else if (tracehook_report_syscall_entry(regs))
> -		regs->syscallno = ~0UL;
> +	} else {
> +		if (tracehook_report_syscall_entry(regs))
> +			regs->syscallno = ~0UL;
> +	}
>  
>  	if (is_compat_task())
>  		regs->regs[12] = saved_reg;
> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-02-11 13:49               ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:49 UTC (permalink / raw)
  To: linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags introduced, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> Those features will be implemented later, but it's safe to include them
> now because they can not be turned on anyway.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
>  arch/arm64/kernel/entry.S            |    5 +++--
>  arch/arm64/kernel/ptrace.c           |   11 +++++------
>  3 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..c3df797 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h
> @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
>  /*
>   * thread information flags:
>   *  TIF_SYSCALL_TRACE	- syscall trace active
> + *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
> + *  TIF_SYSCALL_AUDIT	- syscall auditing
> + *  TIF_SECOMP		- syscall secure computing
>   *  TIF_SIGPENDING	- signal pending
>   *  TIF_NEED_RESCHED	- rescheduling necessary
>   *  TIF_NOTIFY_RESUME	- callback before returning to user
> @@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
>  #define TIF_NEED_RESCHED	1
>  #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>  #define TIF_SYSCALL_TRACE	8
> +#define TIF_SYSCALL_AUDIT	9
> +#define TIF_SYSCALL_TRACEPOINT	10
> +#define TIF_SECCOMP		11
>  #define TIF_POLLING_NRFLAG	16
>  #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>  #define TIF_FREEZE		19
> @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
>  #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
>  #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
>  #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
> +#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
> +#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
> +#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
>  #define _TIF_32BIT		(1 << TIF_32BIT)
>  
>  #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
>  				 _TIF_NOTIFY_RESUME)
>  
> +#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
> +
>  #endif /* __KERNEL__ */
>  #endif /* __ASM_THREAD_INFO_H */
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 39ac630..c94b2ab 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
>  	enable_irq
>  
>  	get_thread_info tsk
> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
> +	tst	x16, #_TIF_WORK_SYSCALL
> +	b.ne	__sys_trace
>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..64ce39f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;
> -
>  	if (is_compat_task()) {
>  		/* AArch32 uses ip (r12) for scratch */
>  		saved_reg = regs->regs[12];
> @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  		regs->regs[7] = dir;
>  	}
>  
> -	if (dir)
> +	if (dir) {
>  		tracehook_report_syscall_exit(regs, 0);
> -	else if (tracehook_report_syscall_entry(regs))
> -		regs->syscallno = ~0UL;
> +	} else {
> +		if (tracehook_report_syscall_entry(regs))
> +			regs->syscallno = ~0UL;
> +	}
>  
>  	if (is_compat_task())
>  		regs->regs[12] = saved_reg;
> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* Re: [PATCH v4 0/3] arm64: Add audit support
  2014-02-07 10:10       ` AKASHI Takahiro
  (?)
@ 2014-02-11 13:51         ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:51 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, catalin.marinas, will.deacon, linaro-kernel,
	patches, arndb, linux-kernel, linux-audit, linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
> are supported. Since arm64 has the exact same set of system calls
> on LE and BE, we don't care about endianness (or more specifically
> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
> 
> There are some prerequisites for this patch to work correctly:
> * "generic compat system call audit support" patch
> * "correct a type mismatch in audit_syscall_exit()" patch
>    (already accepted and queued in 3.14)
> * "Modify a set of system calls in audit class" patch
>    (already accepted and queued in 3.14)
> * "__NR_* definitions for compat syscalls" patch from Catalin
> * "make a single hook to syscall_trace() for all syscall features" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)
> 
> Please review them as well for better understanding.
> 
> This code was tested on both 32-bit and 64-bit LE userland 
> in the following two ways:
> 1) basic operations with auditctl/autrace
>   # auditctl -a exit,always -S openat -F path=/etc/inittab
>   # auditctl -a exit,always -F dir=/tmp -F perm=rw
>   # auditctl -a task,always
>   # autrace /bin/ls
>     by comparing output from autrace with one from strace
> 
> 2) audit-test-code (+ my workarounds for arm/arm64)
>   by running "audit-tool", "filter" and "syscalls" test categories.
> 
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>   Please note that a required header, unistd_32.h, is automatically
>   generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>   system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>   which was not intentionally included in v1 because it could be added
>   by "kprobes support".
> 
> Changes v2 -> v3:
> * Remove asm/audit.h.
>   See "generic compat syscall audit support" patch v4
> * Remove endianness dependency, i.e. AUDIT_ARCH_ARMEB/AARCH64EB.
> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>   See Catalin's "Add __NR_* definitions for compat syscalls" patch
> 
> Changes v3 -> v4:
> * Modified to sync with the patch, "make a single hook to syscall_trace()
>   for all syscall features"
> 
> 
> AKASHI Takahiro (3):
>   arm64: Add regs_return_value() in syscall.h
>   arm64: Add audit support
>   arm64: audit: Add audit hook in ptrace/syscall_trace
> 
>  arch/arm64/Kconfig               |    1 +
>  arch/arm64/include/asm/ptrace.h  |    5 +++++
>  arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>  arch/arm64/kernel/ptrace.c       |    7 +++++++
>  include/uapi/linux/audit.h       |    1 +
>  5 files changed, 29 insertions(+)

Compile and regression tested on: ppc s390 x86_64 ppc64 i686 s390x.

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
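
The cover letter quoted above says 32-bit tasks are reported as AUDIT_ARCH_ARM and 64-bit tasks as AUDIT_ARCH_AARCH64. The following added example (not code from this thread or from the audit userspace package) decodes the arch= and syscall= fields of SYSCALL records and shows why a consumer must choose the syscall table by arch. The record strings are constructed, the helper names are hypothetical, and the openat numbers (56 for AArch64, 322 for 32-bit ARM) are assumptions taken from the kernel's syscall tables, not from this page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants as defined in the kernel's uapi headers (elf-em.h, audit.h). */
#define EM_ARM              40
#define EM_AARCH64          183
#define __AUDIT_ARCH_64BIT  0x80000000u
#define __AUDIT_ARCH_LE     0x40000000u
#define AUDIT_ARCH_AARCH64  (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_ARM      (EM_ARM | __AUDIT_ARCH_LE)

/* Assumed from the kernel syscall tables: openat is 56 on AArch64, 322 on ARM. */
#define NR_OPENAT_AARCH64   56
#define NR_OPENAT_ARM       322

/* Constructed sample records (not captured from a real system). */
static const char REC_AARCH64[] =
    "type=SYSCALL msg=audit(1391767800.000:101): arch=c00000b7 syscall=56 "
    "success=yes exit=3 comm=\"ls\"";
static const char REC_COMPAT[] =
    "type=SYSCALL msg=audit(1391767800.000:102): arch=40000028 syscall=322 "
    "success=yes exit=3 comm=\"ls\"";
/* Same number as REC_AARCH64, but in the 32-bit table it is not openat. */
static const char REC_COMPAT_56[] =
    "type=SYSCALL msg=audit(1391767800.000:103): arch=40000028 syscall=56 "
    "success=no exit=-38 comm=\"t\"";

/* Return a pointer to the value of "key" (e.g. "arch="), matching whole fields only. */
static const char *find_field(const char *rec, const char *key)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if (p == rec || p[-1] == ' ')
            return p + klen;
        p += klen;               /* matched inside another field name, keep looking */
    }
    return NULL;
}

/* Raw AUDIT_ARCH_* value of a record (printed in hex), or 0 if missing or malformed. */
uint32_t record_arch(const char *rec)
{
    const char *v = find_field(rec, "arch=");
    char *end;
    unsigned long raw;

    if (!v || !isxdigit((unsigned char)*v))
        return 0;
    errno = 0;
    raw = strtoul(v, &end, 16);
    if (errno || raw > 0xffffffffUL || (*end != ' ' && *end != '\0'))
        return 0;
    return (uint32_t)raw;
}

/* Syscall number of a record (printed in decimal, may be negative); 0 on success. */
int record_syscall(const char *rec, long *nr)
{
    const char *v = find_field(rec, "syscall=");
    char *end;

    if (!v)
        return -1;
    errno = 0;
    *nr = strtol(v, &end, 10);
    if (end == v || errno || (*end != ' ' && *end != '\0'))
        return -1;
    return 0;
}

const char *arch_name(uint32_t arch)
{
    switch (arch) {
    case AUDIT_ARCH_AARCH64: return "AUDIT_ARCH_AARCH64";
    case AUDIT_ARCH_ARM:     return "AUDIT_ARCH_ARM";
    default:                 return "unknown";
    }
}

/* 1 if the record is an openat call, 0 if not, -1 if it cannot be decoded. */
int record_is_openat(const char *rec)
{
    long nr;
    uint32_t arch = record_arch(rec);

    if (arch == 0 || record_syscall(rec, &nr) != 0)
        return -1;
    switch (arch) {
    case AUDIT_ARCH_AARCH64: return nr == NR_OPENAT_AARCH64;
    case AUDIT_ARCH_ARM:     return nr == NR_OPENAT_ARM;
    default:                 return -1;   /* unknown table: do not guess */
    }
}

int main(void)
{
    const char *recs[] = { REC_AARCH64, REC_COMPAT, REC_COMPAT_56 };

    for (size_t i = 0; i < sizeof(recs) / sizeof(recs[0]); i++)
        printf("%-18s openat=%d\n", arch_name(record_arch(recs[i])),
               record_is_openat(recs[i]));
    return 0;
}
```

Because the arch value carries the LE bit on both endiannesses, a consumer can tell AArch64 from compat tasks with it but cannot tell a big-endian kernel from a little-endian one.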

* Re: [PATCH v4 0/3] arm64: Add audit support
@ 2014-02-11 13:51         ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:51 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linaro-kernel, patches, catalin.marinas, will.deacon, arndb,
	linux-kernel, linux-audit, viro, linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
> are supported. Since arm64 has the exact same set of system calls
> on LE and BE, we don't care about endianness (or more specifically
> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
> 
> There are some prerequisites for this patch to work correctly:
> * "generic compat system call audit support" patch
> * "correct a type mismatch in audit_syscall_exit()" patch
>    (already accepted and queued in 3.14)
> * "Modify a set of system calls in audit class" patch
>    (already accepted and queued in 3.14)
> * "__NR_* definitions for compat syscalls" patch from Catalin
> * "make a single hook to syscall_trace() for all syscall features" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)
> 
> Please review them as well for better understanding.
> 
> This code was tested on both 32-bit and 64-bit LE userland 
> in the following two ways:
> 1) basic operations with auditctl/autrace
>   # auditctl -a exit,always -S openat -F path=/etc/inittab
>   # auditctl -a exit,always -F dir=/tmp -F perm=rw
>   # auditctl -a task,always
>   # autrace /bin/ls
>     by comparing output from autrace with one from strace
> 
> 2) audit-test-code (+ my workarounds for arm/arm64)
>   by running "audit-tool", "filter" and "syscalls" test categories.
> 
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>   Please note that a required header, unistd_32.h, is automatically
>   generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>   system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>   which was not intentionally included in v1 because it could be added
>   by "kprobes support".
> 
> Changes v2 -> v3:
> * Remove asm/audit.h.
>   See "generic compat syscall audit support" patch v4
> * Remove endianness dependency, i.e. AUDIT_ARCH_ARMEB/AARCH64EB.
> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>   See Catalin's "Add __NR_* definitions for compat syscalls" patch
> 
> Changes v3 -> v4:
> * Modified to sync with the patch, "make a single hook to syscall_trace()
>   for all syscall features"
> 
> 
> AKASHI Takahiro (3):
>   arm64: Add regs_return_value() in syscall.h
>   arm64: Add audit support
>   arm64: audit: Add audit hook in ptrace/syscall_trace
> 
>  arch/arm64/Kconfig               |    1 +
>  arch/arm64/include/asm/ptrace.h  |    5 +++++
>  arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>  arch/arm64/kernel/ptrace.c       |    7 +++++++
>  include/uapi/linux/audit.h       |    1 +
>  5 files changed, 29 insertions(+)

Compile and regression tested on: ppc s390 x86_64 ppc64 i686 s390x.

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* [PATCH v4 0/3] arm64: Add audit support
@ 2014-02-11 13:51         ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-11 13:51 UTC (permalink / raw)
  To: linux-arm-kernel

On 14/02/07, AKASHI Takahiro wrote:
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
> are supported. Since arm64 has the exact same set of system calls
> on LE and BE, we don't care about endianness (or more specifically
> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
> 
> There are some prerequisites for this patch to work correctly:
> * "generic compat system call audit support" patch
> * "correct a type mismatch in audit_syscall_exit()" patch
>    (already accepted and queued in 3.14)
> * "Modify a set of system calls in audit class" patch
>    (already accepted and queued in 3.14)
> * "__NR_* definitions for compat syscalls" patch from Catalin
> * "make a single hook to syscall_trace() for all syscall features" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)
> 
> Please review them as well for better understanding.
> 
> This code was tested on both 32-bit and 64-bit LE userland 
> in the following two ways:
> 1) basic operations with auditctl/autrace
>   # auditctl -a exit,always -S openat -F path=/etc/inittab
>   # auditctl -a exit,always -F dir=/tmp -F perm=rw
>   # auditctl -a task,always
>   # autrace /bin/ls
>     by comparing output from autrace with one from strace
> 
> 2) audit-test-code (+ my workarounds for arm/arm64)
>   by running "audit-tool", "filter" and "syscalls" test categories.
> 
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>   Please note that a required header, unistd_32.h, is automatically
>   generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>   system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>   which was not intentionally included in v1 because it could be added
>   by "kprobes support".
> 
> Changes v2 -> v3:
> * Remove asm/audit.h.
>   See "generic compat syscall audit support" patch v4
> * Remove endianness dependency, i.e. AUDIT_ARCH_ARMEB/AARCH64EB.
> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>   See Catalin's "Add __NR_* definitions for compat syscalls" patch
> 
> Changes v3 -> v4:
> * Modified to sync with the patch, "make a single hook to syscall_trace()
>   for all syscall features"
> 
> 
> AKASHI Takahiro (3):
>   arm64: Add regs_return_value() in syscall.h
>   arm64: Add audit support
>   arm64: audit: Add audit hook in ptrace/syscall_trace
> 
>  arch/arm64/Kconfig               |    1 +
>  arch/arm64/include/asm/ptrace.h  |    5 +++++
>  arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>  arch/arm64/kernel/ptrace.c       |    7 +++++++
>  include/uapi/linux/audit.h       |    1 +
>  5 files changed, 29 insertions(+)

Compile and regression tested on: ppc s390 x86_64 ppc64 i686 s390x.

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> -- 
> 1.7.9.5
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* Re: [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-07 10:07             ` AKASHI Takahiro
  (?)
@ 2014-02-17 17:35               ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-17 17:35 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Fri, Feb 07, 2014 at 10:07:31AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags introduced, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> Those features will be implemented later, but it's safe to include them
> now because they can not be turned on anyway.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
>  arch/arm64/kernel/entry.S            |    5 +++--
>  arch/arm64/kernel/ptrace.c           |   11 +++++------
>  3 files changed, 21 insertions(+), 8 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..c3df797 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h

[...]

> +#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)

This is called _TIF_SYSCALL_WORK on arch/arm/, any reason not to follow the
naming convention here?

>  #endif /* __KERNEL__ */
>  #endif /* __ASM_THREAD_INFO_H */
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 39ac630..c94b2ab 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
>  	enable_irq
>  
>  	get_thread_info tsk
> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
> +	tst	x16, #_TIF_WORK_SYSCALL
> +	b.ne	__sys_trace
>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..64ce39f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;

This doesn't look right for things like audit (where we don't want to report
the syscall if only _TIF_SYSCALL_AUDIT is set, for example).

>  	if (is_compat_task()) {
>  		/* AArch32 uses ip (r12) for scratch */
>  		saved_reg = regs->regs[12];
> @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  		regs->regs[7] = dir;
>  	}
>  
> -	if (dir)
> +	if (dir) {
>  		tracehook_report_syscall_exit(regs, 0);
> -	else if (tracehook_report_syscall_entry(regs))
> -		regs->syscallno = ~0UL;
> +	} else {
> +		if (tracehook_report_syscall_entry(regs))
> +			regs->syscallno = ~0UL;
> +	}

This hunk doesn't do anything.

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v4 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-07 10:10         ` AKASHI Takahiro
  (?)
@ 2014-02-17 17:42           ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-17 17:42 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

On Fri, Feb 07, 2014 at 10:10:03AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/kernel/ptrace.c |    7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 64ce39f..8cdba09 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -19,6 +19,7 @@
>   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>   */
>  
> +#include <linux/audit.h>
>  #include <linux/kernel.h>
>  #include <linux/sched.h>
>  #include <linux/mm.h>
> @@ -38,6 +39,7 @@
>  #include <asm/compat.h>
>  #include <asm/debug-monitors.h>
>  #include <asm/pgtable.h>
> +#include <asm/syscall.h>
>  #include <asm/traps.h>
>  #include <asm/system_misc.h>
>  
> @@ -1076,10 +1078,15 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  	}
>  
>  	if (dir) {
> +		audit_syscall_exit(regs);
>  		tracehook_report_syscall_exit(regs, 0);
>  	} else {
>  		if (tracehook_report_syscall_entry(regs))
>  			regs->syscallno = ~0UL;
> +		audit_syscall_entry(syscall_get_arch(current, regs),
> +			(int)regs->syscallno,
> +			regs->orig_x0, regs->regs[1],
> +			regs->regs[2], regs->regs[3]);
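
Review bot: in the else branch, audit_syscall_entry() reads regs->syscallno after tracehook_report_syscall_entry() may have set it to ~0UL, so for a syscall the tracer cancelled the `(int)regs->syscallno` argument is -1. Add a comment saying whether an audit record with syscall number -1 is intended here, or skip the audit call when the tracehook returned non-zero.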

Again, I don't think we should just lump tracehook and audit together like
this without checking the flags (see my reply to the previous patch series).

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-17 17:35               ` Will Deacon
  (?)
@ 2014-02-19 11:53                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-19 11:53 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, patches

Hi,

On 02/18/2014 02:35 AM, Will Deacon wrote:
> On Fri, Feb 07, 2014 at 10:07:31AM +0000, AKASHI Takahiro wrote:
>> Currently syscall_trace() is called only for ptrace.
>> With additional TIF_xx flags introduced, it is now called in all the cases
>> of audit, ftrace and seccomp in addition to ptrace.
>> Those features will be implemented later, but it's safe to include them
>> now because they can not be turned on anyway.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
>>   arch/arm64/kernel/entry.S            |    5 +++--
>>   arch/arm64/kernel/ptrace.c           |   11 +++++------
>>   3 files changed, 21 insertions(+), 8 deletions(-)
>>
>> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
>> index 720e70b..c3df797 100644
>> --- a/arch/arm64/include/asm/thread_info.h
>> +++ b/arch/arm64/include/asm/thread_info.h
>
> [...]
>
>> +#define _TIF_WORK_SYSCALL	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
>> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
>
> This is called _TIF_SYSCALL_WORK on arch/arm/, any reason not to follow the
> naming convention here?

This is called _TIF_WORK_SYSCALL on arch/x86 :-)
That is the only reason, and so I don't have any objection to following arm
if you prefer it.

>>   #endif /* __KERNEL__ */
>>   #endif /* __ASM_THREAD_INFO_H */
>> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
>> index 39ac630..c94b2ab 100644
>> --- a/arch/arm64/kernel/entry.S
>> +++ b/arch/arm64/kernel/entry.S
>> @@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
>>   	enable_irq
>>
>>   	get_thread_info tsk
>> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
>> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
>> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
>> +	tst	x16, #_TIF_WORK_SYSCALL
>> +	b.ne	__sys_trace
>>   	adr	lr, ret_fast_syscall		// return address
>>   	cmp     scno, sc_nr                     // check upper syscall limit
>>   	b.hs	ni_sys
>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 6a8928b..64ce39f 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -1062,9 +1062,6 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>   {
>>   	unsigned long saved_reg;
>>
>> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
>> -		return regs->syscallno;
>
> This doesn't look right for things like audit (where we don't want to report
> the syscall if only _TIF_SYSCALL_AUDIT is set, for example).

Yeah, it is my screwup.
I will add the guards against TIF_SYSCALL_TRACE (for ptrace),
TIF_SYSCALL_TRACEPOINT (for ftrace) and TIF_SYSCALL_AUDIT (for audit).

secure_computing() is protected in itself.

>>   	if (is_compat_task()) {
>>   		/* AArch32 uses ip (r12) for scratch */
>>   		saved_reg = regs->regs[12];
>> @@ -1078,10 +1075,12 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>   		regs->regs[7] = dir;
>>   	}
>>
>> -	if (dir)
>> +	if (dir) {
>>   		tracehook_report_syscall_exit(regs, 0);
>> -	else if (tracehook_report_syscall_entry(regs))
>> -		regs->syscallno = ~0UL;
>> +	} else {
>> +		if (tracehook_report_syscall_entry(regs))
>> +			regs->syscallno = ~0UL;
>> +	}
>
> This hunk doesn't do anything.

Well, this is just a change for future patches, but
I will remove it anyway due to the guards mentioned above.

-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-07 10:07             ` AKASHI Takahiro
@ 2014-02-25  9:14               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:14 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This patch makes it easy to add syscall-related hooks, including ftrace,
audit and seccomp, in syscall_trace() later.
Those features will be implemented in separate patchsets, but it's safe to
check for all TIF_* now because they cannot be turned on anyway.

Changes v1 -> v2:
* added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*()
* renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK

AKASHI Takahiro (1):
  arm64: make a single hook to syscall_trace() for all syscall features

 arch/arm64/include/asm/thread_info.h |   13 ++++++++++
 arch/arm64/kernel/entry.S            |    5 ++--
 arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
 3 files changed, 38 insertions(+), 25 deletions(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread
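
A user-space model of the per-flag guard discussed in this thread, added here as an illustration and not code from the patch or the kernel. It uses the flag bit numbers from the v2 patch on this page; the RAN_* markers, the function names, and the audit and tracepoint branches (hooks the thread says come in later patches) are assumptions.

```c
#include <stdio.h>

/* Bit numbers and masks as defined in the v2 patch on this page. */
#define TIF_SYSCALL_TRACE	8
#define TIF_SYSCALL_AUDIT	9
#define TIF_SYSCALL_TRACEPOINT	10
#define TIF_SECCOMP		11

#define _TIF_SYSCALL_TRACE	(1UL << TIF_SYSCALL_TRACE)
#define _TIF_SYSCALL_AUDIT	(1UL << TIF_SYSCALL_AUDIT)
#define _TIF_SYSCALL_TRACEPOINT	(1UL << TIF_SYSCALL_TRACEPOINT)
#define _TIF_SECCOMP		(1UL << TIF_SECCOMP)
#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)

/* Hypothetical markers recording which hook the model ran. */
#define RAN_PTRACE	0x1u
#define RAN_AUDIT	0x2u
#define RAN_TRACEPOINT	0x4u

/* Model of the entry.S test: any bit of the mask sends the task to __sys_trace. */
static int takes_slow_path(unsigned long flags)
{
	return (flags & _TIF_SYSCALL_WORK) != 0;
}

/*
 * v1 shape: the TIF_SYSCALL_TRACE early return is removed and nothing
 * replaces it, so the ptrace report runs for every task on the slow path.
 */
static unsigned int hooks_unguarded(unsigned long flags)
{
	if (!takes_slow_path(flags))
		return 0;
	return RAN_PTRACE;
}

/*
 * Guarded shape: each hook sits behind its own flag. seccomp has no branch
 * because, per the reply, secure_computing() checks for itself.
 */
static unsigned int hooks_guarded(unsigned long flags)
{
	unsigned int ran = 0;

	if (!takes_slow_path(flags))
		return 0;
	if (flags & _TIF_SYSCALL_TRACE)
		ran |= RAN_PTRACE;
	if (flags & _TIF_SYSCALL_AUDIT)
		ran |= RAN_AUDIT;
	if (flags & _TIF_SYSCALL_TRACEPOINT)
		ran |= RAN_TRACEPOINT;
	return ran;
}

/* Count flag combinations where the unguarded shape reports to ptrace
 * although TIF_SYSCALL_TRACE is clear. */
static int count_spurious_ptrace_reports(void)
{
	int spurious = 0;
	unsigned long combo;

	for (combo = 0; combo < 16; combo++) {
		unsigned long flags = combo << TIF_SYSCALL_TRACE;
		unsigned int v1 = hooks_unguarded(flags) & RAN_PTRACE;
		unsigned int v2 = hooks_guarded(flags) & RAN_PTRACE;

		if (v1 && !v2)
			spurious++;
	}
	return spurious;
}

/*
 * A single contiguous run of set bits (short of all 64) can be encoded as an
 * AArch64 logical immediate, which is what "tst x16, #mask" needs.
 */
static int is_single_run_of_ones(unsigned long mask)
{
	if (mask == 0 || mask == ~0UL)
		return 0;
	while (!(mask & 1))
		mask >>= 1;
	return (mask & (mask + 1)) == 0;
}

int main(void)
{
	printf("audit-only task, unguarded hooks: %#x\n",
	       hooks_unguarded(_TIF_SYSCALL_AUDIT));
	printf("audit-only task, guarded hooks:   %#x\n",
	       hooks_guarded(_TIF_SYSCALL_AUDIT));
	printf("combinations with a spurious ptrace report: %d\n",
	       count_spurious_ptrace_reports());
	printf("_TIF_SYSCALL_WORK is one run of ones: %d\n",
	       is_single_run_of_ones(_TIF_SYSCALL_WORK));
	return 0;
}
```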

* [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-25  9:14               ` AKASHI Takahiro
@ 2014-02-25  9:14                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:14 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/include/asm/thread_info.h |   13 ++++++++++
 arch/arm64/kernel/entry.S            |    5 ++--
 arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
 3 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
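
Review bot: the added comment line spells the flag `TIF_SECOMP`, while the define added in the next hunk is `TIF_SECCOMP`; fix the comment so a search for the flag name finds its description. The three new comment lines are also ordered TRACEPOINT, AUDIT, SECCOMP, whereas the bit numbers assigned below run AUDIT (9), TRACEPOINT (10), SECCOMP (11); listing them in numeric order would read more easily.
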
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
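
Review bot: `tst x16, #_TIF_SYSCALL_WORK` takes the mask as a logical immediate, which assembles here because the four flags occupy adjacent bits 8 to 11 in thread_info.h, and nothing at the TIF_ definitions records that constraint. A flag added to the mask later at a non-adjacent bit may no longer be encodable, so a one-line comment beside the defines, or loading the mask into a register before the tst, would save the next person a confusing assembler error.
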
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+		if (is_compat_task()) {
+			/* AArch32 uses ip (r12) for scratch */
+			saved_reg = regs->regs[12];
+			regs->regs[12] = dir;
+		} else {
+			/*
+			 * Save X7. X7 is used to denote syscall entry/exit:
+			 *   X7 = 0 -> entry, = 1 -> exit
+			 */
+			saved_reg = regs->regs[7];
+			regs->regs[7] = dir;
+		}
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+		if (dir)
+			tracehook_report_syscall_exit(regs, 0);
+		else if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+		if (is_compat_task())
+			regs->regs[12] = saved_reg;
+		else
+			regs->regs[7] = saved_reg;
+	}
 
 	return regs->syscallno;
 }
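
Review bot: with the body wrapped in `if (test_thread_flag(TIF_SYSCALL_TRACE))`, syscall_trace() returns without doing anything for a task that reached it through _TIF_SYSCALL_AUDIT, _TIF_SYSCALL_TRACEPOINT or _TIF_SECCOMP alone, and neither the code nor this commit message says so (the v1 message and the v2 cover letter do). A short comment above the guard, or the "implemented later" sentence restored in the commit message, would document that. `saved_reg` could also be declared inside the new block, which is now its only user.
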
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-02-25  9:14                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:14 UTC (permalink / raw)
  To: linux-arm-kernel

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/include/asm/thread_info.h |   13 ++++++++++
 arch/arm64/kernel/entry.S            |    5 ++--
 arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
 3 files changed, 38 insertions(+), 25 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
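Review bot: the flag name in the added comment line is misspelled as TIF_SECOMP, while the define added further down in this file is TIF_SECCOMP; correct the comment so that a search for the flag name finds its description. The three new comment entries are also listed in a different order (TRACEPOINT, AUDIT, SECCOMP) from the defines (AUDIT 9, TRACEPOINT 10, SECCOMP 11); listing them in numeric order would make the block easier to check against the values.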
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
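Review bot: the new `tst x16, #_TIF_SYSCALL_WORK` only assembles because the mask is encodable as an AArch64 logical immediate, which holds here because the four flags occupy the contiguous bits 8 to 11. A later renumbering that leaves a gap between TIF_SYSCALL_TRACE and TIF_SECCOMP would break the build at this instruction, so a short comment beside the TIF_ defines (or here) stating that the syscall-work flags must stay contiguous would help. The branch target is still named __sys_trace although it is now taken for audit, tracepoint and seccomp as well; the updated "check for syscall hooks" comment covers that, but it is worth confirming that the slow path behind that label makes no tracing-only assumptions.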
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..c70133e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+		if (is_compat_task()) {
+			/* AArch32 uses ip (r12) for scratch */
+			saved_reg = regs->regs[12];
+			regs->regs[12] = dir;
+		} else {
+			/*
+			 * Save X7. X7 is used to denote syscall entry/exit:
+			 *   X7 = 0 -> entry, = 1 -> exit
+			 */
+			saved_reg = regs->regs[7];
+			regs->regs[7] = dir;
+		}
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+		if (dir)
+			tracehook_report_syscall_exit(regs, 0);
+		else if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+		if (is_compat_task())
+			regs->regs[12] = saved_reg;
+		else
+			regs->regs[7] = saved_reg;
+	}
 
 	return regs->syscallno;
 }
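Review bot: after this hunk the whole body of syscall_trace() is still guarded by test_thread_flag(TIF_SYSCALL_TRACE), so a task that has only TIF_SYSCALL_AUDIT, TIF_SYSCALL_TRACEPOINT or TIF_SECCOMP set is now diverted to the slow path by the entry.S change and simply gets regs->syscallno back with no hook run. The commit message reads as though audit, ftrace and seccomp are already handled here; please state that this patch only prepares the single entry point and that the individual hooks arrive in follow-up patches, so nobody assumes seccomp or audit is enforced on arm64 from this commit alone. Since saved_reg is now assigned and consumed only inside the new block, its declaration could move into that block as well.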
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-03  6:00               ` AKASHI Takahiro
                                   ` (2 preceding siblings ...)
  (?)
@ 2014-02-25  9:16                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
                SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Changes v1 -> v2:
* rebased to 3.14-rcX, and so added a change on ALPHA

AKASHI Takahiro (1):
  audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: catalin.marinas, will.deacon, dsaxena, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, x86, linux-alpha,
	linux-ia64, linux-parisc, linuxppc-dev, linux-s390, linux-sh,
	sparclinux, user-mode-linux-devel, user-mode-linux-user,
	AKASHI Takahiro

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
                SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Changes v1 -> v2:
* rebased to 3.14-rcX, and so added a change on ALPHA

AKASHI Takahiro (1):
  audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, catalin.marinas, x86, will.deacon,
	linux-kernel, AKASHI Takahiro, linux-alpha, dsaxena,
	user-mode-linux-user, linux-audit, sparclinux, linuxppc-dev,
	linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
                SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Changes v1 -> v2:
* rebased to 3.14-rcX, and so added a change on ALPHA

AKASHI Takahiro (1):
  audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
                SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Changes v1 -> v2:
* rebased to 3.14-rcX, and so added a change on ALPHA

AKASHI Takahiro (1):
  audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 0/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, catalin.marinas, x86, will.deacon,
	linux-kernel, AKASHI Takahiro, linux-alpha, dsaxena,
	user-mode-linux-user, linux-audit, sparclinux, linuxppc-dev,
	linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
                SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Changes v1 -> v2:
* rebased to 3.14-rcX, and so added a change on ALPHA

AKASHI Takahiro (1):
  audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL

 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-25  9:16                 ` AKASHI Takahiro
                                     ` (2 preceding siblings ...)
  (?)
@ 2014-02-25  9:16                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 957bf34..7b3b8fe 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -141,6 +141,7 @@ config PPC
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 65a0775..1b58568 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 6357710..4addd87 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index c51efdc..9c74d6b 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -77,6 +77,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0af5250..2938365 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,6 +127,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 009a797..d4ec53d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
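Review bot: the new HAVE_ARCH_AUDITSYSCALL symbol is added as a bare `bool` with no comment, so an architecture maintainer has nothing in init/Kconfig that says what must be implemented before selecting it. A short comment above the symbol naming the requirements (for example the syscall entry/exit audit hooks and the architecture's AUDIT_ARCH_ value) would stop a port from selecting it prematurely and getting a kernel that offers AUDITSYSCALL without recording anything. The conversion itself looks behaviour-preserving from the visible hunks: every term of the removed `depends on` expression has a matching select, and the ARM select keeps the `AEABI && !OABI_COMPAT` condition.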
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: catalin.marinas, will.deacon, dsaxena, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, x86, linux-alpha,
	linux-ia64, linux-parisc, linuxppc-dev, linux-s390, linux-sh,
	sparclinux, user-mode-linux-devel, user-mode-linux-user,
	AKASHI Takahiro

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 957bf34..7b3b8fe 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -141,6 +141,7 @@ config PPC
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 65a0775..1b58568 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 6357710..4addd87 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index c51efdc..9c74d6b 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -77,6 +77,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0af5250..2938365 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,6 +127,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 009a797..d4ec53d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, catalin.marinas, x86, will.deacon,
	linux-kernel, AKASHI Takahiro, linux-alpha, dsaxena,
	user-mode-linux-user, linux-audit, sparclinux, linuxppc-dev,
	linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 957bf34..7b3b8fe 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -141,6 +141,7 @@ config PPC
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 65a0775..1b58568 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 6357710..4addd87 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index c51efdc..9c74d6b 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -77,6 +77,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0af5250..2938365 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,6 +127,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 009a797..d4ec53d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 957bf34..7b3b8fe 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -141,6 +141,7 @@ config PPC
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 65a0775..1b58568 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 6357710..4addd87 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index c51efdc..9c74d6b 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -77,6 +77,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0af5250..2938365 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,6 +127,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 009a797..d4ec53d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25  9:16                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:16 UTC (permalink / raw)
  To: viro, eparis, rgb, arndb
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, catalin.marinas, x86, will.deacon,
	linux-kernel, AKASHI Takahiro, linux-alpha, dsaxena,
	user-mode-linux-user, linux-audit, sparclinux, linuxppc-dev,
	linux-arm-kernel

Currently AUDITSYSCALL has a long list of architecture dependencies:
       depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
for simplicity.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/alpha/Kconfig     |    1 +
 arch/arm/Kconfig       |    1 +
 arch/ia64/Kconfig      |    1 +
 arch/parisc/Kconfig    |    1 +
 arch/powerpc/Kconfig   |    1 +
 arch/s390/Kconfig      |    1 +
 arch/sh/Kconfig        |    1 +
 arch/sparc/Kconfig     |    1 +
 arch/um/Kconfig.common |    1 +
 arch/x86/Kconfig       |    1 +
 init/Kconfig           |    5 ++++-
 11 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
index f6c6b34..b7ff9a3 100644
--- a/arch/alpha/Kconfig
+++ b/arch/alpha/Kconfig
@@ -22,6 +22,7 @@ config ALPHA
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ODD_RT_SIGACTION
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index e254198..ca79340 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -24,6 +24,7 @@ config ARM
 	select GENERIC_STRNCPY_FROM_USER
 	select GENERIC_STRNLEN_USER
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
 	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
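Review bot: the `if (AEABI && !OABI_COMPAT)` condition on the new select carries the ARM-only restriction out of init/Kconfig, but nothing here says why OABI_COMPAT rules out syscall auditing. The same condition already guards HAVE_ARCH_SECCOMP_FILTER two lines below, so a one-line comment covering both selects would keep the rationale visible now that it is no longer spelled out next to AUDITSYSCALL.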
diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
index 0c8e553..5409bf4 100644
--- a/arch/ia64/Kconfig
+++ b/arch/ia64/Kconfig
@@ -44,6 +44,7 @@ config IA64
 	select HAVE_MOD_ARCH_SPECIFIC
 	select MODULES_USE_ELF_RELA
 	select ARCH_USE_CMPXCHG_LOCKREF
+	select HAVE_ARCH_AUDITSYSCALL
 	default y
 	help
 	  The Itanium Processor Family is Intel's 64-bit successor to
diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
index bb2a8ec..1faefed 100644
--- a/arch/parisc/Kconfig
+++ b/arch/parisc/Kconfig
@@ -28,6 +28,7 @@ config PARISC
 	select CLONE_BACKWARDS
 	select TTY # Needed for pdc_cons.c
 	select HAVE_DEBUG_STACKOVERFLOW
+	select HAVE_ARCH_AUDITSYSCALL
 
 	help
 	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 957bf34..7b3b8fe 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -141,6 +141,7 @@ config PPC
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK
 	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
+	select HAVE_ARCH_AUDITSYSCALL
 
 config GENERIC_CSUM
 	def_bool CPU_LITTLE_ENDIAN
diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 65a0775..1b58568 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -103,6 +103,7 @@ config S390
 	select GENERIC_SMP_IDLE_THREAD
 	select GENERIC_TIME_VSYSCALL
 	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
 	select HAVE_ARCH_SECCOMP_FILTER
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
index 6357710..4addd87 100644
--- a/arch/sh/Kconfig
+++ b/arch/sh/Kconfig
@@ -42,6 +42,7 @@ config SUPERH
 	select MODULES_USE_ELF_RELA
 	select OLD_SIGSUSPEND
 	select OLD_SIGACTION
+	select HAVE_ARCH_AUDITSYSCALL
 	help
 	  The SuperH is a RISC processor targeted for use in embedded systems
 	  and consumer electronics; it was also used in the Sega Dreamcast
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index c51efdc..9c74d6b 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -77,6 +77,7 @@ config SPARC64
 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
 	select HAVE_C_RECORDMCOUNT
 	select NO_BOOTMEM
+	select HAVE_ARCH_AUDITSYSCALL
 
 config ARCH_DEFCONFIG
 	string
diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
index 21ca44c..6915d28 100644
--- a/arch/um/Kconfig.common
+++ b/arch/um/Kconfig.common
@@ -1,6 +1,7 @@
 config UML
 	bool
 	default y
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_UID16
 	select GENERIC_IRQ_SHOW
 	select GENERIC_CPU_DEVICES
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 0af5250..2938365 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -127,6 +127,7 @@ config X86
 	select HAVE_DEBUG_STACKOVERFLOW
 	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
 	select HAVE_CC_STACKPROTECTOR
+	select HAVE_ARCH_AUDITSYSCALL
 
 config INSTRUCTION_DECODER
 	def_bool y
diff --git a/init/Kconfig b/init/Kconfig
index 009a797..d4ec53d 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -282,9 +282,12 @@ config AUDIT
 	  logging of avc messages output).  Does not do system-call
 	  auditing without CONFIG_AUDITSYSCALL.
 
+config HAVE_ARCH_AUDITSYSCALL
+	bool
+
 config AUDITSYSCALL
 	bool "Enable system-call auditing support"
-	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
+	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
 	default y if SECURITY_SELINUX
 	help
 	  Enable low-overhead system-call auditing infrastructure that
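Review bot: the new `config HAVE_ARCH_AUDITSYSCALL` is a bare `bool` with no comment describing what an architecture has to provide before it may select it. Since this symbol is now the only gate in front of AUDITSYSCALL, a short comment above it listing the arch-side requirements would stop a new port from selecting it prematurely and ending up with audit rules that load but never fire. The conversion itself looks equivalent: ten terms are removed from the `depends on` line and the diffstat shows ten arch Kconfig files gaining the select, with the SPARC64 and ARM conditions preserved.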
-- 
1.7.9.5

_______________________________________________
Linuxppc-dev mailing list
Linuxppc-dev@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/linuxppc-dev

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 0/3] arm64: Add audit support
  2014-02-07 10:10       ` AKASHI Takahiro
@ 2014-02-25  9:18         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "generic compat system call audit support" patch
* "__NR_* definitions for compat syscalls" patch from Catalin
* "make a single hook to syscall_trace() for all syscall features" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

AKASHI Takahiro (3):
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/ptrace.h  |    5 +++++
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |   11 +++++++++++
 include/uapi/linux/audit.h       |    1 +
 5 files changed, 33 insertions(+)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread
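The cover letter above says both 32-bit (AUDIT_ARCH_ARM) and 64-bit (AUDIT_ARCH_AARCH64) tasks are audited on one kernel. The following is an added example, not code from the patch set or from the audit userspace tools: a small C decoder showing why a SYSCALL record's syscall number has to be read together with its arch= field. The record lines and the six-entry syscall table are constructed for illustration; the EM_* values come from the ELF machine list.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* EM_* from the ELF machine list; flag bits and AUDIT_ARCH_* as in patch 2/3. */
#define EM_ARM             40
#define EM_AARCH64         183
#define __AUDIT_ARCH_64BIT 0x80000000u
#define __AUDIT_ARCH_LE    0x40000000u
#define AUDIT_ARCH_ARM     (EM_ARM | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)

struct sysname { uint32_t arch; int nr; const char *name; };

/* Small excerpt of the two syscall tables, enough to show the collisions. */
static const struct sysname table[] = {
    { AUDIT_ARCH_AARCH64, 5,   "setxattr" },
    { AUDIT_ARCH_AARCH64, 56,  "openat"   },
    { AUDIT_ARCH_AARCH64, 64,  "write"    },
    { AUDIT_ARCH_ARM,     5,   "open"     },
    { AUDIT_ARCH_ARM,     64,  "getppid"  },
    { AUDIT_ARCH_ARM,     322, "openat"   },
};

/* Constructed sample records (not captured from a real system). */
static const char REC_NATIVE[] =
    "type=SYSCALL msg=audit(1393319880.101:41): arch=c00000b7 syscall=56 "
    "success=yes exit=3 a0=ffffffffffffff9c a1=7fd1c2a0 a2=0 a3=0 comm=\"cat\"";
static const char REC_COMPAT[] =
    "type=SYSCALL msg=audit(1393319880.207:42): arch=40000028 syscall=322 "
    "success=yes exit=3 a0=ffffff9c a1=bef1c2a0 a2=0 a3=0 comm=\"cat\"";
static const char REC_NATIVE_5[] =
    "type=SYSCALL msg=audit(1393319881.015:43): arch=c00000b7 syscall=5 "
    "success=yes exit=0 a0=7fd1c2a0 a1=7fd1c300 a2=7fd1c400 a3=8";
static const char REC_COMPAT_5[] =
    "type=SYSCALL msg=audit(1393319881.330:44): arch=40000028 syscall=5 "
    "success=yes exit=3 a0=bef1c2a0 a1=0 a2=0 a3=0";

/* Parse the number after "key" (e.g. "arch="); returns 0 on success. */
static int field(const char *rec, const char *key, int base, unsigned long *out)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        /* Accept the key only at a field boundary. */
        if (p == rec || p[-1] == ' ') {
            char *end;
            unsigned long v;

            errno = 0;
            v = strtoul(p + klen, &end, base);
            if (end == p + klen || errno)
                return -1;
            *out = v;
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* 1 for an AArch32 (compat) record, 0 for a 64-bit one, -1 if unparsable. */
int record_is_compat(const char *rec)
{
    unsigned long arch;

    if (field(rec, "arch=", 16, &arch))
        return -1;
    return ((uint32_t)arch & __AUDIT_ARCH_64BIT) ? 0 : 1;
}

/* Resolve the syscall name using the table selected by arch=. */
const char *resolve_syscall(const char *rec)
{
    unsigned long arch, nr;
    size_t i;

    if (field(rec, "arch=", 16, &arch) || field(rec, "syscall=", 10, &nr))
        return NULL;
    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (table[i].arch == (uint32_t)arch && table[i].nr == (int)nr)
            return table[i].name;
    return "unknown";
}

int main(void)
{
    const char *recs[] = { REC_NATIVE, REC_COMPAT, REC_NATIVE_5, REC_COMPAT_5 };
    size_t i;

    for (i = 0; i < sizeof(recs) / sizeof(recs[0]); i++)
        printf("compat=%d syscall=%s\n",
               record_is_compat(recs[i]), resolve_syscall(recs[i]));
    return 0;
}
```

The same reasoning applies when writing rules: a rule such as the `-S openat` test in the cover letter matches a syscall number, so it has to be loaded once per syscall table that the monitored tasks can use.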

* [PATCH v5 0/3] arm64: Add audit support
@ 2014-02-25  9:18         ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: linux-arm-kernel

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "generic compat system call audit support" patch
* "__NR_* definitions for compat syscalls" patch from Catalin
* "make a single hook to syscall_trace() for all syscall features" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

AKASHI Takahiro (3):
  arm64: Add regs_return_value() in syscall.h
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/ptrace.h  |    5 +++++
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |   11 +++++++++++
 include/uapi/linux/audit.h       |    1 +
 5 files changed, 33 insertions(+)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v5 1/3] arm64: Add regs_return_value() in syscall.h
  2014-02-25  9:18         ` AKASHI Takahiro
@ 2014-02-25  9:18           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
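Review bot: the changelog calls regs_return_value a macro and the subject line names syscall.h, but this hunk adds a static inline function to asm/ptrace.h. Please make the subject and description match the code, since the audit exit path depends on this accessor and people searching the history for it will look under the file named in the subject.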
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 1/3] arm64: Add regs_return_value() in syscall.h
@ 2014-02-25  9:18           ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 2/3] arm64: Add audit support
  2014-02-25  9:18         ` AKASHI Takahiro
@ 2014-02-25  9:18           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
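Review bot: in syscall_get_arch() the comment says the __AUDIT_ARCH_LE bit is not cared about, yet both values returned (AUDIT_ARCH_ARM and AUDIT_ARCH_AARCH64) have that bit set, so records from a big-endian kernel would still carry the little-endian tag. Please state that outright in the comment, for example that the function always reports the LE constant and that arch identifies the syscall table only, so nobody filtering or correlating on arch= reads endianness into it. The `regs` parameter is also unused in the body; if it is there only to match a common prototype, a word in the comment would help.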
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
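Review bot: the new AUDIT_ARCH_AARCH64 line depends on EM_AARCH64, which nothing in this patch defines; please confirm the ELF machine header used by this uapi file already provides it, or add it in the same series so that userspace builds against the exported header do not break. Unlike the ARM/ARMEB pair directly below, no big-endian counterpart is added. That matches the comment in syscall_get_arch(), but the changelog should say so because this header is userspace ABI.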
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 2/3] arm64: Add audit support
@ 2014-02-25  9:18           ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: linux-arm-kernel

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-25  9:18         ` AKASHI Takahiro
@ 2014-02-25  9:18           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/kernel/ptrace.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index c70133e..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1062,6 +1064,9 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
 		if (is_compat_task()) {
 			/* AArch32 uses ip (r12) for scratch */
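Review bot: the exit hook at the top of syscall_trace() sits before the TIF_SYSCALL_TRACE block, while the entry hook in the next hunk sits after it, and nothing documents that asymmetry. If the intent is that audit_syscall_exit(regs) records the result before the trace block can touch the registers, and that the entry record is taken after it, please say so in a comment above `if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))`. `dir` is also a bare int used as an entry/exit boolean; naming the two values would make both tests easier to check.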
@@ -1087,5 +1092,11 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 			regs->regs[7] = saved_reg;
 	}
 
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
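Review bot: in the audit_syscall_entry() call the first argument comes from regs->orig_x0 while the other three come from regs->regs[1] to regs->regs[3], and the call is made after the TIF_SYSCALL_TRACE block has run. If anything in that block can leave regs->regs[0] different from orig_x0, the audit record would show a first argument from a different source than the rest. Please add a comment explaining why orig_x0 is the right source here, or confirm the two cannot diverge at this point. The `(int)regs->syscallno` cast also deserves a note on what is logged when syscallno does not hold a valid number.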
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 3/3] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-25  9:18           ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-25  9:18 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
---
 arch/arm64/kernel/ptrace.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index c70133e..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1062,6 +1064,9 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
 		if (is_compat_task()) {
 			/* AArch32 uses ip (r12) for scratch */
@@ -1087,5 +1092,11 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 			regs->regs[7] = saved_reg;
 	}
 
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-25  9:16                   ` AKASHI Takahiro
                                       ` (2 preceding siblings ...)
  (?)
@ 2014-02-25 14:53                     ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 14:53 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, rgb, Catalin Marinas, x86, arndb, eparis,
	linux-kernel, linux-alpha, dsaxena, viro,
	user-mode-linux-user@lists.sourceforge.net


^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25 14:53                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 14:53 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, rgb, Catalin Marinas, x86, arndb, eparis,
	linux-kernel, linux-alpha, dsaxena, viro,
	user-mode-linux-user@lists.sourceforge.net

On Tue, Feb 25, 2014 at 09:16:24AM +0000, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.

Looks sensible to me:

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25 14:53                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 14:53 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, rgb, Catalin Marinas, x86, arndb, eparis,
	linux-kernel, linux-alpha, dsaxena, viro, user-mode-linux-user,
	linux-audit, sparclinux, linuxppc-dev, linux-arm-kernel

On Tue, Feb 25, 2014 at 09:16:24AM +0000, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.

Looks sensible to me:

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25 14:53                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 14:53 UTC (permalink / raw)
  To: linux-arm-kernel

On Tue, Feb 25, 2014 at 09:16:24AM +0000, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.

Looks sensible to me:

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25 14:53                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 14:53 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linux-s390, linaro-kernel, linux-ia64, user-mode-linux-devel,
	linux-parisc, linux-sh, rgb, Catalin Marinas, x86, arndb, eparis,
	linux-kernel, linux-alpha, dsaxena, viro, user-mode-linux-user,
	linux-audit, sparclinux, linuxppc-dev, linux-arm-kernel

On Tue, Feb 25, 2014 at 09:16:24AM +0000, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.

Looks sensible to me:

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-25  9:14                 ` AKASHI Takahiro
  (?)
@ 2014-02-25 15:00                   ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-25 15:00 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  arch/arm64/include/asm/thread_info.h |   13 ++++++++++
>  arch/arm64/kernel/entry.S            |    5 ++--
>  arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
>  3 files changed, 38 insertions(+), 25 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
> index 720e70b..0a8b2a9 100644
> --- a/arch/arm64/include/asm/thread_info.h
> +++ b/arch/arm64/include/asm/thread_info.h
> @@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
>  /*
>   * thread information flags:
>   *  TIF_SYSCALL_TRACE	- syscall trace active
> + *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
> + *  TIF_SYSCALL_AUDIT	- syscall auditing
> + *  TIF_SECOMP		- syscall secure computing
>   *  TIF_SIGPENDING	- signal pending
>   *  TIF_NEED_RESCHED	- rescheduling necessary
>   *  TIF_NOTIFY_RESUME	- callback before returning to user
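
Review bot: The added comment line names TIF_SECOMP, but the flag this patch defines two hunks later is TIF_SECCOMP (bit 11). Fix the spelling so that a grep for the flag name also finds its description. The three new comment lines also list TRACEPOINT before AUDIT while the definitions number AUDIT 9 and TRACEPOINT 10; using the same order in both places makes them easier to compare.
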
> @@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
>  #define TIF_NEED_RESCHED	1
>  #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
>  #define TIF_SYSCALL_TRACE	8
> +#define TIF_SYSCALL_AUDIT	9
> +#define TIF_SYSCALL_TRACEPOINT	10
> +#define TIF_SECCOMP		11
>  #define TIF_POLLING_NRFLAG	16
>  #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
>  #define TIF_FREEZE		19
> @@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
>  #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
>  #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
>  #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
> +#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
> +#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
> +#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
> +#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
>  #define _TIF_32BIT		(1 << TIF_32BIT)
>  
>  #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
>  				 _TIF_NOTIFY_RESUME)
>  
> +#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
> +				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
> +
>  #endif /* __KERNEL__ */
>  #endif /* __ASM_THREAD_INFO_H */
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index 0d7b789..6d613cd 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -630,8 +630,9 @@ el0_svc_naked:					// compat entry point
>  	enable_irq
>  
>  	get_thread_info tsk
> -	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
> -	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
> +	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
> +	tst	x16, #_TIF_SYSCALL_WORK
> +	b.ne	__sys_trace
>  	adr	lr, ret_fast_syscall		// return address
>  	cmp     scno, sc_nr                     // check upper syscall limit
>  	b.hs	ni_sys
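
Review bot: The new "tst x16, #_TIF_SYSCALL_WORK" only assembles while the mask is a valid AArch64 logical immediate. With the bits defined in thread_info.h (8 to 11) the mask is 0xf00, one contiguous run of ones, so it encodes today, but a syscall flag added later at a non-adjacent bit can make the mask unencodable and turn this line into a build failure far from the header that caused it. A short comment next to _TIF_SYSCALL_WORK saying the syscall flags must stay contiguous, or loading the mask into a scratch register before the test, would protect it.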

All looks fine up to here.

> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..c70133e 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;
> -
> -	if (is_compat_task()) {
> -		/* AArch32 uses ip (r12) for scratch */
> -		saved_reg = regs->regs[12];
> -		regs->regs[12] = dir;
> -	} else {
> -		/*
> -		 * Save X7. X7 is used to denote syscall entry/exit:
> -		 *   X7 = 0 -> entry, = 1 -> exit
> -		 */
> -		saved_reg = regs->regs[7];
> -		regs->regs[7] = dir;
> -	}
> +	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
> +		if (is_compat_task()) {
> +			/* AArch32 uses ip (r12) for scratch */
> +			saved_reg = regs->regs[12];
> +			regs->regs[12] = dir;
> +		} else {
> +			/*
> +			 * Save X7. X7 is used to denote syscall entry/exit:
> +			 *   X7 = 0 -> entry, = 1 -> exit
> +			 */
> +			saved_reg = regs->regs[7];
> +			regs->regs[7] = dir;
> +		}
>  
> -	if (dir)
> -		tracehook_report_syscall_exit(regs, 0);
> -	else if (tracehook_report_syscall_entry(regs))
> -		regs->syscallno = ~0UL;
> +		if (dir)
> +			tracehook_report_syscall_exit(regs, 0);
> +		else if (tracehook_report_syscall_entry(regs))
> +			regs->syscallno = ~0UL;
>  
> -	if (is_compat_task())
> -		regs->regs[12] = saved_reg;
> -	else
> -		regs->regs[7] = saved_reg;
> +		if (is_compat_task())
> +			regs->regs[12] = saved_reg;
> +		else
> +			regs->regs[7] = saved_reg;
> +	}
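
Review bot: In the new syscall_trace() body every statement sits inside "if (test_thread_flag(TIF_SYSCALL_TRACE))", so a task that reaches __sys_trace only because TIF_SYSCALL_AUDIT, TIF_SYSCALL_TRACEPOINT or TIF_SECCOMP is set now takes the slow path and has nothing done for it. The added lines are the old body re-indented, with no audit, tracepoint or seccomp call among them, which does not match the commit message's "it is now called in all the cases of audit, ftrace and seccomp". Either add the first real consumer of the new flags in this patch, or keep the early-return form here and move the re-indentation into the patch that introduces that consumer.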

Aren't these changes (to ptrace.c) just a giant NOP?

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-25  9:16                   ` AKASHI Takahiro
  (?)
  (?)
@ 2014-02-25 15:25                     ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-25 15:25 UTC (permalink / raw)
  To: linux-arm-kernel

On 14/02/25, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/alpha/Kconfig     |    1 +
>  arch/arm/Kconfig       |    1 +
>  arch/ia64/Kconfig      |    1 +
>  arch/parisc/Kconfig    |    1 +
>  arch/powerpc/Kconfig   |    1 +
>  arch/s390/Kconfig      |    1 +
>  arch/sh/Kconfig        |    1 +
>  arch/sparc/Kconfig     |    1 +
>  arch/um/Kconfig.common |    1 +
>  arch/x86/Kconfig       |    1 +
>  init/Kconfig           |    5 ++++-
>  11 files changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
> index f6c6b34..b7ff9a3 100644
> --- a/arch/alpha/Kconfig
> +++ b/arch/alpha/Kconfig
> @@ -22,6 +22,7 @@ config ALPHA
>  	select GENERIC_SMP_IDLE_THREAD
>  	select GENERIC_STRNCPY_FROM_USER
>  	select GENERIC_STRNLEN_USER
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_MOD_ARCH_SPECIFIC
>  	select MODULES_USE_ELF_RELA
>  	select ODD_RT_SIGACTION
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index e254198..ca79340 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -24,6 +24,7 @@ config ARM
>  	select GENERIC_STRNCPY_FROM_USER
>  	select GENERIC_STRNLEN_USER
>  	select HARDIRQS_SW_RESEND
> +	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
>  	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
>  	select HAVE_ARCH_KGDB
>  	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
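
Review bot: The commit message does not say that ARM keeps its restriction, and this is the one hunk where the select is conditional. The "if (AEABI && !OABI_COMPAT)" here is now the only thing that keeps syscall auditing off OABI-compat builds, a job the removed "(ARM && AEABI && !OABI_COMPAT)" term in init/Kconfig used to do centrally. The condition matches that term and the HAVE_ARCH_SECCOMP_FILTER line below it, so the behaviour looks preserved; one sentence in the commit message stating this would let the arch maintainers confirm the equivalence without re-deriving it.
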
> diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
> index 0c8e553..5409bf4 100644
> --- a/arch/ia64/Kconfig
> +++ b/arch/ia64/Kconfig
> @@ -44,6 +44,7 @@ config IA64
>  	select HAVE_MOD_ARCH_SPECIFIC
>  	select MODULES_USE_ELF_RELA
>  	select ARCH_USE_CMPXCHG_LOCKREF
> +	select HAVE_ARCH_AUDITSYSCALL
>  	default y
>  	help
>  	  The Itanium Processor Family is Intel's 64-bit successor to
> diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
> index bb2a8ec..1faefed 100644
> --- a/arch/parisc/Kconfig
> +++ b/arch/parisc/Kconfig
> @@ -28,6 +28,7 @@ config PARISC
>  	select CLONE_BACKWARDS
>  	select TTY # Needed for pdc_cons.c
>  	select HAVE_DEBUG_STACKOVERFLOW
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  	help
>  	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 957bf34..7b3b8fe 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -141,6 +141,7 @@ config PPC
>  	select HAVE_DEBUG_STACKOVERFLOW
>  	select HAVE_IRQ_EXIT_ON_IRQ_STACK
>  	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config GENERIC_CSUM
>  	def_bool CPU_LITTLE_ENDIAN
> diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
> index 65a0775..1b58568 100644
> --- a/arch/s390/Kconfig
> +++ b/arch/s390/Kconfig
> @@ -103,6 +103,7 @@ config S390
>  	select GENERIC_SMP_IDLE_THREAD
>  	select GENERIC_TIME_VSYSCALL
>  	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
>  	select HAVE_ARCH_SECCOMP_FILTER
>  	select HAVE_ARCH_TRACEHOOK
> diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
> index 6357710..4addd87 100644
> --- a/arch/sh/Kconfig
> +++ b/arch/sh/Kconfig
> @@ -42,6 +42,7 @@ config SUPERH
>  	select MODULES_USE_ELF_RELA
>  	select OLD_SIGSUSPEND
>  	select OLD_SIGACTION
> +	select HAVE_ARCH_AUDITSYSCALL
>  	help
>  	  The SuperH is a RISC processor targeted for use in embedded systems
>  	  and consumer electronics; it was also used in the Sega Dreamcast
> diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
> index c51efdc..9c74d6b 100644
> --- a/arch/sparc/Kconfig
> +++ b/arch/sparc/Kconfig
> @@ -77,6 +77,7 @@ config SPARC64
>  	select ARCH_HAVE_NMI_SAFE_CMPXCHG
>  	select HAVE_C_RECORDMCOUNT
>  	select NO_BOOTMEM
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config ARCH_DEFCONFIG
>  	string
> diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
> index 21ca44c..6915d28 100644
> --- a/arch/um/Kconfig.common
> +++ b/arch/um/Kconfig.common
> @@ -1,6 +1,7 @@
>  config UML
>  	bool
>  	default y
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_UID16
>  	select GENERIC_IRQ_SHOW
>  	select GENERIC_CPU_DEVICES
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 0af5250..2938365 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -127,6 +127,7 @@ config X86
>  	select HAVE_DEBUG_STACKOVERFLOW
>  	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
>  	select HAVE_CC_STACKPROTECTOR
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config INSTRUCTION_DECODER
>  	def_bool y
> diff --git a/init/Kconfig b/init/Kconfig
> index 009a797..d4ec53d 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -282,9 +282,12 @@ config AUDIT
>  	  logging of avc messages output).  Does not do system-call
>  	  auditing without CONFIG_AUDITSYSCALL.
>  
> +config HAVE_ARCH_AUDITSYSCALL
> +	bool
> +
>  config AUDITSYSCALL
>  	bool "Enable system-call auditing support"
> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> +	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
>  	default y if SECURITY_SELINUX
>  	help
>  	  Enable low-overhead system-call auditing infrastructure that
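
Review bot: HAVE_ARCH_AUDITSYSCALL is added as a bare "bool" with no comment, so nothing tells a new architecture what it has to implement before selecting it. After this change AUDITSYSCALL is offered (and is default y with SECURITY_SELINUX) on any architecture that sets the symbol, so a premature select gives a kernel that advertises syscall auditing without the arch hooks behind it. Add a comment above the config entry listing the requirements, such as the audit calls on syscall entry and exit.
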
> -- 
> 1.7.9.5
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
@ 2014-02-25 15:25                     ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-25 15:25 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: eparis, catalin.marinas, will.deacon, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit, x86, linux-alpha,
	linux-ia64, linux-parisc, linuxppc-dev, linux-s390, linux-sh,
	sparclinux, user-mode-linux-devel, user-mode-linux-user

On 14/02/25, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/alpha/Kconfig     |    1 +
>  arch/arm/Kconfig       |    1 +
>  arch/ia64/Kconfig      |    1 +
>  arch/parisc/Kconfig    |    1 +
>  arch/powerpc/Kconfig   |    1 +
>  arch/s390/Kconfig      |    1 +
>  arch/sh/Kconfig        |    1 +
>  arch/sparc/Kconfig     |    1 +
>  arch/um/Kconfig.common |    1 +
>  arch/x86/Kconfig       |    1 +
>  init/Kconfig           |    5 ++++-
>  11 files changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
> index f6c6b34..b7ff9a3 100644
> --- a/arch/alpha/Kconfig
> +++ b/arch/alpha/Kconfig
> @@ -22,6 +22,7 @@ config ALPHA
>  	select GENERIC_SMP_IDLE_THREAD
>  	select GENERIC_STRNCPY_FROM_USER
>  	select GENERIC_STRNLEN_USER
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_MOD_ARCH_SPECIFIC
>  	select MODULES_USE_ELF_RELA
>  	select ODD_RT_SIGACTION
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index e254198..ca79340 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -24,6 +24,7 @@ config ARM
>  	select GENERIC_STRNCPY_FROM_USER
>  	select GENERIC_STRNLEN_USER
>  	select HARDIRQS_SW_RESEND
> +	select HAVE_ARCH_AUDITSYSCALL if (AEABI && !OABI_COMPAT)
>  	select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL
>  	select HAVE_ARCH_KGDB
>  	select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)
> diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
> index 0c8e553..5409bf4 100644
> --- a/arch/ia64/Kconfig
> +++ b/arch/ia64/Kconfig
> @@ -44,6 +44,7 @@ config IA64
>  	select HAVE_MOD_ARCH_SPECIFIC
>  	select MODULES_USE_ELF_RELA
>  	select ARCH_USE_CMPXCHG_LOCKREF
> +	select HAVE_ARCH_AUDITSYSCALL
>  	default y
>  	help
>  	  The Itanium Processor Family is Intel's 64-bit successor to
> diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig
> index bb2a8ec..1faefed 100644
> --- a/arch/parisc/Kconfig
> +++ b/arch/parisc/Kconfig
> @@ -28,6 +28,7 @@ config PARISC
>  	select CLONE_BACKWARDS
>  	select TTY # Needed for pdc_cons.c
>  	select HAVE_DEBUG_STACKOVERFLOW
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  	help
>  	  The PA-RISC microprocessor is designed by Hewlett-Packard and used
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 957bf34..7b3b8fe 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -141,6 +141,7 @@ config PPC
>  	select HAVE_DEBUG_STACKOVERFLOW
>  	select HAVE_IRQ_EXIT_ON_IRQ_STACK
>  	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config GENERIC_CSUM
>  	def_bool CPU_LITTLE_ENDIAN
> diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
> index 65a0775..1b58568 100644
> --- a/arch/s390/Kconfig
> +++ b/arch/s390/Kconfig
> @@ -103,6 +103,7 @@ config S390
>  	select GENERIC_SMP_IDLE_THREAD
>  	select GENERIC_TIME_VSYSCALL
>  	select HAVE_ALIGNED_STRUCT_PAGE if SLUB
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_ARCH_JUMP_LABEL if !MARCH_G5
>  	select HAVE_ARCH_SECCOMP_FILTER
>  	select HAVE_ARCH_TRACEHOOK
> diff --git a/arch/sh/Kconfig b/arch/sh/Kconfig
> index 6357710..4addd87 100644
> --- a/arch/sh/Kconfig
> +++ b/arch/sh/Kconfig
> @@ -42,6 +42,7 @@ config SUPERH
>  	select MODULES_USE_ELF_RELA
>  	select OLD_SIGSUSPEND
>  	select OLD_SIGACTION
> +	select HAVE_ARCH_AUDITSYSCALL
>  	help
>  	  The SuperH is a RISC processor targeted for use in embedded systems
>  	  and consumer electronics; it was also used in the Sega Dreamcast
> diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
> index c51efdc..9c74d6b 100644
> --- a/arch/sparc/Kconfig
> +++ b/arch/sparc/Kconfig
> @@ -77,6 +77,7 @@ config SPARC64
>  	select ARCH_HAVE_NMI_SAFE_CMPXCHG
>  	select HAVE_C_RECORDMCOUNT
>  	select NO_BOOTMEM
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config ARCH_DEFCONFIG
>  	string
> diff --git a/arch/um/Kconfig.common b/arch/um/Kconfig.common
> index 21ca44c..6915d28 100644
> --- a/arch/um/Kconfig.common
> +++ b/arch/um/Kconfig.common
> @@ -1,6 +1,7 @@
>  config UML
>  	bool
>  	default y
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_UID16
>  	select GENERIC_IRQ_SHOW
>  	select GENERIC_CPU_DEVICES
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 0af5250..2938365 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -127,6 +127,7 @@ config X86
>  	select HAVE_DEBUG_STACKOVERFLOW
>  	select HAVE_IRQ_EXIT_ON_IRQ_STACK if X86_64
>  	select HAVE_CC_STACKPROTECTOR
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config INSTRUCTION_DECODER
>  	def_bool y
> diff --git a/init/Kconfig b/init/Kconfig
> index 009a797..d4ec53d 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -282,9 +282,12 @@ config AUDIT
>  	  logging of avc messages output).  Does not do system-call
>  	  auditing without CONFIG_AUDITSYSCALL.
>  
> +config HAVE_ARCH_AUDITSYSCALL
> +	bool
> +
>  config AUDITSYSCALL
>  	bool "Enable system-call auditing support"
> -	depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML || SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> +	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
>  	default y if SECURITY_SELINUX
>  	help
>  	  Enable low-overhead system-call auditing infrastructure that
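
Review bot: the new "config HAVE_ARCH_AUDITSYSCALL" entry at the top of this
hunk is a bare bool with no comment saying what an architecture has to
implement before selecting it. AUDITSYSCALL now depends only on
"AUDIT && HAVE_ARCH_AUDITSYSCALL", so nothing in Kconfig catches an
architecture that adds the select without wiring up its syscall audit hooks.
A short comment above the symbol listing those requirements would help the
next port. The conversion itself keeps the old condition: each term of the
removed expression has a matching select in the arch hunks, including the
"(AEABI && !OABI_COMPAT)" condition on ARM.
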
> -- 
> 1.7.9.5
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-25  9:16                   ` AKASHI Takahiro
  (?)
  (?)
@ 2014-02-25 17:40                     ` Matt Turner
  -1 siblings, 0 replies; 297+ messages in thread
From: Matt Turner @ 2014-02-25 17:40 UTC (permalink / raw)
  To: linux-arm-kernel

On Tue, Feb 25, 2014 at 1:16 AM, AKASHI Takahiro
<takahiro.akashi@linaro.org> wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
>                 SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.
>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/alpha/Kconfig     |    1 +
>  arch/arm/Kconfig       |    1 +
>  arch/ia64/Kconfig      |    1 +
>  arch/parisc/Kconfig    |    1 +
>  arch/powerpc/Kconfig   |    1 +
>  arch/s390/Kconfig      |    1 +
>  arch/sh/Kconfig        |    1 +
>  arch/sparc/Kconfig     |    1 +
>  arch/um/Kconfig.common |    1 +
>  arch/x86/Kconfig       |    1 +
>  init/Kconfig           |    5 ++++-
>  11 files changed, 14 insertions(+), 1 deletion(-)
>
> diff --git a/arch/alpha/Kconfig b/arch/alpha/Kconfig
> index f6c6b34..b7ff9a3 100644
> --- a/arch/alpha/Kconfig
> +++ b/arch/alpha/Kconfig
> @@ -22,6 +22,7 @@ config ALPHA
>         select GENERIC_SMP_IDLE_THREAD
>         select GENERIC_STRNCPY_FROM_USER
>         select GENERIC_STRNLEN_USER
> +       select HAVE_ARCH_AUDITSYSCALL
>         select HAVE_MOD_ARCH_SPECIFIC
>         select MODULES_USE_ELF_RELA
>         select ODD_RT_SIGACTION

Thanks.

Acked-by: Matt Turner <mattst88@gmail.com>

* Re: [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-25 15:00                   ` Will Deacon
  (?)
@ 2014-02-26  2:00                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-26  2:00 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 02/26/2014 12:00 AM, Will Deacon wrote:
> On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
>> Currently syscall_trace() is called only for ptrace.
>> With additional TIF_xx flags defined, it is now called in all the cases
>> of audit, ftrace and seccomp in addition to ptrace.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> Acked-by: Richard Guy Briggs <rgb@redhat.com>
>> ---
>>   arch/arm64/include/asm/thread_info.h |   13 ++++++++++
>>   arch/arm64/kernel/entry.S            |    5 ++--
>>   arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
>>   3 files changed, 38 insertions(+), 25 deletions(-)

[...]

>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 6a8928b..c70133e 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>   {
>>   	unsigned long saved_reg;
>>
>> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
>> -		return regs->syscallno;
>> -
>> -	if (is_compat_task()) {
>> -		/* AArch32 uses ip (r12) for scratch */
>> -		saved_reg = regs->regs[12];
>> -		regs->regs[12] = dir;
>> -	} else {
>> -		/*
>> -		 * Save X7. X7 is used to denote syscall entry/exit:
>> -		 *   X7 = 0 -> entry, = 1 -> exit
>> -		 */
>> -		saved_reg = regs->regs[7];
>> -		regs->regs[7] = dir;
>> -	}
>> +	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
>> +		if (is_compat_task()) {
>> +			/* AArch32 uses ip (r12) for scratch */
>> +			saved_reg = regs->regs[12];
>> +			regs->regs[12] = dir;
>> +		} else {
>> +			/*
>> +			 * Save X7. X7 is used to denote syscall entry/exit:
>> +			 *   X7 = 0 -> entry, = 1 -> exit
>> +			 */
>> +			saved_reg = regs->regs[7];
>> +			regs->regs[7] = dir;
>> +		}
>>
>> -	if (dir)
>> -		tracehook_report_syscall_exit(regs, 0);
>> -	else if (tracehook_report_syscall_entry(regs))
>> -		regs->syscallno = ~0UL;
>> +		if (dir)
>> +			tracehook_report_syscall_exit(regs, 0);
>> +		else if (tracehook_report_syscall_entry(regs))
>> +			regs->syscallno = ~0UL;
>>
>> -	if (is_compat_task())
>> -		regs->regs[12] = saved_reg;
>> -	else
>> -		regs->regs[7] = saved_reg;
>> +		if (is_compat_task())
>> +			regs->regs[12] = saved_reg;
>> +		else
>> +			regs->regs[7] = saved_reg;
>> +	}
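
Review bot: with the early "return regs->syscallno" removed at the top of
this hunk, the function has to reach a return after the closing brace of the
new if block, and that line is not in the quoted context; please confirm the
path taken when TIF_SYSCALL_TRACE is clear still returns regs->syscallno.
Also, saved_reg stays declared at function scope although it is now only
used inside the if block, so the declaration could move into the block.
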
>
> Aren't these changes (to ptrace.c) just a giant NOP?

Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set,
and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*()
later on.

-Takahiro AKASHI

> Will
>

* Re: [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-26  2:00                     ` AKASHI Takahiro
  (?)
@ 2014-02-26 11:25                       ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-26 11:25 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Wed, Feb 26, 2014 at 02:00:19AM +0000, AKASHI Takahiro wrote:
> On 02/26/2014 12:00 AM, Will Deacon wrote:
> > On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
> >> Currently syscall_trace() is called only for ptrace.
> >> With additional TIF_xx flags defined, it is now called in all the cases
> >> of audit, ftrace and seccomp in addition to ptrace.
> >>
> >> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> >> ---
> >>   arch/arm64/include/asm/thread_info.h |   13 ++++++++++
> >>   arch/arm64/kernel/entry.S            |    5 ++--
> >>   arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
> >>   3 files changed, 38 insertions(+), 25 deletions(-)
> 
> [...]
> 
> >> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> >> index 6a8928b..c70133e 100644
> >> --- a/arch/arm64/kernel/ptrace.c
> >> +++ b/arch/arm64/kernel/ptrace.c
> >> @@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
> >>   {
> >>   	unsigned long saved_reg;
> >>
> >> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> >> -		return regs->syscallno;
> >> -
> >> -	if (is_compat_task()) {
> >> -		/* AArch32 uses ip (r12) for scratch */
> >> -		saved_reg = regs->regs[12];
> >> -		regs->regs[12] = dir;
> >> -	} else {
> >> -		/*
> >> -		 * Save X7. X7 is used to denote syscall entry/exit:
> >> -		 *   X7 = 0 -> entry, = 1 -> exit
> >> -		 */
> >> -		saved_reg = regs->regs[7];
> >> -		regs->regs[7] = dir;
> >> -	}
> >> +	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
> >> +		if (is_compat_task()) {
> >> +			/* AArch32 uses ip (r12) for scratch */
> >> +			saved_reg = regs->regs[12];
> >> +			regs->regs[12] = dir;
> >> +		} else {
> >> +			/*
> >> +			 * Save X7. X7 is used to denote syscall entry/exit:
> >> +			 *   X7 = 0 -> entry, = 1 -> exit
> >> +			 */
> >> +			saved_reg = regs->regs[7];
> >> +			regs->regs[7] = dir;
> >> +		}
> >>
> >> -	if (dir)
> >> -		tracehook_report_syscall_exit(regs, 0);
> >> -	else if (tracehook_report_syscall_entry(regs))
> >> -		regs->syscallno = ~0UL;
> >> +		if (dir)
> >> +			tracehook_report_syscall_exit(regs, 0);
> >> +		else if (tracehook_report_syscall_entry(regs))
> >> +			regs->syscallno = ~0UL;
> >>
> >> -	if (is_compat_task())
> >> -		regs->regs[12] = saved_reg;
> >> -	else
> >> -		regs->regs[7] = saved_reg;
> >> +		if (is_compat_task())
> >> +			regs->regs[12] = saved_reg;
> >> +		else
> >> +			regs->regs[7] = saved_reg;
> >> +	}
> >
> > Aren't these changes (to ptrace.c) just a giant NOP?
> 
> Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set,
> and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*()
> later on.

The existing code already checks TIF_SYSCALL_TRACE. I'd rather you added
this new code when it's actually needed (e.g. when adding audit on top).

Will

* Re: [PATCH v2 1/1] audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL
  2014-02-25  9:16                   ` AKASHI Takahiro
                                       ` (2 preceding siblings ...)
  (?)
@ 2014-02-26 12:31                     ` Michael Ellerman
  -1 siblings, 0 replies; 297+ messages in thread
From: Michael Ellerman @ 2014-02-26 12:31 UTC (permalink / raw)
  To: linux-arm-kernel

On Tue, 2014-02-25 at 18:16 +0900, AKASHI Takahiro wrote:
> Currently AUDITSYSCALL has a long list of architecture dependencies:
>        depends on AUDIT && (X86 || PARISC || PPC || S390 || IA64 || UML ||
> 		SPARC64 || SUPERH || (ARM && AEABI && !OABI_COMPAT) || ALPHA)
> The purpose of this patch is to replace it with HAVE_ARCH_AUDITSYSCALL
> for simplicity.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>
> diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
> index 957bf34..7b3b8fe 100644
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -141,6 +141,7 @@ config PPC
>  	select HAVE_DEBUG_STACKOVERFLOW
>  	select HAVE_IRQ_EXIT_ON_IRQ_STACK
>  	select ARCH_USE_CMPXCHG_LOCKREF if PPC64
> +	select HAVE_ARCH_AUDITSYSCALL
>  
>  config GENERIC_CSUM
>  	def_bool CPU_LITTLE_ENDIAN
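
Review bot: the commit message does not say how the conditional entries of the old `depends on` list, such as `(ARM && AEABI && !OABI_COMPAT)`, are carried over to per-architecture selects. The unconditional `select HAVE_ARCH_AUDITSYSCALL` added under `config PPC` matches the bare `PPC` term in that list, so this hunk looks behaviour-preserving; suggest stating in the commit message that every architecture's select keeps its original condition, so the set of configurations that can enable AUDITSYSCALL is unchanged.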

Looks good for powerpc.

Acked-by: Michael Ellerman <mpe@ellerman.id.au>

cheers



^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v2 1/1] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-26 11:25                       ` Will Deacon
  (?)
@ 2014-02-27  1:33                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-27  1:33 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 02/26/2014 08:25 PM, Will Deacon wrote:
> On Wed, Feb 26, 2014 at 02:00:19AM +0000, AKASHI Takahiro wrote:
>> On 02/26/2014 12:00 AM, Will Deacon wrote:
>>> On Tue, Feb 25, 2014 at 09:14:43AM +0000, AKASHI Takahiro wrote:
>>>> Currently syscall_trace() is called only for ptrace.
>>>> With additional TIF_xx flags defined, it is now called in all the cases
>>>> of audit, ftrace and seccomp in addition to ptrace.
>>>>
>>>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>>>> Acked-by: Richard Guy Briggs <rgb@redhat.com>
>>>> ---
>>>>    arch/arm64/include/asm/thread_info.h |   13 ++++++++++
>>>>    arch/arm64/kernel/entry.S            |    5 ++--
>>>>    arch/arm64/kernel/ptrace.c           |   45 +++++++++++++++++-----------------
>>>>    3 files changed, 38 insertions(+), 25 deletions(-)
>>
>> [...]
>>
>>>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>>>> index 6a8928b..c70133e 100644
>>>> --- a/arch/arm64/kernel/ptrace.c
>>>> +++ b/arch/arm64/kernel/ptrace.c
>>>> @@ -1062,31 +1062,30 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>>>>    {
>>>>    	unsigned long saved_reg;
>>>>
>>>> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
>>>> -		return regs->syscallno;
>>>> -
>>>> -	if (is_compat_task()) {
>>>> -		/* AArch32 uses ip (r12) for scratch */
>>>> -		saved_reg = regs->regs[12];
>>>> -		regs->regs[12] = dir;
>>>> -	} else {
>>>> -		/*
>>>> -		 * Save X7. X7 is used to denote syscall entry/exit:
>>>> -		 *   X7 = 0 -> entry, = 1 -> exit
>>>> -		 */
>>>> -		saved_reg = regs->regs[7];
>>>> -		regs->regs[7] = dir;
>>>> -	}
>>>> +	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
>>>> +		if (is_compat_task()) {
>>>> +			/* AArch32 uses ip (r12) for scratch */
>>>> +			saved_reg = regs->regs[12];
>>>> +			regs->regs[12] = dir;
>>>> +		} else {
>>>> +			/*
>>>> +			 * Save X7. X7 is used to denote syscall entry/exit:
>>>> +			 *   X7 = 0 -> entry, = 1 -> exit
>>>> +			 */
>>>> +			saved_reg = regs->regs[7];
>>>> +			regs->regs[7] = dir;
>>>> +		}
>>>>
>>>> -	if (dir)
>>>> -		tracehook_report_syscall_exit(regs, 0);
>>>> -	else if (tracehook_report_syscall_entry(regs))
>>>> -		regs->syscallno = ~0UL;
>>>> +		if (dir)
>>>> +			tracehook_report_syscall_exit(regs, 0);
>>>> +		else if (tracehook_report_syscall_entry(regs))
>>>> +			regs->syscallno = ~0UL;
>>>>
>>>> -	if (is_compat_task())
>>>> -		regs->regs[12] = saved_reg;
>>>> -	else
>>>> -		regs->regs[7] = saved_reg;
>>>> +		if (is_compat_task())
>>>> +			regs->regs[12] = saved_reg;
>>>> +		else
>>>> +			regs->regs[7] = saved_reg;
>>>> +	}
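
Review bot: in this `syscall_trace()` hunk the new `if (test_thread_flag(TIF_SYSCALL_TRACE)) { ... }` block guards exactly the statements that the removed early return (`if (!test_thread_flag(TIF_SYSCALL_TRACE)) return regs->syscallno;`) already guarded, so the visible lines re-indent the body without changing behaviour. Suggest keeping the early return here and switching to the block form in the patch that adds the first hook outside it, which keeps this diff small and makes the later one show why the restructuring is needed.
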
>>>
>>> Aren't these changes (to ptrace.c) just a giant NOP?
>>
>> Umm, the purpose of this big "if" is to run the code only if TIF_SYSCALL_TRACE is set,
>> and to make it easy to add additional hooks, audit and ftrace, around tracehook_report_*()
>> later on.
>
> The existing code already checks TIF_SYSCALL_TRACE. I'd rather you added
> this new code when it's actually needed (e.g. when adding audit on top).

* This patch is required only if you really merge my audit and/or ftrace patch.
* Putting these changes in the audit patch would impose an extra (unnecessary) dependency on the ftrace patch.
* Putting them in both the audit and ftrace patches would cause a conflict when applying both patches.

Even so, since I don't want to bother you with this minor issue, I will follow your comment and make changes to:
* arm64: make a single hook to syscall_trace() for all syscall features
* arm64: Add audit support
* arm64: Add ftrace support

-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v3 0/2] arm64: prerequisites for audit and ftrace
  2014-02-25  9:14               ` AKASHI Takahiro
@ 2014-02-28  5:14                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:14 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This patchset contains some patches commonly used by audit and ftrace.

Patch [1/2] defines system call related TIF_* flags to add syscall_trace()
hooks, including ftrace, audit and seccomp, later.
Those features will be implemented in separate patchsets, but it's safe to
check for all TIF_* now because they can not be turned on anyway.

Patch [2/2] adds a function which returns the return value of a system call.

Changes v1 -> v2:
* added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*()
* renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK

Changes v2 -> v3:
* reverted a change in syscall_trace() in v1 [1/2]
* added "arm64: Add regs_return_value() in syscall.h" patch which was
  previously included in audit patch [2/2]

AKASHI Takahiro (2):
  arm64: make a single hook to syscall_trace() for all syscall features
  arm64: Add regs_return_value() in syscall.h

 arch/arm64/include/asm/ptrace.h      |    5 +++++
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 3 files changed, 21 insertions(+), 2 deletions(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v3 1/2] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-28  5:14                 ` AKASHI Takahiro
@ 2014-02-28  5:14                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:14 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
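
Review bot: the added comment line spells the flag `TIF_SECOMP`, while the define added later in this patch is `TIF_SECCOMP`; fix the spelling so a search for the flag name finds its description. The comment also lists `TIF_SYSCALL_TRACEPOINT` before `TIF_SYSCALL_AUDIT`, whereas the defines number them 10 and 9; listing them in bit order would match the rest of the block.
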
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
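
Review bot: `_TIF_SYSCALL_WORK` is added with no comment, and the commit message does not explain why it is safe to test `_TIF_SYSCALL_AUDIT`, `_TIF_SYSCALL_TRACEPOINT` and `_TIF_SECCOMP` before any code can set them; that reasoning appears only in the cover letter ("they can not be turned on anyway"). Suggest a one-line comment above the define saying these are the flags that divert syscall entry to `__sys_trace`, and moving the cover-letter sentence into this commit message so it survives in the history.
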
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 0d7b789..6d613cd 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -630,8 +630,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
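
Review bot: `tst x16, #_TIF_SYSCALL_WORK` assembles only while the mask is a valid AArch64 logical immediate. With the values in this patch it is bits 8 to 11 (0xf00), one contiguous run, so it encodes; adding a flag that is not adjacent to that run to `_TIF_SYSCALL_WORK` later would fail to assemble at this line. Suggest a comment next to the `tst` or next to the define recording that constraint.
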
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread
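
An added example, not part of the posted patch or the kernel tree: a user-space C model of the `entry.S` check changed in [PATCH v3 1/2], showing which flag words reach `__sys_trace` under the old `tbnz` and the new `tst`, and checking that `_TIF_SYSCALL_WORK` is encodable as the AArch64 logical immediate that `tst` takes. The flag values are copied from the patch; the function names and the sample flag words are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit numbers and masks as defined in the thread_info.h hunks of patch 1/2. */
#define TIF_NEED_RESCHED        1
#define TIF_SYSCALL_TRACE       8
#define TIF_SYSCALL_AUDIT       9
#define TIF_SYSCALL_TRACEPOINT  10
#define TIF_SECCOMP             11

#define _TIF_NEED_RESCHED       (1 << TIF_NEED_RESCHED)
#define _TIF_SYSCALL_TRACE      (1 << TIF_SYSCALL_TRACE)
#define _TIF_SYSCALL_AUDIT      (1 << TIF_SYSCALL_AUDIT)
#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
#define _TIF_SECCOMP            (1 << TIF_SECCOMP)
#define _TIF_SYSCALL_WORK       (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
                                 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)

/* Old check: tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace (tests one bit). */
static int old_takes_sys_trace(uint64_t ti_flags)
{
    return (int)((ti_flags >> TIF_SYSCALL_TRACE) & 1);
}

/* New check: tst x16, #_TIF_SYSCALL_WORK ; b.ne __sys_trace (tests a mask). */
static int new_takes_sys_trace(uint64_t ti_flags)
{
    return (ti_flags & (uint64_t)_TIF_SYSCALL_WORK) != 0;
}

static unsigned popcount64(uint64_t v)
{
    unsigned n = 0;

    for (; v; v &= v - 1)
        n++;
    return n;
}

/* True if the low `width` bits of v are one circular run of ones
 * (neither empty nor full). */
static int is_rotated_run(uint64_t v, unsigned width)
{
    uint64_t mask = (width == 64) ? ~0ULL : ((1ULL << width) - 1);
    uint64_t rot;

    v &= mask;
    if (v == 0 || v == mask)
        return 0;
    rot = ((v << 1) | (v >> (width - 1))) & mask;  /* rotate left by one */
    return popcount64(v ^ rot) == 2;               /* one 0->1, one 1->0 edge */
}

/* A 64-bit logical immediate is an element of 2, 4, 8, 16, 32 or 64 bits,
 * itself a rotated run of ones, replicated across the register. */
static int is_a64_logical_imm(uint64_t v)
{
    unsigned size, i;

    for (size = 2; size <= 64; size *= 2) {
        uint64_t mask = (size == 64) ? ~0ULL : ((1ULL << size) - 1);
        uint64_t elem = v & mask, rep = 0;

        for (i = 0; i < 64; i += size)
            rep |= elem << i;
        if (rep == v && is_rotated_run(elem, size))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample TI_FLAGS words, one per interesting case. */
    static const struct { const char *what; uint64_t flags; } samples[] = {
        { "resched pending, no syscall work", _TIF_NEED_RESCHED },
        { "ptrace only",                      _TIF_SYSCALL_TRACE },
        { "audit only",                       _TIF_SYSCALL_AUDIT },
        { "seccomp + tracepoint",             _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT },
    };
    unsigned i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-34s flags=0x%03llx old=%d new=%d\n", samples[i].what,
               (unsigned long long)samples[i].flags,
               old_takes_sys_trace(samples[i].flags),
               new_takes_sys_trace(samples[i].flags));

    printf("_TIF_SYSCALL_WORK=0x%x encodable=%d; with bit 16 added: %d\n",
           (unsigned)_TIF_SYSCALL_WORK,
           is_a64_logical_imm((uint64_t)_TIF_SYSCALL_WORK),
           is_a64_logical_imm((uint64_t)_TIF_SYSCALL_WORK | (1ULL << 16)));
    return 0;
}
```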

* [PATCH v3 2/2] arm64: Add regs_return_value() in syscall.h
  2014-02-28  5:14                 ` AKASHI Takahiro
@ 2014-02-28  5:14                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:14 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
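
Review bot: The subject line says syscall.h and the commit message calls regs_return_value a macro, but this hunk adds a static inline function to asm/ptrace.h; the commit text should match what the diff does. A one-line comment above the function stating that x0 (r0 for compat tasks) holds the syscall return value would also help, since audit_syscall_exit() depends on it.
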
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v3 2/2] arm64: Add regs_return_value() in syscall.h
@ 2014-02-28  5:14                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:14 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 0/2] arm64: Add audit support
  2014-02-25  9:18         ` AKASHI Takahiro
@ 2014-02-28  5:17           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "generic compat system call audit support" patch
* "__NR_* definitions for compat syscalls" patch from Catalin
* "make a single hook to syscall_trace() for all syscall features" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++
 arch/arm64/kernel/ptrace.c       |   54 ++++++++++++++++++++++----------------
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 49 insertions(+), 22 deletions(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread
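
The cover letter above says 32-bit tasks are reported as AUDIT_ARCH_ARM and 64-bit tasks as AUDIT_ARCH_AARCH64. The following added example (not part of the patch set) shows why a log consumer must read `arch=` before interpreting `syscall=`: the same number names different calls in the two tables. The syscall table excerpt, the helper names and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ELF machine numbers (elf-em.h) and audit arch bits (uapi/linux/audit.h). */
#define EM_ARM              40
#define EM_AARCH64          183
#define __AUDIT_ARCH_64BIT  0x80000000u
#define __AUDIT_ARCH_LE     0x40000000u
#define AUDIT_ARCH_ARM      (EM_ARM | __AUDIT_ARCH_LE)
#define AUDIT_ARCH_AARCH64  (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)

struct sc_name {
    uint32_t arch;
    int nr;
    const char *name;
};

/* Excerpt of the native (arm64) and compat (ARM EABI) syscall tables. */
static const struct sc_name sc_table[] = {
    { AUDIT_ARCH_AARCH64,  11, "listxattr" },
    { AUDIT_ARCH_AARCH64,  56, "openat"    },
    { AUDIT_ARCH_AARCH64, 221, "execve"    },
    { AUDIT_ARCH_ARM,      11, "execve"    },
    { AUDIT_ARCH_ARM,     322, "openat"    },
};

/* Constructed SYSCALL records in the usual key=value layout. */
static const char *const SAMPLE_RECORDS[] = {
    "type=SYSCALL msg=audit(1393564635.100:41): arch=c00000b7 syscall=56 success=yes exit=3",
    "type=SYSCALL msg=audit(1393564635.200:42): arch=40000028 syscall=322 success=yes exit=3",
    "type=SYSCALL msg=audit(1393564635.300:43): arch=40000028 syscall=11 success=yes exit=0",
    "type=SYSCALL msg=audit(1393564635.400:44): arch=c00000b7 syscall=11 success=yes exit=0",
};

/* Find " key" in the record and parse the number after it; 0 on success. */
static int record_field(const char *line, const char *key, int base,
                        unsigned long *out)
{
    size_t klen = strlen(key);
    const char *p = line;

    while ((p = strstr(p, key)) != NULL) {
        if (p == line || p[-1] == ' ') {
            char *end;

            *out = strtoul(p + klen, &end, base);
            return end != p + klen ? 0 : -1;
        }
        p += klen;
    }
    return -1;
}

/* 1 if the record came from a 64-bit task, going by the arch value alone. */
static int arch_is_64bit(uint32_t arch)
{
    return (arch & __AUDIT_ARCH_64BIT) != 0;
}

/*
 * Resolve the syscall name using the table selected by arch=.
 * Returns NULL if the record has no arch=/syscall= pair, "unknown" if
 * the number is not in the excerpt above.
 */
const char *decode_syscall(const char *line, uint32_t *arch_out)
{
    unsigned long arch, nr;
    size_t i;

    if (record_field(line, "arch=", 16, &arch) ||
        record_field(line, "syscall=", 10, &nr))
        return NULL;
    if (arch_out)
        *arch_out = (uint32_t)arch;
    for (i = 0; i < sizeof(sc_table) / sizeof(sc_table[0]); i++)
        if (sc_table[i].arch == (uint32_t)arch && sc_table[i].nr == (int)nr)
            return sc_table[i].name;
    return "unknown";
}

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(SAMPLE_RECORDS) / sizeof(SAMPLE_RECORDS[0]); i++) {
        uint32_t arch = 0;
        const char *name = decode_syscall(SAMPLE_RECORDS[i], &arch);

        printf("arch=%08x (%s) -> %s\n", (unsigned)arch,
               arch_is_64bit(arch) ? "native" : "compat",
               name ? name : "(no syscall fields)");
    }
    return 0;
}
```

A rule or query that matches on `syscall=11` without also pinning `arch=` would treat a compat `execve` and a native `listxattr` as the same event.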

* [PATCH v6 0/2] arm64: Add audit support
@ 2014-02-28  5:17           ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: linux-arm-kernel

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "generic compat system call audit support" patch
* "__NR_* definitions for compat syscalls" patch from Catalin
* "make a single hook to syscall_trace() for all syscall features" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in ptrace/syscall_trace

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++
 arch/arm64/kernel/ptrace.c       |   54 ++++++++++++++++++++++----------------
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 49 insertions(+), 22 deletions(-)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v6 1/2] arm64: Add audit support
  2014-02-28  5:17           ` AKASHI Takahiro
@ 2014-02-28  5:17             ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
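
Review bot: The comment above syscall_get_arch() says endianness is ignored, but both return values, AUDIT_ARCH_ARM and AUDIT_ARCH_AARCH64, carry __AUDIT_ARCH_LE, so a big-endian kernel will emit records that claim a little-endian arch. The comment should say that explicitly, so that consumers of the `arch=` field do not infer byte order from it. Neither `regs` nor anything beyond the thread_info of `task` is used; if the two-argument signature is kept only to match other architectures, say so in the comment.
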
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 1/2] arm64: Add audit support
@ 2014-02-28  5:17             ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: linux-arm-kernel

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 27bbcfc..aa47548 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_DEBUG_BUGVERBOSE
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 70ba9d4..6900183 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 
 static inline int syscall_get_nr(struct task_struct *task,
@@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-28  5:17           ` AKASHI Takahiro
@ 2014-02-28  5:17             ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1062,31 +1064,39 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
+	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+		if (is_compat_task()) {
+			/* AArch32 uses ip (r12) for scratch */
+			saved_reg = regs->regs[12];
+			regs->regs[12] = dir;
+		} else {
+			/*
+			 * Save X7. X7 is used to denote syscall entry/exit:
+			 *   X7 = 0 -> entry, = 1 -> exit
+			 */
+			saved_reg = regs->regs[7];
+			regs->regs[7] = dir;
+		}
 
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+		if (dir)
+			tracehook_report_syscall_exit(regs, 0);
+		else if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+		if (is_compat_task())
+			regs->regs[12] = saved_reg;
+		else
+			regs->regs[7] = saved_reg;
+	}
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
 
 	return regs->syscallno;
 }
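
Review bot: In the entry path, audit_syscall_entry() runs after tracehook_report_syscall_entry() may have set regs->syscallno to ~0UL, so a syscall cancelled by the tracer is recorded with `(int)regs->syscallno` equal to -1. If that is the intended record for a cancelled call, a comment at the audit_syscall_entry() call should say so; otherwise the original number needs to be captured before the tracehook. Separately, saved_reg is now assigned and read only inside the TIF_SYSCALL_TRACE block and can be declared there.
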
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-28  5:17             ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-02-28  5:17 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..d4ce70e 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1062,31 +1064,39 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
+	if (dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_exit(regs);
+
+	if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+		if (is_compat_task()) {
+			/* AArch32 uses ip (r12) for scratch */
+			saved_reg = regs->regs[12];
+			regs->regs[12] = dir;
+		} else {
+			/*
+			 * Save X7. X7 is used to denote syscall entry/exit:
+			 *   X7 = 0 -> entry, = 1 -> exit
+			 */
+			saved_reg = regs->regs[7];
+			regs->regs[7] = dir;
+		}
 
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+		if (dir)
+			tracehook_report_syscall_exit(regs, 0);
+		else if (tracehook_report_syscall_entry(regs))
+			regs->syscallno = ~0UL;
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
-		regs->syscallno = ~0UL;
+		if (is_compat_task())
+			regs->regs[12] = saved_reg;
+		else
+			regs->regs[7] = saved_reg;
+	}
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	if (!dir && test_thread_flag(TIF_SYSCALL_AUDIT))
+		audit_syscall_entry(syscall_get_arch(current, regs),
+			(int)regs->syscallno,
+			regs->orig_x0, regs->regs[1],
+			regs->regs[2], regs->regs[3]);
 
 	return regs->syscallno;
 }
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 1/2] arm64: make a single hook to syscall_trace() for all syscall features
  2014-02-28  5:14                   ` AKASHI Takahiro
  (?)
@ 2014-02-28 15:57                     ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 15:57 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Fri, Feb 28, 2014 at 05:14:24AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v3 1/2] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-02-28 15:57                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 15:57 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linaro-kernel, rgb, Catalin Marinas, arndb, eparis, linux-kernel,
	dsaxena, viro, linux-audit, linux-arm-kernel

On Fri, Feb 28, 2014 at 05:14:24AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v3 1/2] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-02-28 15:57                     ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 15:57 UTC (permalink / raw)
  To: linux-arm-kernel

On Fri, Feb 28, 2014 at 05:14:24AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-28  5:17             ` AKASHI Takahiro
  (?)
@ 2014-02-28 16:15               ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 16:15 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
>  1 file changed, 32 insertions(+), 22 deletions(-)

I think you need to do something like I did for arch/arm/, where we have
separate trace functions for entry/exit to make sure that we invoke the
various helpers in the correct order (for example, you want to invoke all
the debug stuff *first* on entry, but *last* on exit).

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-28 16:15               ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 16:15 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: linaro-kernel, rgb, Catalin Marinas, arndb, eparis, linux-kernel,
	dsaxena, viro, linux-audit, linux-arm-kernel

On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
>  1 file changed, 32 insertions(+), 22 deletions(-)

I think you need to do something like I did for arch/arm/, where we have
separate trace functions for entry/exit to make sure that we invoke the
various helpers in the correct order (for example, you want to invoke all
the debug stuff *first* on entry, but *last* on exit).

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-28 16:15               ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-02-28 16:15 UTC (permalink / raw)
  To: linux-arm-kernel

On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
>  1 file changed, 32 insertions(+), 22 deletions(-)

I think you need to do something like I did for arch/arm/, where we have
separate trace functions for entry/exit to make sure that we invoke the
various helpers in the correct order (for example, you want to invoke all
the debug stuff *first* on entry, but *last* on exit).

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-28 16:15               ` Will Deacon
@ 2014-02-28 20:45                 ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-28 20:45 UTC (permalink / raw)
  To: Will Deacon
  Cc: AKASHI Takahiro, viro, eparis, Catalin.Marinas, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 14/02/28, Will Deacon wrote:
> On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> > This patch adds auditing functions on entry to or exit from
> > every system call invocation.
> > 
> > Acked-by: Richard Guy Briggs <rgb@redhat.com>
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
> >  1 file changed, 32 insertions(+), 22 deletions(-)
> 
> I think you need to do something like I did for arch/arm/, where we have
> separate trace functions for entry/exit to make sure that we invoke the
> various helpers in the correct order (for example, you want to invoke all
> the debug stuff *first* on entry, but *last* on exit).

I'd have to agree.  I've just had my head deep in audit_syscall_entry()
and syscall_get_arch to clean them up.  Since current is only ever fed
to syscall_get_arch() and regs is never used by syscall_get_arch(), I'm
looking at dropping both from the syscall_get_arch() args list, but
leave syscall_get_arch() as you have it for now.

> Will

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
@ 2014-02-28 20:45                 ` Richard Guy Briggs
  0 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-02-28 20:45 UTC (permalink / raw)
  To: linux-arm-kernel

On 14/02/28, Will Deacon wrote:
> On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> > This patch adds auditing functions on entry to or exit from
> > every system call invocation.
> > 
> > Acked-by: Richard Guy Briggs <rgb@redhat.com>
> > Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> > ---
> >  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
> >  1 file changed, 32 insertions(+), 22 deletions(-)
> 
> I think you need to do something like I did for arch/arm/, where we have
> separate trace functions for entry/exit to make sure that we invoke the
> various helpers in the correct order (for example, you want to invoke all
> the debug stuff *first* on entry, but *last* on exit).

I'd have to agree.  I've just had my head deep in audit_syscall_entry()
and syscall_get_arch to clean them up.  Since current is only ever fed
to syscall_get_arch() and regs is never used by syscall_get_arch(), I'm
looking at dropping both from the syscall_get_arch() args list, but
leave syscall_get_arch() as you have it for now.

> Will

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 1/2] arm64: Add audit support
  2014-02-28  5:17             ` AKASHI Takahiro
  (?)
@ 2014-03-05  2:50               ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-03-05  2:50 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: eparis, catalin.marinas, will.deacon, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 14/02/28, AKASHI Takahiro wrote:
> On AArch64, audit is supported through generic lib/audit.c and
> compat_audit.c, and so this patch adds arch specific definitions required.
> 
> Acked-by: Will Deacon <will.deacon@arm.com>
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/Kconfig               |    1 +
>  arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>  include/uapi/linux/audit.h       |    1 +
>  3 files changed, 17 insertions(+)
> 
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 27bbcfc..aa47548 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -25,6 +25,7 @@ config ARM64
>  	select GENERIC_STRNLEN_USER
>  	select GENERIC_TIME_VSYSCALL
>  	select HARDIRQS_SW_RESEND
> +	select HAVE_ARCH_AUDITSYSCALL
>  	select HAVE_ARCH_JUMP_LABEL
>  	select HAVE_ARCH_TRACEHOOK
>  	select HAVE_DEBUG_BUGVERBOSE
> diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
> index 70ba9d4..6900183 100644
> --- a/arch/arm64/include/asm/syscall.h
> +++ b/arch/arm64/include/asm/syscall.h
> @@ -16,7 +16,9 @@
>  #ifndef __ASM_SYSCALL_H
>  #define __ASM_SYSCALL_H
>  
> +#include <linux/audit.h>

This could be changed to <uapi/linux/audit.h> to pick up the
AUDIT_ARCH_* definitions needed and not any of the audit kernel
functions.

>  #include <linux/err.h>
> +#include <asm/compat.h>
>  
>  
>  static inline int syscall_get_nr(struct task_struct *task,
> @@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
>  	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
>  }
>  
> +/*
> + * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
> + * AArch64 has the same system calls both on little- and big- endian.
> + */
> +static inline int syscall_get_arch(struct task_struct *task,
> +				   struct pt_regs *regs)
> +{
> +	if (is_compat_thread(task_thread_info(task)))
> +		return AUDIT_ARCH_ARM;
> +
> +	return AUDIT_ARCH_AARCH64;
> +}
> +
>  #endif	/* __ASM_SYSCALL_H */
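
Review bot: In syscall_get_arch(), the compat branch returns AUDIT_ARCH_ARM for every 32-bit task, but the comment above it only justifies ignoring endianness for AArch64. Since audit.h keeps AUDIT_ARCH_ARM and AUDIT_ARCH_ARMEB as distinct values, a big-endian compat task would be recorded as little-endian ARM; either extend the comment to say this is intended or choose the value from the task's endianness. The regs parameter is also unused in this function.
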
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 624df43..aa86fab 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -333,6 +333,7 @@ enum {
>  /* distinguish syscall tables */
>  #define __AUDIT_ARCH_64BIT 0x80000000
>  #define __AUDIT_ARCH_LE	   0x40000000
> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>  #define AUDIT_ARCH_ARMEB	(EM_ARM)
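
Review bot: AUDIT_ARCH_AARCH64 is built from EM_AARCH64, which none of the three files touched by this patch defines; the commit message should name the header or prerequisite patch that provides it so the series bisects cleanly. The value also hard-codes __AUDIT_ARCH_LE, which matches the comment in syscall_get_arch() but means a big-endian AArch64 kernel reports the same arch value; a one-line comment next to the define would make that deliberate choice visible.
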
> -- 
> 1.7.9.5
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread
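
Added example (not part of the thread or of the kernel patch): the AUDIT_ARCH_* values from the quoted audit.h hunk are what the arch= field of a SYSCALL audit record carries, so a log consumer has to decode that field before interpreting syscall=, because a compat task reported as AUDIT_ARCH_ARM uses a different syscall table. The ELF machine numbers (40, 183), the syscall numbers in the small table and the sample records are assumptions of this example, taken from the ELF specification and the kernel syscall tables or constructed here; none of them appear in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits with the values shown in the quoted include/uapi/linux/audit.h. */
#define ARCH_FLAG_64BIT 0x80000000u   /* __AUDIT_ARCH_64BIT */
#define ARCH_FLAG_LE    0x40000000u   /* __AUDIT_ARCH_LE */
/* ELF machine numbers from the ELF specification (assumed, not in the thread). */
#define ELF_EM_ARM      40u
#define ELF_EM_AARCH64  183u

struct arch_info {
    uint32_t machine;    /* ELF e_machine part of the value */
    int is_64bit;
    int is_le;
    const char *name;    /* matching audit.h macro, or "unknown" */
};

/* Partial syscall tables, just enough for the constructed records below. */
struct sc_entry { uint32_t machine; unsigned long nr; const char *name; };
static const struct sc_entry SC_TABLE[] = {
    { ELF_EM_AARCH64, 56,  "openat" }, { ELF_EM_AARCH64, 221, "execve" },
    { ELF_EM_ARM,     322, "openat" }, { ELF_EM_ARM,     11,  "execve" },
};

/* Split an audit arch value into ELF machine number and flag bits. */
static struct arch_info decode_audit_arch(uint32_t arch)
{
    struct arch_info ai;

    ai.machine = arch & ~(ARCH_FLAG_64BIT | ARCH_FLAG_LE);
    ai.is_64bit = (arch & ARCH_FLAG_64BIT) != 0;
    ai.is_le = (arch & ARCH_FLAG_LE) != 0;
    ai.name = "unknown";
    if (ai.machine == ELF_EM_AARCH64 && ai.is_64bit && ai.is_le)
        ai.name = "AUDIT_ARCH_AARCH64";
    else if (ai.machine == ELF_EM_ARM && !ai.is_64bit)
        ai.name = ai.is_le ? "AUDIT_ARCH_ARM" : "AUDIT_ARCH_ARMEB";
    return ai;
}

/* Read the number after "key=" in one record line; -1 if absent or malformed. */
static int record_field(const char *line, const char *key, int base,
                        unsigned long *out)
{
    size_t klen = strlen(key);
    const char *p = line;

    while ((p = strstr(p, key)) != NULL) {
        if ((p == line || p[-1] == ' ') && p[klen] == '=') {
            char *end;
            unsigned long v = strtoul(p + klen + 1, &end, base);

            if (end == p + klen + 1)
                return -1;
            *out = v;
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Resolve a SYSCALL record's syscall name through its own arch= value.
 * Returns NULL when a field is missing or the pair is not in SC_TABLE. */
static const char *record_syscall_name(const char *line)
{
    unsigned long arch, nr;
    size_t i;

    if (record_field(line, "arch", 16, &arch) ||
        record_field(line, "syscall", 10, &nr))
        return NULL;
    for (i = 0; i < sizeof(SC_TABLE) / sizeof(SC_TABLE[0]); i++)
        if (SC_TABLE[i].machine == decode_audit_arch((uint32_t)arch).machine &&
            SC_TABLE[i].nr == nr)
            return SC_TABLE[i].name;
    return NULL;
}

/* Constructed sample records (not captured from a real system). */
static const char *const SAMPLES[] = {
    "type=SYSCALL msg=audit(1394000000.001:101): arch=c00000b7 syscall=56 exit=3",
    "type=SYSCALL msg=audit(1394000000.002:102): arch=40000028 syscall=322 exit=3",
    "type=SYSCALL msg=audit(1394000000.003:103): arch=40000028 syscall=56 exit=0",
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(SAMPLES) / sizeof(SAMPLES[0]); i++) {
        const char *name = record_syscall_name(SAMPLES[i]);
        printf("%s\n", name ? name : "(not in table)");
    }
    return 0;
}
```

The third record shows why a rule or query keyed on the syscall number alone is unreliable on a mixed AArch64/AArch32 system: 56 is openat only under the AArch64 table.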

* Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-02-28 16:15               ` Will Deacon
  (?)
@ 2014-03-06  2:10                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-06  2:10 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 03/01/2014 01:15 AM, Will Deacon wrote:
> On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
>> This patch adds auditing functions on entry to or exit from
>> every system call invocation.
>>
>> Acked-by: Richard Guy Briggs <rgb@redhat.com>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
>>   1 file changed, 32 insertions(+), 22 deletions(-)
>
> I think you need to do something like I did for arch/arm/, where we have
> separate trace functions for entry/exit  to make sure that we invoke the
> various helpers in the correct order (for example, you want to invoke all
> the debug stuff *first* on entry, but *last* on exit).
>
> Will
>

If you mean syscall_trace_enter()/exit(), I will follow your suggestion
for readability.

-Takahiro AKASHI

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 1/2] arm64: Add audit support
  2014-03-05  2:50               ` Richard Guy Briggs
@ 2014-03-06  2:21                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-06  2:21 UTC (permalink / raw)
  To: Richard Guy Briggs
  Cc: eparis, catalin.marinas, will.deacon, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 03/05/2014 11:50 AM, Richard Guy Briggs wrote:
> On 14/02/28, AKASHI Takahiro wrote:
>> On AArch64, audit is supported through generic lib/audit.c and
>> compat_audit.c, and so this patch adds arch specific definitions required.
>>
>> Acked-by Will Deacon <will.deacon@arm.com>
>> Acked-by: Richard Guy Briggs <rgb@redhat.com>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/Kconfig               |    1 +
>>   arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
>>   include/uapi/linux/audit.h       |    1 +
>>   3 files changed, 17 insertions(+)
>>
>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
>> index 27bbcfc..aa47548 100644
>> --- a/arch/arm64/Kconfig
>> +++ b/arch/arm64/Kconfig
>> @@ -25,6 +25,7 @@ config ARM64
>>   	select GENERIC_STRNLEN_USER
>>   	select GENERIC_TIME_VSYSCALL
>>   	select HARDIRQS_SW_RESEND
>> +	select HAVE_ARCH_AUDITSYSCALL
>>   	select HAVE_ARCH_JUMP_LABEL
>>   	select HAVE_ARCH_TRACEHOOK
>>   	select HAVE_DEBUG_BUGVERBOSE
>> diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
>> index 70ba9d4..6900183 100644
>> --- a/arch/arm64/include/asm/syscall.h
>> +++ b/arch/arm64/include/asm/syscall.h
>> @@ -16,7 +16,9 @@
>>   #ifndef __ASM_SYSCALL_H
>>   #define __ASM_SYSCALL_H
>>
>> +#include <linux/audit.h>
>
> This could be changed to <uapi/linux/audit.h> to pick up the
> AUDIT_ARCH_* definitions needed and not any of the audit kernel
> functions.

I will fix it in the next version.

Thank you,
-Takahiro AKASHI

>>   #include <linux/err.h>
>> +#include <asm/compat.h>
>>
>>
>>   static inline int syscall_get_nr(struct task_struct *task,
>> @@ -104,4 +106,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
>>   	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
>>   }
>>
>> +/*
>> + * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
>> + * AArch64 has the same system calls both on little- and big- endian.
>> + */
>> +static inline int syscall_get_arch(struct task_struct *task,
>> +				   struct pt_regs *regs)
>> +{
>> +	if (is_compat_thread(task_thread_info(task)))
>> +		return AUDIT_ARCH_ARM;
>> +
>> +	return AUDIT_ARCH_AARCH64;
>> +}
>> +
>>   #endif	/* __ASM_SYSCALL_H */
>> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> index 624df43..aa86fab 100644
>> --- a/include/uapi/linux/audit.h
>> +++ b/include/uapi/linux/audit.h
>> @@ -333,6 +333,7 @@ enum {
>>   /* distinguish syscall tables */
>>   #define __AUDIT_ARCH_64BIT 0x80000000
>>   #define __AUDIT_ARCH_LE	   0x40000000
>> +#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
>>   #define AUDIT_ARCH_ARMEB	(EM_ARM)
>> --
>> 1.7.9.5
>>
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs@redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 2/2] arm64: audit: Add audit hook in ptrace/syscall_trace
  2014-03-06  2:10                 ` AKASHI Takahiro
  (?)
@ 2014-03-06  2:55                   ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-03-06  2:55 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Will Deacon, viro, eparis, Catalin.Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 14/03/06, AKASHI Takahiro wrote:
> On 03/01/2014 01:15 AM, Will Deacon wrote:
> >On Fri, Feb 28, 2014 at 05:17:15AM +0000, AKASHI Takahiro wrote:
> >>This patch adds auditing functions on entry to or exit from
> >>every system call invocation.
> >>
> >>Acked-by: Richard Guy Briggs <rgb@redhat.com>
> >>Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> >>---
> >>  arch/arm64/kernel/ptrace.c |   54 ++++++++++++++++++++++++++------------------
> >>  1 file changed, 32 insertions(+), 22 deletions(-)
> >
> >I think you need to do something like I did for arch/arm/, where we have
> >separate trace functions for entry/exit  to make sure that we invoke the
> >various helpers in the correct order (for example, you want to invoke all
> >the debug stuff *first* on entry, but *last* on exit).
> >
> >Will
> 
> If you mean syscall_trace_enter()/exit(), I will follow your suggestion
> for readability.

It isn't so much a question of readability, but rather correctness,
undoing operations in the opposite order on exit that they were done on
entry.

> -Takahiro AKASHI

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v4 0/3] arm64: prerequisites for audit and ftrace
  2014-02-28  5:14                 ` AKASHI Takahiro
@ 2014-03-13 10:11                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This patchset contains some patches commonly applied for audit and ftrace.

Patch [1/3] defines syscall trace related TIF_* flags in order to add hooks,
including ftrace, audit and seccomp, later on.  Those features will be
implemented in separate patchsets, but it's safe to check for all TIF_*
now because they can not be turned on anyway.

Patch [2/3] doesn't change behavior but makes it easy and manageable to
confirm we invoke those hooks in the correct order by splitting syscall_trace().

Patch [3/3] adds a commonly used function, which returns the return value of
a system call.

Changes v3 -> v4:
* added "arm64: split syscall_trace() into separate functions for enter/
  exit", which is just a preparation for adding syscall trace hooks later.

Changes v2 -> v3:
* reverted a change in syscall_trace() in v1 [1/2]
* added "arm64: Add regs_return_value() in syscall.h" patch which was
  previously included in audit patch [2/2]

Changes v1 -> v2:
* added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*()
* renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK

AKASHI Takahiro (3):
  arm64: make a single hook to syscall_trace() for all syscall features
  arm64: split syscall_trace() into separate functions for enter/exit
  arm64: Add regs_return_value() in syscall.h

 arch/arm64/include/asm/ptrace.h      |    5 ++++
 arch/arm64/include/asm/thread_info.h |   13 +++++++++
 arch/arm64/kernel/entry.S            |   15 +++++------
 arch/arm64/kernel/ptrace.c           |   48 ++++++++++++++++++++++++++--------
 4 files changed, 62 insertions(+), 19 deletions(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v4 1/3] arm64: make a single hook to syscall_trace() for all syscall features
  2014-03-13 10:11                   ` AKASHI Takahiro
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
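
Review bot: The added comment line spells the flag TIF_SECOMP, while the define added in the next hunk is TIF_SECCOMP; fix the spelling so a grep for the flag finds its description. The comment also lists TIF_SYSCALL_TRACEPOINT before TIF_SYSCALL_AUDIT, the reverse of their bit numbers (10 and 9); listing them in bit order would match the defines.
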
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
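
Review bot: _TIF_SYSCALL_WORK is consumed in entry.S as the immediate of "tst x16, #_TIF_SYSCALL_WORK", so the mask has to stay encodable as an AArch64 logical immediate. Bits 8 to 11 form one contiguous run, so this assembles today, but a flag added outside that run later could make the mask unencodable and break the build in entry.S; a comment next to the define saying the syscall work flags must stay adjacent would prevent that.
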
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
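
Review bot: After this change any of the four flags sends the task through __sys_trace and therefore into syscall_trace(), but the diffstat shows no change to ptrace.c, so syscall_trace() would still do its ptrace reporting for a task that has only TIF_SYSCALL_AUDIT, TIF_SYSCALL_TRACEPOINT or TIF_SECCOMP set. The cover letter argues this is safe because those flags cannot be turned on yet; that reasoning belongs in this commit message, since the cover letter does not end up in git history.
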
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 1/3] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: linux-arm-kernel

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
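Review bot: the added comment line spells the flag TIF_SECOMP, but the define introduced in the next hunk is TIF_SECCOMP; fix the comment so a grep for the flag name finds its description. The three new comment entries are also listed in a different order (TRACEPOINT, AUDIT, SECCOMP) from the bit numbers assigned below (AUDIT 9, TRACEPOINT 10, SECCOMP 11); keeping one order would make the block easier to check.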
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
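Review bot: the tst against #_TIF_SYSCALL_WORK only assembles because the four flags occupy adjacent bits 8-11, which makes the mask a single run of ones that fits an AArch64 logical immediate; a flag added later at a non-adjacent bit would break the build at this instruction. Say so in a comment next to the _TIF_SYSCALL_WORK define. Also note that every flag in the mask now sends the task down the __sys_trace slow path, so the C side has to test each flag itself rather than assume TIF_SYSCALL_TRACE is set.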
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 2/3] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-13 10:11                   ` AKASHI Takahiro
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  |   10 ++++-----
 arch/arm64/kernel/ptrace.c |   48 ++++++++++++++++++++++++++++++++++----------
 2 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..9993a8f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 *   0 -> entry
+	 */
 	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
 		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
+		regs->regs[12] = 0;
 	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
 		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
+		regs->regs[7] = 0;
 	}
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
+	if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
 	if (is_compat_task())
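Review bot: syscall_trace_enter() still returns early when TIF_SYSCALL_TRACE is clear, so a task that reaches __sys_trace only because of the audit, tracepoint or seccomp flag gets no hook from this function; that is acceptable as an intermediate step, but the commit message should state that the per-feature checks arrive in later patches. In the new comment, "scrach" should be "scratch", and the bare 0 written to regs[12]/regs[7] would read better as a named constant shared with the exit path.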
@@ -1090,3 +1088,31 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	unsigned long saved_reg;
+
+	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+		return;
+
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 *   1 -> exit
+	 */
+	if (is_compat_task()) {
+		saved_reg = regs->regs[12];
+		regs->regs[12] = 1;
+	} else {
+		saved_reg = regs->regs[7];
+		regs->regs[7] = 1;
+	}
+
+	tracehook_report_syscall_exit(regs, 0);
+
+	if (is_compat_task())
+		regs->regs[12] = saved_reg;
+	else
+		regs->regs[7] = saved_reg;
+}
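Review bot: syscall_trace_exit() repeats the save/mark/restore sequence of syscall_trace_enter() line for line, with only the marker value (1 instead of 0) and the tracehook call changed; pick the scratch register index once (12 for a compat task, 7 otherwise) and index regs->regs[] with it, which removes both is_compat_task() branches in each function. The new comment repeats the "scrach" typo.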
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 2/3] arm64: split syscall_trace() into separate functions for enter/exit
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: linux-arm-kernel

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  |   10 ++++-----
 arch/arm64/kernel/ptrace.c |   48 ++++++++++++++++++++++++++++++++++----------
 2 files changed, 41 insertions(+), 17 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..9993a8f 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return regs->syscallno;
 
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 *   0 -> entry
+	 */
 	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
 		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
+		regs->regs[12] = 0;
 	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
 		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
+		regs->regs[7] = 0;
 	}
 
-	if (dir)
-		tracehook_report_syscall_exit(regs, 0);
-	else if (tracehook_report_syscall_entry(regs))
+	if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
 	if (is_compat_task())
@@ -1090,3 +1088,31 @@ asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	unsigned long saved_reg;
+
+	if (!test_thread_flag(TIF_SYSCALL_TRACE))
+		return;
+
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 *   1 -> exit
+	 */
+	if (is_compat_task()) {
+		saved_reg = regs->regs[12];
+		regs->regs[12] = 1;
+	} else {
+		saved_reg = regs->regs[7];
+		regs->regs[7] = 1;
+	}
+
+	tracehook_report_syscall_exit(regs, 0);
+
+	if (is_compat_task())
+		regs->regs[12] = saved_reg;
+	else
+		regs->regs[7] = saved_reg;
+}
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 3/3] arm64: Add regs_return_value() in syscall.h
  2014-03-13 10:11                   ` AKASHI Takahiro
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
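Review bot: the subject line says the helper is added in syscall.h and the commit message calls it a macro, but the hunk adds a static inline function to arch/arm64/include/asm/ptrace.h; align the subject and description with what the diff does. Since regs[0] is returned as unsigned long, callers that need the sign of an error return have to cast, which is worth a one-line comment above the helper.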
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v4 3/3] arm64: Add regs_return_value() in syscall.h
@ 2014-03-13 10:11                     ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:11 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v7 0/2] arm64: Add audit support
  2014-02-28  5:17           ` AKASHI Takahiro
@ 2014-03-13 10:16             ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c; functionally it doesn't depend on ftrace, though.)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |    7 +++++++
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 24 insertions(+)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v7 0/2] arm64: Add audit support
@ 2014-03-13 10:16             ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: linux-arm-kernel

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c; functionally it doesn't depend on ftrace, though.)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |    7 +++++++
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 24 insertions(+)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v7 1/2] arm64: Add audit support
  2014-03-13 10:16             ` AKASHI Takahiro
@ 2014-03-13 10:16               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b1dcdb4..7ca6799 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..ce3882f 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 extern const void *sys_call_table[];
 
@@ -105,4 +107,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
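Review bot: syscall_get_arch() never uses its regs parameter and returns the little-endian constants unconditionally, so on a big-endian kernel audit records will carry an arch value with __AUDIT_ARCH_LE set; the comment explains why the syscall table is the same, but it should also say that consumers of the arch field cannot infer the task's byte order from it. For compat tasks this means AUDIT_ARCH_ARM is reported even where AUDIT_ARCH_ARMEB (defined in include/uapi/linux/audit.h) would describe the task.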
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
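Review bot: AUDIT_ARCH_AARCH64 depends on EM_AARCH64, and nothing in this patch defines it or adds an include that would; since this is a uapi header, confirm that the header it takes its EM_* values from already exports EM_AARCH64 to userspace, otherwise tools that include linux/audit.h will fail to build as soon as they use the new constant.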
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread
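The v7 cover letter and the audit.h hunk above make the arch value the only thing that tells a log consumer which syscall table a record's number belongs to (AUDIT_ARCH_AARCH64 for native tasks, AUDIT_ARCH_ARM for compat tasks). The decoder below is an added example, not code from this patch series; the sample records are constructed, and the EM_* numbers and the two openat numbers are assumptions taken from the ELF specification and the kernel syscall tables rather than from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits, with the values shown in the include/uapi/linux/audit.h hunk. */
#define ARCH_FLAG_64BIT 0x80000000u	/* __AUDIT_ARCH_64BIT */
#define ARCH_FLAG_LE    0x40000000u	/* __AUDIT_ARCH_LE */

/* ELF e_machine numbers (assumption: from the ELF spec, not from this page). */
#define EX_EM_ARM     40u
#define EX_EM_AARCH64 183u

#define EX_AUDIT_ARCH_ARM     (EX_EM_ARM | ARCH_FLAG_LE)
#define EX_AUDIT_ARCH_AARCH64 (EX_EM_AARCH64 | ARCH_FLAG_64BIT | ARCH_FLAG_LE)

/* openat in each table (assumption: from the kernel syscall tables). */
#define NR_OPENAT_ARM64 56ul
#define NR_OPENAT_ARM   322ul

struct arch_info {
	unsigned machine;	/* ELF e_machine part of the value */
	int is_64bit;
	int is_le;
	const char *table;	/* syscall table the record's number indexes */
};

/* Split an audit arch value into machine number and flag bits. */
static void decode_audit_arch(uint32_t arch, struct arch_info *out)
{
	out->machine = arch & ~(ARCH_FLAG_64BIT | ARCH_FLAG_LE);
	out->is_64bit = !!(arch & ARCH_FLAG_64BIT);
	out->is_le = !!(arch & ARCH_FLAG_LE);
	if (arch == EX_AUDIT_ARCH_AARCH64)
		out->table = "arm64 native";
	else if (arch == EX_AUDIT_ARCH_ARM)
		out->table = "AArch32 compat";
	else
		out->table = "unknown";
}

/* Read "key=<number>" from a record; key must start a field. 0 on success. */
static int parse_field(const char *rec, const char *key, int base,
		       unsigned long *val)
{
	size_t klen = strlen(key);
	const char *p = rec;

	while ((p = strstr(p, key)) != NULL) {
		if (p == rec || p[-1] == ' ') {
			char *end;
			unsigned long v = strtoul(p + klen, &end, base);

			if (end == p + klen || (*end != ' ' && *end != '\0'))
				return -1;	/* empty or malformed value */
			*val = v;
			return 0;
		}
		p += klen;	/* matched inside another key, keep looking */
	}
	return -1;
}

/*
 * 1 if the record is an openat call, 0 if it is another syscall,
 * -1 if the record cannot be classified (missing field, unknown arch).
 * The syscall number is only compared after the arch has picked the table.
 */
static int record_is_openat(const char *rec)
{
	unsigned long arch, nr;

	if (parse_field(rec, "arch=", 16, &arch) ||
	    parse_field(rec, "syscall=", 10, &nr))
		return -1;

	switch ((uint32_t)arch) {
	case EX_AUDIT_ARCH_AARCH64:
		return nr == NR_OPENAT_ARM64;
	case EX_AUDIT_ARCH_ARM:
		return nr == NR_OPENAT_ARM;
	default:
		return -1;
	}
}

/* Constructed sample records, not captured from a real system. */
static const char *SAMPLE_NATIVE =
	"type=SYSCALL msg=audit(0.000:1): arch=c00000b7 syscall=56 success=yes exit=3";
static const char *SAMPLE_COMPAT =
	"type=SYSCALL msg=audit(0.000:2): arch=40000028 syscall=322 success=yes exit=3";
static const char *SAMPLE_COMPAT_56 =
	"type=SYSCALL msg=audit(0.000:3): arch=40000028 syscall=56 success=yes exit=0";

int main(void)
{
	const char *recs[] = { SAMPLE_NATIVE, SAMPLE_COMPAT, SAMPLE_COMPAT_56 };
	struct arch_info ai;
	unsigned long arch;

	for (size_t i = 0; i < sizeof(recs) / sizeof(recs[0]); i++) {
		parse_field(recs[i], "arch=", 16, &arch);
		decode_audit_arch((uint32_t)arch, &ai);
		printf("machine=%u 64bit=%d le=%d table=%s openat=%d\n",
		       ai.machine, ai.is_64bit, ai.is_le, ai.table,
		       record_is_openat(recs[i]));
	}
	return 0;
}
```

A rule or detection that matches on syscall=56 alone would count the third record as openat; keying on the arch value first avoids that.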

* [PATCH v7 1/2] arm64: Add audit support
@ 2014-03-13 10:16               ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: linux-arm-kernel

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    1 +
 arch/arm64/include/asm/syscall.h |   15 +++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b1dcdb4..7ca6799 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -25,6 +25,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..ce3882f 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 extern const void *sys_call_table[];
 
@@ -105,4 +107,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v7 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-03-13 10:16             ` AKASHI Takahiro
@ 2014-03-13 10:16               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 9c52b3e..d10c637 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1091,6 +1093,9 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_enter(regs, regs->syscallno);
 
+	audit_syscall_entry(syscall_get_arch(current, regs), regs->syscallno,
+		regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
 
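Review bot: audit_syscall_entry() is given regs->orig_x0 as the first argument but the live regs->regs[1..3] for the others, with no comment explaining the asymmetry; if a tracer changes the argument registers at the entry stop, the record would mix the original x0 with possibly rewritten x1-x3, so state which view audit is meant to record and use it for all four. The call is also unconditional, unlike the trace_sys_enter() just above it that is gated on TIF_SYSCALL_TRACEPOINT; if that relies on a check inside audit_syscall_entry(), the commit message should say so.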
@@ -1098,6 +1103,8 @@ asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_exit(regs, regs_return_value(regs));
 
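Review bot: audit_syscall_exit() is placed ahead of trace_sys_exit(), the reverse of the entry path where trace_sys_enter() runs before audit_syscall_entry(), and nothing in the code or the commit message records that this ordering is deliberate; add a short comment in both functions naming the intended order so that later hooks such as seccomp are not inserted in the wrong place.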
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v7 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
@ 2014-03-13 10:16               ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-13 10:16 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 9c52b3e..d10c637 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
@@ -38,6 +39,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1091,6 +1093,9 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_enter(regs, regs->syscallno);
 
+	audit_syscall_entry(syscall_get_arch(current, regs), regs->syscallno,
+		regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
 
@@ -1098,6 +1103,8 @@ asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
 	unsigned long saved_reg;
 
+	audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_exit(regs, regs_return_value(regs));
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v4 1/3] arm64: make a single hook to syscall_trace() for all syscall features
  2014-03-13 10:11                     ` AKASHI Takahiro
  (?)
@ 2014-03-13 18:28                       ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-03-13 18:28 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Thu, Mar 13, 2014 at 10:11:29AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---

Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v4 1/3] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-03-13 18:28                       ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-03-13 18:28 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Thu, Mar 13, 2014 at 10:11:29AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---

Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v4 1/3] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-03-13 18:28                       ` Will Deacon
  0 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-03-13 18:28 UTC (permalink / raw)
  To: linux-arm-kernel

On Thu, Mar 13, 2014 at 10:11:29AM +0000, AKASHI Takahiro wrote:
> Currently syscall_trace() is called only for ptrace.
> With additional TIF_xx flags defined, it is now called in all the cases
> of audit, ftrace and seccomp in addition to ptrace.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---

Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v4 2/3] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-13 10:11                     ` AKASHI Takahiro
  (?)
@ 2014-03-13 18:41                       ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-03-13 18:41 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Thu, Mar 13, 2014 at 10:11:30AM +0000, AKASHI Takahiro wrote:
> As done in arm, this change makes it easy to confirm we invoke syscall
> related hooks, including syscall tracepoint, audit and seccomp which would
> be implemented later, in correct order. That is, undoing operations in the
> opposite order on exit that they were done on entry.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
> ---
>  arch/arm64/kernel/entry.S  |   10 ++++-----
>  arch/arm64/kernel/ptrace.c |   48 ++++++++++++++++++++++++++++++++++----------
>  2 files changed, 41 insertions(+), 17 deletions(-)

[...]

> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..9993a8f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
>  	return ptrace_request(child, request, addr, data);
>  }
>  
> -asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
> +asmlinkage int syscall_trace_enter(struct pt_regs *regs)
>  {
>  	unsigned long saved_reg;
>  
>  	if (!test_thread_flag(TIF_SYSCALL_TRACE))
>  		return regs->syscallno;
>  
> +	/*
> +	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
> +	 * used to denote syscall entry/exit:
> +	 *   0 -> entry
> +	 */

You could add an enum, like we have on ARM (ptrace_syscall_dir) for the two
directions.

>  	if (is_compat_task()) {
> -		/* AArch32 uses ip (r12) for scratch */
>  		saved_reg = regs->regs[12];
> -		regs->regs[12] = dir;
> +		regs->regs[12] = 0;
>  	} else {
> -		/*
> -		 * Save X7. X7 is used to denote syscall entry/exit:
> -		 *   X7 = 0 -> entry, = 1 -> exit
> -		 */
>  		saved_reg = regs->regs[7];
> -		regs->regs[7] = dir;
> +		regs->regs[7] = 0;
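
Review bot: The early return on !test_thread_flag(TIF_SYSCALL_TRACE) at the top of syscall_trace_enter() sits ahead of everything else in the function, so an audit, seccomp or tracepoint hook placed below it later (the commit message says these will be implemented later) would be skipped for a task that has only that hook's flag set. Scoping the test to the ptrace reporting block, instead of returning, keeps the function safe to extend. The added comment also spells "scratch" as "scrach".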

This code could also be refactored so we calculated the register number
once, then avoid the if (is_compat_task()) check all over the place.

Similarly on the exit path.

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v7 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-03-13 10:16               ` AKASHI Takahiro
  (?)
@ 2014-03-13 18:43                 ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-03-13 18:43 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Thu, Mar 13, 2014 at 10:16:07AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v4 2/3] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-13 18:41                       ` Will Deacon
  (?)
@ 2014-03-14 16:51                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-14 16:51 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 03/14/2014 03:41 AM, Will Deacon wrote:
> On Thu, Mar 13, 2014 at 10:11:30AM +0000, AKASHI Takahiro wrote:
>> As done in arm, this change makes it easy to confirm we invoke syscall
>> related hooks, including syscall tracepoint, audit and seccomp which would
>> be implemented later, in correct order. That is, undoing operations in the
>> opposite order on exit that they were done on entry.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>> ---
>>   arch/arm64/kernel/entry.S  |   10 ++++-----
>>   arch/arm64/kernel/ptrace.c |   48 ++++++++++++++++++++++++++++++++++----------
>>   2 files changed, 41 insertions(+), 17 deletions(-)
>
> [...]
>
>> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
>> index 6a8928b..9993a8f 100644
>> --- a/arch/arm64/kernel/ptrace.c
>> +++ b/arch/arm64/kernel/ptrace.c
>> @@ -1058,29 +1058,27 @@ long arch_ptrace(struct task_struct *child, long request,
>>   	return ptrace_request(child, request, addr, data);
>>   }
>>
>> -asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
>> +asmlinkage int syscall_trace_enter(struct pt_regs *regs)
>>   {
>>   	unsigned long saved_reg;
>>
>>   	if (!test_thread_flag(TIF_SYSCALL_TRACE))
>>   		return regs->syscallno;
>>
>> +	/*
>> +	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
>> +	 * used to denote syscall entry/exit:
>> +	 *   0 -> entry
>> +	 */
>
> You could add an enum, like we have on ARM (ptrace_syscall_dir) for the two
> directions.
>
>>   	if (is_compat_task()) {
>> -		/* AArch32 uses ip (r12) for scratch */
>>   		saved_reg = regs->regs[12];
>> -		regs->regs[12] = dir;
>> +		regs->regs[12] = 0;
>>   	} else {
>> -		/*
>> -		 * Save X7. X7 is used to denote syscall entry/exit:
>> -		 *   X7 = 0 -> entry, = 1 -> exit
>> -		 */
>>   		saved_reg = regs->regs[7];
>> -		regs->regs[7] = dir;
>> +		regs->regs[7] = 0;
>
> This code could also be refactored so we calculated the register number
> once, then avoid the if (is_compat_task()) check all over the place.
>
> Similarly on the exit path.

OK, I will implement tracehook_report_syscall() as in arm.

-Takahiro AKASHI


> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v5 0/4] arm64: prerequisites for audit and ftrace
  2014-03-13 10:11                   ` AKASHI Takahiro
  (?)
@ 2014-03-15  5:39                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This patchset contains some patches commonly applied for audit and ftrace.

Patch [1/4] defines syscall trace related TIF_* flags in order to add hooks,
including ftrace, audit and seccomp, later on.  Those features will be
implemented in separate patchsets, but it's safe to check for all TIF_*
now because they can not be turned on anyway.

Patch [2/4] doesn't change any behavior but makes it easy and manageable to
confirm we invoke those hooks in correct order by splitting syscall_trace().

Patch [3/4] adds a commonly used function, which returns the return value of
a system call.

Patch [4/4] removes is_compat_task from asm/compat.h to avoid conflicting
definitions.

Changes v4 -> v5:
* added the following patch from my seccomp patch since it is required for
  audit and ftrace in case of !COMPAT, too. [4/4]
  "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h"

Changes v3 -> v4:
* added "arm64: split syscall_trace() into separate functions for enter/
  exit", which is just a preparation for adding syscall trace hooks later.

Changes v2 -> v3:
* reverted a change in syscall_trace() in v1 [1/2]
* added "arm64: Add regs_return_value() in syscall.h" patch which was
  previously included in audit patch [2/2]

Changes v1 -> v2:
* added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*()
* renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK

AKASHI Takahiro (4):
  arm64: make a single hook to syscall_trace() for all syscall features
  arm64: split syscall_trace() into separate functions for enter/exit
  arm64: Add regs_return_value() in syscall.h
  arm64: is_compat_task is defined both in asm/compat.h and
    linux/compat.h

 arch/arm64/include/asm/compat.h      |  5 ----
 arch/arm64/include/asm/ptrace.h      |  5 ++++
 arch/arm64/include/asm/thread_info.h | 13 +++++++++
 arch/arm64/kernel/entry.S            | 15 +++++------
 arch/arm64/kernel/hw_breakpoint.c    |  2 +-
 arch/arm64/kernel/process.c          |  1 +
 arch/arm64/kernel/ptrace.c           | 51 +++++++++++++++++++++---------------
 arch/arm64/kernel/signal.c           |  2 +-
 8 files changed, 58 insertions(+), 36 deletions(-)

-- 
1.8.3.2


^ permalink raw reply	[flat|nested] 297+ messages in thread
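
A user-space model of the entry test that patch [1/4] in the cover letter above changes, added here as an illustration and not part of the posted series: it compares the single-bit TIF_SYSCALL_TRACE test with the _TIF_SYSCALL_WORK mask test, and shows how an early-return guard on TIF_SYSCALL_TRACE differs from a scoped one. The bit numbers come from the series; the RAN_* constants, the function names and the audit hook placed after the guard are assumptions made for the example.

```c
#include <stdio.h>

/* Bit numbers and mask as defined by patch 1/4 (1UL used here instead of 1). */
#define TIF_SYSCALL_TRACE	8
#define TIF_SYSCALL_AUDIT	9
#define TIF_SYSCALL_TRACEPOINT	10
#define TIF_SECCOMP		11

#define _TIF_SYSCALL_TRACE	(1UL << TIF_SYSCALL_TRACE)
#define _TIF_SYSCALL_AUDIT	(1UL << TIF_SYSCALL_AUDIT)
#define _TIF_SYSCALL_TRACEPOINT	(1UL << TIF_SYSCALL_TRACEPOINT)
#define _TIF_SECCOMP		(1UL << TIF_SECCOMP)
#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)

/* Hypothetical bookkeeping: which hooks a modelled syscall entry ran. */
#define RAN_PTRACE	0x1u
#define RAN_AUDIT	0x2u

/* Old entry test: tbnz x16, #TIF_SYSCALL_TRACE, __sys_trace */
static int slow_path_old(unsigned long flags)
{
	return (flags & _TIF_SYSCALL_TRACE) != 0;
}

/* New entry test: tst x16, #_TIF_SYSCALL_WORK ; b.ne __sys_trace */
static int slow_path_new(unsigned long flags)
{
	return (flags & _TIF_SYSCALL_WORK) != 0;
}

/*
 * Guard shaped like the early return in syscall_trace_enter(), with an
 * assumed audit hook placed below it: the hook is never reached unless
 * TIF_SYSCALL_TRACE is also set.
 */
static unsigned int enter_early_return(unsigned long flags)
{
	unsigned int ran = 0;

	if (!(flags & _TIF_SYSCALL_TRACE))
		return ran;
	ran |= RAN_PTRACE;
	if (flags & _TIF_SYSCALL_AUDIT)
		ran |= RAN_AUDIT;
	return ran;
}

/* Same hooks, but the TIF_SYSCALL_TRACE test only covers the ptrace step. */
static unsigned int enter_scoped_guard(unsigned long flags)
{
	unsigned int ran = 0;

	if (flags & _TIF_SYSCALL_TRACE)
		ran |= RAN_PTRACE;
	if (flags & _TIF_SYSCALL_AUDIT)
		ran |= RAN_AUDIT;
	return ran;
}

/*
 * Walk all 16 combinations of the four syscall flags and count those
 * where some hook flag is set but the entry test stays on the fast path.
 */
static int missed_combinations(int (*slow_path)(unsigned long))
{
	int missed = 0;
	unsigned long bits;

	for (bits = 0; bits < 16; bits++) {
		unsigned long flags = bits << TIF_SYSCALL_TRACE;

		if ((flags & _TIF_SYSCALL_WORK) && !slow_path(flags))
			missed++;
	}
	return missed;
}

int main(void)
{
	printf("mask                         = %#lx\n", _TIF_SYSCALL_WORK);
	printf("missed by single-bit test    = %d\n",
	       missed_combinations(slow_path_old));
	printf("missed by mask test          = %d\n",
	       missed_combinations(slow_path_new));
	printf("audit-only, early return     = %#x\n",
	       enter_early_return(_TIF_SYSCALL_AUDIT));
	printf("audit-only, scoped guard     = %#x\n",
	       enter_scoped_guard(_TIF_SYSCALL_AUDIT));
	return 0;
}
```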

* [PATCH v5 1/4] arm64: make a single hook to syscall_trace() for all syscall features
  2014-03-15  5:39                     ` AKASHI Takahiro
  (?)
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h | 13 +++++++++++++
 arch/arm64/kernel/entry.S            |  5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
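Review bot: The added comment line names TIF_SECOMP, which does not match the TIF_SECCOMP define added in the next hunk; fix the spelling so a search for the flag name finds its description. The comment also lists TIF_SYSCALL_TRACEPOINT before TIF_SYSCALL_AUDIT, while the bit numbers are assigned in the other order (9 for audit, 10 for tracepoint).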
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
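Review bot: tst x16, #_TIF_SYSCALL_WORK takes the mask as an immediate, so it assembles only while _TIF_SYSCALL_WORK remains encodable as an AArch64 logical immediate; that holds here because the four flags occupy the contiguous bits 8 to 11. A comment next to the _TIF_SYSCALL_WORK definition stating this dependency would spare whoever adds a non-adjacent flag a confusing assembler error.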
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 1/4] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: linaro-kernel, rgb, catalin.marinas, arndb, eparis, linux-kernel,
	AKASHI Takahiro, dsaxena, viro, linux-audit, linux-arm-kernel

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h | 13 +++++++++++++
 arch/arm64/kernel/entry.S            |  5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 1/4] arm64: make a single hook to syscall_trace() for all syscall features
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: linux-arm-kernel

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h | 13 +++++++++++++
 arch/arm64/kernel/entry.S            |  5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
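Review bot: The added comment line spells the flag "TIF_SECOMP", while the define added further down is TIF_SECCOMP; please fix the comment so a grep for the flag name finds its description. The comment also lists TIF_SYSCALL_TRACEPOINT before TIF_SYSCALL_AUDIT, the reverse of the bit order (9 is AUDIT, 10 is TRACEPOINT); matching the two makes the block easier to check.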
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
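Review bot: _TIF_SYSCALL_WORK needs a comment saying it is used as an immediate operand in entry.S ("tst x16, #_TIF_SYSCALL_WORK"), because that instruction only assembles while the mask is a valid logical immediate. With bits 8 to 11 the mask is one contiguous run (0xf00) and encodes fine, but a flag added later outside that run may not, and the failure would show up in entry.S rather than here.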
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-15  5:39                     ` AKASHI Takahiro
  (?)
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in the correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  | 10 ++++------
 arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..f606276 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+	PTRACE_SYSCALL_ENTER = 0,
+	PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+				     enum ptrace_syscall_dir dir)
 {
+	int scrach;
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 */
+	scrach = (is_compat_task() ? 12 : 7);
+	saved_reg = regs->regs[scrach];
+	regs->regs[scrach] = dir;
 
-	if (dir)
+	if (dir == PTRACE_SYSCALL_EXIT)
 		tracehook_report_syscall_exit(regs, 0);
 	else if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	regs->regs[scrach] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
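Review bot: The new local and its comment in tracehook_report_syscall() are spelled "scrach"; please rename to "scratch" (or "regno", since it holds a register index, not the saved value). The rewritten comment also ends in a colon with nothing after it: the old "X7 = 0 -> entry, = 1 -> exit" line was dropped, so the encoding that a tracer reads from r12/x7 is no longer documented. Restore it, ideally in terms of PTRACE_SYSCALL_ENTER and PTRACE_SYSCALL_EXIT.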
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: linaro-kernel, rgb, catalin.marinas, arndb, eparis, linux-kernel,
	AKASHI Takahiro, dsaxena, viro, linux-audit, linux-arm-kernel

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in the correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  | 10 ++++------
 arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..f606276 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+	PTRACE_SYSCALL_ENTER = 0,
+	PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+				     enum ptrace_syscall_dir dir)
 {
+	int scrach;
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 */
+	scrach = (is_compat_task() ? 12 : 7);
+	saved_reg = regs->regs[scrach];
+	regs->regs[scrach] = dir;
 
-	if (dir)
+	if (dir == PTRACE_SYSCALL_EXIT)
 		tracehook_report_syscall_exit(regs, 0);
 	else if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	regs->regs[scrach] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
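Review bot: syscall_trace_enter() returns int, but the value it returns, regs->syscallno, is set to ~0UL when tracehook_report_syscall_entry() asks for the syscall to be skipped, so the return narrows that to -1. The assembly caller does "uxtw scno, w0", so this works today, but the contract is implicit. Please add a comment on syscall_trace_enter() stating that the low 32 bits are what the caller consumes and that an all-ones value means "skip", so later hooks added here (audit, seccomp) return the same thing.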
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: linux-arm-kernel

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in the correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  | 10 ++++------
 arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..f606276 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+	PTRACE_SYSCALL_ENTER = 0,
+	PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+				     enum ptrace_syscall_dir dir)
 {
+	int scrach;
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	/*
+	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 */
+	scrach = (is_compat_task() ? 12 : 7);
+	saved_reg = regs->regs[scrach];
+	regs->regs[scrach] = dir;
 
-	if (dir)
+	if (dir == PTRACE_SYSCALL_EXIT)
 		tracehook_report_syscall_exit(regs, 0);
 	else if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	regs->regs[scrach] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
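Review bot: Both syscall_trace_enter() and syscall_trace_exit() check only TIF_SYSCALL_TRACE, while the changelog gives hook ordering as the reason for the split. Since the entry path reaches these functions for any _TIF_SYSCALL_WORK flag, a short comment in each function stating the intended order (which hook runs first on entry and therefore last on exit) would let the follow-up audit, tracepoint and seccomp patches be checked against it instead of against the changelog.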
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 3/4] arm64: Add regs_return_value() in syscall.h
  2014-03-15  5:39                     ` AKASHI Takahiro
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
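Review bot: The subject line says the helper is added "in syscall.h" and the changelog calls it a macro, but this hunk adds a static inline function to arch/arm64/include/asm/ptrace.h. Please fix the subject and changelog to match. As the function only reads regs->regs[0], a one-line comment that this is the syscall return value as seen at exit (x0, or r0 for a compat task) would help audit readers.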
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 3/4] arm64: Add regs_return_value() in syscall.h
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index 0e7fa49..5800ec1 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -134,6 +134,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	((regs)->sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
  2014-03-15  5:39                     ` AKASHI Takahiro
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Some kernel files may include both linux/compat.h and asm/compat.h directly
or indirectly. Since both header files contain is_compat_task() under
!CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
(do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
implemented).

So this patch proactively
1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
2) replaces asm/compat.h with linux/compat.h in kernel/*.c,
   but asm/compat.h is still necessary in ptrace.c and process.c because
   they use is_compat_thread().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/compat.h   | 5 -----
 arch/arm64/kernel/hw_breakpoint.c | 2 +-
 arch/arm64/kernel/process.c       | 1 +
 arch/arm64/kernel/ptrace.c        | 1 +
 arch/arm64/kernel/signal.c        | 2 +-
 5 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
index fda2704..3b334f9 100644
--- a/arch/arm64/include/asm/compat.h
+++ b/arch/arm64/include/asm/compat.h
@@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
 
 #else /* !CONFIG_COMPAT */
 
-static inline int is_compat_task(void)
-{
-	return 0;
-}
-
 static inline int is_compat_thread(struct thread_info *thread)
 {
 	return 0;
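Review bot: Removing the !CONFIG_COMPAT stub of is_compat_task() here means every arm64 file that calls it must now get the definition from linux/compat.h, and the patch only adjusts hw_breakpoint.c, process.c, ptrace.c and signal.c. Please state in the changelog that the remaining callers under arch/arm64 were checked (a build with CONFIG_COMPAT disabled is the simplest proof), since a missed file fails only in that configuration.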
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index f17f581..a45e2db 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
 
 #define pr_fmt(fmt) "hw-breakpoint: " fmt
 
+#include <linux/compat.h>
 #include <linux/cpu_pm.h>
 #include <linux/errno.h>
 #include <linux/hw_breakpoint.h>
@@ -27,7 +28,6 @@
 #include <linux/ptrace.h>
 #include <linux/smp.h>
 
-#include <asm/compat.h>
 #include <asm/current.h>
 #include <asm/debug-monitors.h>
 #include <asm/hw_breakpoint.h>
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 1c0a9be..fc8a387 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -20,6 +20,7 @@
 
 #include <stdarg.h>
 
+#include <linux/compat.h>
 #include <linux/export.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
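Review bot: The changelog says asm/compat.h is still necessary in process.c and ptrace.c because they use is_compat_thread(), but this hunk (and the ptrace.c one below) only adds linux/compat.h and shows no asm/compat.h include. Please confirm each file includes asm/compat.h explicitly rather than relying on it arriving through another header, otherwise is_compat_thread() depends on include order in the !CONFIG_COMPAT build.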
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index f606276..c47a3ed 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 890a591..4a09989 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -17,6 +17,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/errno.h>
 #include <linux/signal.h>
 #include <linux/personality.h>
@@ -25,7 +26,6 @@
 #include <linux/tracehook.h>
 #include <linux/ratelimit.h>
 
-#include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v5 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
@ 2014-03-15  5:39                       ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:39 UTC (permalink / raw)
  To: linux-arm-kernel

Some kernel files may include both linux/compat.h and asm/compat.h directly
or indirectly. Since both header files contain is_compat_task() under
!CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
(do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
implemented).

So this patch proactively
1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
2) replaces asm/compat.h with linux/compat.h in kernel/*.c,
   but asm/compat.h is still necessary in ptrace.c and process.c because
   they use is_compat_thread().

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/compat.h   | 5 -----
 arch/arm64/kernel/hw_breakpoint.c | 2 +-
 arch/arm64/kernel/process.c       | 1 +
 arch/arm64/kernel/ptrace.c        | 1 +
 arch/arm64/kernel/signal.c        | 2 +-
 5 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
index fda2704..3b334f9 100644
--- a/arch/arm64/include/asm/compat.h
+++ b/arch/arm64/include/asm/compat.h
@@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
 
 #else /* !CONFIG_COMPAT */
 
-static inline int is_compat_task(void)
-{
-	return 0;
-}
-
 static inline int is_compat_thread(struct thread_info *thread)
 {
 	return 0;
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index f17f581..a45e2db 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
 
 #define pr_fmt(fmt) "hw-breakpoint: " fmt
 
+#include <linux/compat.h>
 #include <linux/cpu_pm.h>
 #include <linux/errno.h>
 #include <linux/hw_breakpoint.h>
@@ -27,7 +28,6 @@
 #include <linux/ptrace.h>
 #include <linux/smp.h>
 
-#include <asm/compat.h>
 #include <asm/current.h>
 #include <asm/debug-monitors.h>
 #include <asm/hw_breakpoint.h>
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 1c0a9be..fc8a387 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -20,6 +20,7 @@
 
 #include <stdarg.h>
 
+#include <linux/compat.h>
 #include <linux/export.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index f606276..c47a3ed 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 890a591..4a09989 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -17,6 +17,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/errno.h>
 #include <linux/signal.h>
 #include <linux/personality.h>
@@ -25,7 +26,6 @@
 #include <linux/tracehook.h>
 #include <linux/ratelimit.h>
 
-#include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH_v8 0/2] arm64: Add audit support
  2014-03-13 10:16             ` AKASHI Takahiro
@ 2014-03-15  5:49               ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:49 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* "arm64: is_compat_task is defined both in asm/compat.h and 
   linux/compat.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for a better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v7 -> v8:
* aligned with the change in "audit: generic compat system call audit
  support" v5 [1/2]
* aligned with the change in "arm64: split syscall_trace() into separate
  functions for enter/exit" v5 [2/2]

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |  2 ++
 arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |  7 +++++++
 include/uapi/linux/audit.h       |  1 +
 4 files changed, 25 insertions(+)

-- 
1.8.3.2


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH_v8 0/2] arm64: Add audit support
@ 2014-03-15  5:49               ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:49 UTC (permalink / raw)
  To: linux-arm-kernel

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* "arm64: is_compat_task is defined both in asm/compat.h and 
   linux/compat.h" patch
* userspace audit tool (v2.3.2 + my patch for arm64)

Please review them as well for a better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v7 -> v8:
* aligned with the change in "audit: generic compat system call audit
  support" v5 [1/2]
* aligned with the change in "arm64: split syscall_trace() into separate
  functions for enter/exit" v5 [2/2]

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |  2 ++
 arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
 arch/arm64/kernel/ptrace.c       |  7 +++++++
 include/uapi/linux/audit.h       |  1 +
 4 files changed, 25 insertions(+)

-- 
1.8.3.2

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH_v8 1/2] arm64: Add audit support
  2014-03-15  5:49               ` AKASHI Takahiro
@ 2014-03-15  5:49                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:49 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |  2 ++
 arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
 include/uapi/linux/audit.h       |  1 +
 3 files changed, 18 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index b1dcdb4..7c1f8c7 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -9,6 +9,7 @@ config ARM64
 	select ARM_AMBA
 	select ARM_ARCH_TIMER
 	select ARM_GIC
+	select AUDIT_ARCH_COMPAT_GENERIC
 	select BUILDTIME_EXTABLE_SORT
 	select CLONE_BACKWARDS
 	select COMMON_CLK
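Review bot: "select AUDIT_ARCH_COMPAT_GENERIC" is unconditional here, although the compat audit tables only matter when 32-bit tasks can run. Please confirm that the generic option it enables is itself gated on COMPAT, or make this "select AUDIT_ARCH_COMPAT_GENERIC if COMPAT", so a kernel built without COMPAT does not pull in compat_audit.c.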
@@ -25,6 +26,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_TRACEHOOK
 	select HAVE_C_RECORDMCOUNT
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..ce3882f 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,7 +16,9 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <uapi/linux/audit.h>
 #include <linux/err.h>
+#include <asm/compat.h>
 
 extern const void *sys_call_table[];
 
@@ -105,4 +107,17 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(struct task_struct *task,
+				   struct pt_regs *regs)
+{
+	if (is_compat_thread(task_thread_info(task)))
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
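
Review bot: the comment above syscall_get_arch() justifies ignoring endianness only for AArch64, but the compat branch returns AUDIT_ARCH_ARM, which the audit.h hunk of this same patch shows as (EM_ARM|__AUDIT_ARCH_LE) next to a separate AUDIT_ARCH_ARMEB. If a big-endian AArch32 task is meant to be reported as AUDIT_ARCH_ARM as well, say so in the comment; otherwise the compat branch needs an endianness check. The regs argument is unused here, so the comment should also say why it is kept.
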
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 624df43..aa86fab 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -333,6 +333,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
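
Review bot: the new AUDIT_ARCH_AARCH64 line depends on EM_AARCH64, and none of the three files in this patch's diffstat defines it, so the changelog should name the header or commit that provides it. Unlike the AUDIT_ARCH_ARM/AUDIT_ARCH_ARMEB pair just below, there is no big-endian value; since this is a uapi header whose values userspace matches on, a one-line comment here stating that AArch64 deliberately has a single value would help.
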
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread
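
The value that syscall_get_arch() in the patch above hands to the audit core is what shows up as the arch= field of SYSCALL records, and a syscall number only has meaning relative to it. The C below is an added example, not part of the patch or of this thread: it decodes that field with the flag bits from the audit.h hunk and checks for openat per syscall table. The EM_* numbers, the openat numbers 56 and 322, the helper names and the sample records are assumptions or constructed here.

```c
/* Added example: decode arch= in audit SYSCALL records (not from the patch). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits and AUDIT_ARCH_* composition as shown in the audit.h hunk. */
#define ARCH_FLAG_64BIT 0x80000000u   /* __AUDIT_ARCH_64BIT */
#define ARCH_FLAG_LE    0x40000000u   /* __AUDIT_ARCH_LE */
/* ELF e_machine numbers (assumption: values from the ELF specification). */
#define EM_ARM_NUM      40u
#define EM_AARCH64_NUM  183u

#define ARCH_AARCH64 (EM_AARCH64_NUM | ARCH_FLAG_64BIT | ARCH_FLAG_LE)
#define ARCH_ARM     (EM_ARM_NUM | ARCH_FLAG_LE)
#define ARCH_ARMEB   (EM_ARM_NUM)

/* openat numbers (assumption: generic table on arm64, EABI table on arm). */
#define NR_OPENAT_ARM64 56u
#define NR_OPENAT_ARM   322u

struct audit_arch {
    uint32_t machine;   /* ELF machine number */
    int is_64bit;
    int is_le;
};

static struct audit_arch decode_audit_arch(uint32_t raw)
{
    struct audit_arch a;

    a.machine = raw & ~(ARCH_FLAG_64BIT | ARCH_FLAG_LE);
    a.is_64bit = (raw & ARCH_FLAG_64BIT) != 0;
    a.is_le = (raw & ARCH_FLAG_LE) != 0;
    return a;
}

/* Parse " key=<number>" from a record. Returns 0 on success, -1 otherwise. */
static int field_u32(const char *rec, const char *key, int base, uint32_t *out)
{
    char needle[32];
    const char *p;
    char *end;
    unsigned long v;

    if (snprintf(needle, sizeof(needle), " %s=", key) >= (int)sizeof(needle))
        return -1;
    p = strstr(rec, needle);
    if (!p)
        return -1;
    p += strlen(needle);
    if (!isxdigit((unsigned char)*p))   /* reject signs, spaces, empty value */
        return -1;
    v = strtoul(p, &end, base);
    if (end == p || (*end != ' ' && *end != '\0') || v > 0xffffffffUL)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* 1 = openat in the task's table, 0 = another syscall, -1 = unparsable/unknown. */
static int record_is_openat(const char *rec)
{
    uint32_t arch, nr;

    if (field_u32(rec, "arch", 16, &arch) || field_u32(rec, "syscall", 10, &nr))
        return -1;
    switch (arch) {
    case ARCH_AARCH64:
        return nr == NR_OPENAT_ARM64;
    case ARCH_ARM:
    case ARCH_ARMEB:
        return nr == NR_OPENAT_ARM;
    default:
        return -1;   /* never guess a table for an unknown arch */
    }
}

/* Constructed sample records, trimmed to the fields used here. */
static const char *const samples[] = {
    "type=SYSCALL msg=audit(1394862540.123:42): arch=c00000b7 syscall=56 success=yes exit=3",
    "type=SYSCALL msg=audit(1394862541.456:43): arch=40000028 syscall=322 success=yes exit=3",
    "type=SYSCALL msg=audit(1394862542.789:44): arch=40000028 syscall=56 success=yes exit=0",
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t raw = 0;
        struct audit_arch a;

        field_u32(samples[i], "arch", 16, &raw);
        a = decode_audit_arch(raw);
        printf("machine=%u %s-bit %s openat=%d\n", (unsigned)a.machine,
               a.is_64bit ? "64" : "32", a.is_le ? "LE" : "BE",
               record_is_openat(samples[i]));
    }
    return 0;
}
```

The third record carries number 56 with the 32-bit arch value, so it is not counted as openat; a rule or parser that ignores arch= would misread it.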

* [PATCH_v8 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-03-15  5:49               ` AKASHI Takahiro
@ 2014-03-15  5:49                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-03-15  5:49 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 3ee76ed..f9e1339 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
@@ -39,6 +40,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1097,11 +1099,16 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_enter(regs, regs->syscallno);
 
+	audit_syscall_entry(syscall_get_arch(current, regs), regs->syscallno,
+		regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
 
 asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
+	audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_exit(regs, regs_return_value(regs));
 
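
Review bot: in syscall_trace_enter() the first syscall argument is taken from regs->orig_x0 while the others come from regs->regs[1] to regs->regs[3], and nothing in the code says why; a short comment is needed so the mix is not "fixed" later. audit_syscall_entry() is also called unconditionally and after the trace hooks, so it records whatever regs->syscallno holds at that point; if logging the post-tracer number is intended, state that in the commit message.
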
-- 
1.8.3.2


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-15  5:39                       ` AKASHI Takahiro
  (?)
@ 2014-03-16 19:46                         ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-03-16 19:46 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: will.deacon, viro, eparis, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 14/03/15, AKASHI Takahiro wrote:
> As done in arm, this change makes it easy to confirm we invoke syscall
> related hooks, including syscall tracepoint, audit and seccomp which would
> be implemented later, in correct order. That is, undoing operations in the
> opposite order on exit that they were done on entry.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Minor variable mis-spelling of "scratch" noted below, but other than
that:

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/arm64/kernel/entry.S  | 10 ++++------
>  arch/arm64/kernel/ptrace.c | 50 +++++++++++++++++++++++++++-------------------
>  2 files changed, 33 insertions(+), 27 deletions(-)
> 
> diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
> index f9f2cae..00d6eb9 100644
> --- a/arch/arm64/kernel/entry.S
> +++ b/arch/arm64/kernel/entry.S
> @@ -649,9 +649,8 @@ ENDPROC(el0_svc)
>  	 * switches, and waiting for our parent to respond.
>  	 */
>  __sys_trace:
> -	mov	x1, sp
> -	mov	w0, #0				// trace entry
> -	bl	syscall_trace
> +	mov	x0, sp
> +	bl	syscall_trace_enter
>  	adr	lr, __sys_trace_return		// return address
>  	uxtw	scno, w0			// syscall number (possibly new)
>  	mov	x1, sp				// pointer to regs
> @@ -666,9 +665,8 @@ __sys_trace:
>  
>  __sys_trace_return:
>  	str	x0, [sp]			// save returned x0
> -	mov	x1, sp
> -	mov	w0, #1				// trace exit
> -	bl	syscall_trace
> +	mov	x0, sp
> +	bl	syscall_trace_exit
>  	b	ret_to_user
>  
>  /*
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 6a8928b..f606276 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
>  	return ptrace_request(child, request, addr, data);
>  }
>  
> -asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
> +enum ptrace_syscall_dir {
> +	PTRACE_SYSCALL_ENTER = 0,
> +	PTRACE_SYSCALL_EXIT,
> +};
> +
> +static void tracehook_report_syscall(struct pt_regs *regs,
> +				     enum ptrace_syscall_dir dir)
>  {
> +	int scrach;

"scratch"

>  	unsigned long saved_reg;
>  
> -	if (!test_thread_flag(TIF_SYSCALL_TRACE))
> -		return regs->syscallno;
> -
> -	if (is_compat_task()) {
> -		/* AArch32 uses ip (r12) for scratch */
> -		saved_reg = regs->regs[12];
> -		regs->regs[12] = dir;
> -	} else {
> -		/*
> -		 * Save X7. X7 is used to denote syscall entry/exit:
> -		 *   X7 = 0 -> entry, = 1 -> exit
> -		 */
> -		saved_reg = regs->regs[7];
> -		regs->regs[7] = dir;
> -	}
> +	/*
> +	 * A scrach register (ip(r12) on AArch32, x7 on AArch64) is
> +	 * used to denote syscall entry/exit:
> +	 */
> +	scrach = (is_compat_task() ? 12 : 7);
> +	saved_reg = regs->regs[scrach];
> +	regs->regs[scrach] = dir;
>  
> -	if (dir)
> +	if (dir == PTRACE_SYSCALL_EXIT)
>  		tracehook_report_syscall_exit(regs, 0);
>  	else if (tracehook_report_syscall_entry(regs))
>  		regs->syscallno = ~0UL;
>  
> -	if (is_compat_task())
> -		regs->regs[12] = saved_reg;
> -	else
> -		regs->regs[7] = saved_reg;
> +	regs->regs[scrach] = saved_reg;
> +}
> +
> +asmlinkage int syscall_trace_enter(struct pt_regs *regs)
> +{
> +	if (test_thread_flag(TIF_SYSCALL_TRACE))
> +		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
>  
>  	return regs->syscallno;
>  }
> +
> +asmlinkage void syscall_trace_exit(struct pt_regs *regs)
> +{
> +	if (test_thread_flag(TIF_SYSCALL_TRACE))
> +		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
> +}
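
Review bot: the new comment in tracehook_report_syscall() stops at "used to denote syscall entry/exit:" and drops the "0 -> entry, 1 -> exit" mapping that the removed comment spelled out. The value written to the scratch register now comes from enum ptrace_syscall_dir, where only PTRACE_SYSCALL_ENTER has an explicit value; give PTRACE_SYSCALL_EXIT an explicit "= 1" and restore the mapping in the comment, since that register value is the entry/exit marker itself.
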
> -- 
> 1.8.3.2

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v5 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
  2014-03-15  5:39                       ` AKASHI Takahiro
  (?)
@ 2014-03-16 19:48                         ` Richard Guy Briggs
  -1 siblings, 0 replies; 297+ messages in thread
From: Richard Guy Briggs @ 2014-03-16 19:48 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: will.deacon, viro, eparis, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 14/03/15, AKASHI Takahiro wrote:
> Some kernel files may include both linux/compat.h and asm/compat.h directly
> or indirectly. Since both header files contain is_compat_task() under
> !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
> Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
> (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
> implemented).
> 
> So this patch proactively
> 1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
> 2) replaces asm/compat.h to linux/compat.h in kernel/*.c,
>    but asm/compat.h is still necessary in ptrace.c and process.c because
>    they use is_compat_thread().
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

Acked-by: Richard Guy Briggs <rgb@redhat.com>

> ---
>  arch/arm64/include/asm/compat.h   | 5 -----
>  arch/arm64/kernel/hw_breakpoint.c | 2 +-
>  arch/arm64/kernel/process.c       | 1 +
>  arch/arm64/kernel/ptrace.c        | 1 +
>  arch/arm64/kernel/signal.c        | 2 +-
>  5 files changed, 4 insertions(+), 7 deletions(-)
> 
> diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
> index fda2704..3b334f9 100644
> --- a/arch/arm64/include/asm/compat.h
> +++ b/arch/arm64/include/asm/compat.h
> @@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
>  
>  #else /* !CONFIG_COMPAT */
>  
> -static inline int is_compat_task(void)
> -{
> -	return 0;
> -}
> -
>  static inline int is_compat_thread(struct thread_info *thread)
>  {
>  	return 0;
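
Review bot: with the !CONFIG_COMPAT stub of is_compat_task() removed from asm/compat.h, any file that calls is_compat_task() and includes only asm/compat.h stops building when CONFIG_COMPAT is off. The patch adds linux/compat.h to four files under arch/arm64/kernel; the changelog should say that the remaining callers were checked, and the is_compat_thread() stub kept here could carry a comment pointing to linux/compat.h for is_compat_task().
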
> diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
> index f17f581..a45e2db 100644
> --- a/arch/arm64/kernel/hw_breakpoint.c
> +++ b/arch/arm64/kernel/hw_breakpoint.c
> @@ -20,6 +20,7 @@
>  
>  #define pr_fmt(fmt) "hw-breakpoint: " fmt
>  
> +#include <linux/compat.h>
>  #include <linux/cpu_pm.h>
>  #include <linux/errno.h>
>  #include <linux/hw_breakpoint.h>
> @@ -27,7 +28,6 @@
>  #include <linux/ptrace.h>
>  #include <linux/smp.h>
>  
> -#include <asm/compat.h>
>  #include <asm/current.h>
>  #include <asm/debug-monitors.h>
>  #include <asm/hw_breakpoint.h>
> diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
> index 1c0a9be..fc8a387 100644
> --- a/arch/arm64/kernel/process.c
> +++ b/arch/arm64/kernel/process.c
> @@ -20,6 +20,7 @@
>  
>  #include <stdarg.h>
>  
> +#include <linux/compat.h>
>  #include <linux/export.h>
>  #include <linux/sched.h>
>  #include <linux/kernel.h>
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index f606276..c47a3ed 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -19,6 +19,7 @@
>   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>   */
>  
> +#include <linux/compat.h>
>  #include <linux/kernel.h>
>  #include <linux/sched.h>
>  #include <linux/mm.h>
> diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
> index 890a591..4a09989 100644
> --- a/arch/arm64/kernel/signal.c
> +++ b/arch/arm64/kernel/signal.c
> @@ -17,6 +17,7 @@
>   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
>   */
>  
> +#include <linux/compat.h>
>  #include <linux/errno.h>
>  #include <linux/signal.h>
>  #include <linux/personality.h>
> @@ -25,7 +26,6 @@
>  #include <linux/tracehook.h>
>  #include <linux/ratelimit.h>
>  
> -#include <asm/compat.h>
>  #include <asm/debug-monitors.h>
>  #include <asm/elf.h>
>  #include <asm/cacheflush.h>
> -- 
> 1.8.3.2
> 

- RGB

--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH_v8 0/2] arm64: Add audit support
  2014-03-15  5:49               ` AKASHI Takahiro
@ 2014-04-11 21:37                 ` Don Dutile
  -1 siblings, 0 replies; 297+ messages in thread
From: Don Dutile @ 2014-04-11 21:37 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, catalin.marinas, will.deacon, linaro-kernel,
	arndb, linux-kernel, dsaxena, linux-audit, linux-arm-kernel

On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
> (Please apply this patch after my ftrace patch to resolve some conflict
> on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
>
> This patchset adds system call audit support on arm64.
> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
> are supported. Since arm64 has the exact same set of system calls
> on LE and BE, we don't care about endianness (or more specifically
> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
>
> There are some prerequisites for this patch to work correctly:
> * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
> * "audit: generic compat system call audit support" patch
> * "arm64: __NR_* definitions for compat syscalls" patch from Catalin
> * "arm64: make a single hook to syscall_trace() for all syscall features" patch
> * "arm64: split syscall_trace() into separate functions for enter/exit" patch
> * "arm64: Add regs_return_value() in syscall.h" patch
> * "arm64: is_compat_task is defined both in asm/compat.h and
>     linux/compat.h" patch
> * userspace audit tool (v2.3.2 + my patch for arm64)
>
and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c
without the patch from [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint;
My question: do you need all 7 patches from arm64: Add ftrace support
as well for this audit patch to work, or just this 7/7 patch?


> Please review them as well for better understandings.
>
> This code was tested on both 32-bit and 64-bit LE userland
> in the following two ways:
> 1) basic operations with auditctl/autrace
>    # auditctl -a exit,always -S openat -F path=/etc/inittab
>    # auditctl -a exit,always -F dir=/tmp -F perm=rw
>    # auditctl -a task,always
>    # autrace /bin/ls
>      by comparing output from autrace with one from strace
>
> 2) audit-test-code (+ my workarounds for arm/arm64)
>    by running "audit-tool", "filter" and "syscalls" test categories.
>
> Changes v7 -> v8:
> * aligned with the change in "audit: generic compat system call audit
>    support" v5 [1/2]
> * aligned with the change in "arm64: split syscall_trace() into separate
>    functions for enter/exit" v5 [2/2]
>
> Changes v6 -> v7:
> * changed an include file in syscall.h from <linux/audit.h> to
>    <uapi/linux/audit.h> [1/2]
> * aligned with the patch, "arm64: split syscall_trace() into separate
>    functions for enter/exit" [2/2]
>
> Changes v5 -> v6:
> * removed and put "arm64: Add regs_return_value() in syscall.h" patch into
>    a separate set
> * aligned with the change in "arm64: make a single hook to syscall_trace()
>    for all syscall features" v3 [1/2]
>
> Changes v4 -> v5:
> * rebased to 3.14-rcX
> * added a guard against TIF_SYSCALL_AUDIT [3/3]
> * aligned with the change in "arm64: make a single hook to syscall_trace()
>    for all syscall features" v2 [3/3]
>
> Changes v3 -> v4:
> * Modified to sync with the patch, "make a single hook to syscall_trace()
>    for all syscall features"
> * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
>
> Changes v2 -> v3:
> * Remove asm/audit.h.
>    See "generic compat syscall audit support" patch v4
> * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>    See Catalin's "Add __NR_* definitions for compat syscalls" patch
>
> Changes v1 -> v2:
> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>    Please note that a required header, unistd_32.h, is automatically
>    generated from unistd32.h.
> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>    system call in audit_syscall_entry() [6/6]
> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>    which was not intentionally included in v1 because it could be added
>    by "kprobes support".
>
> AKASHI Takahiro (2):
>    arm64: Add audit support
>    arm64: audit: Add audit hook in syscall_trace_enter/exit()
>
>   arch/arm64/Kconfig               |  2 ++
>   arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
>   arch/arm64/kernel/ptrace.c       |  7 +++++++
>   include/uapi/linux/audit.h       |  1 +
>   4 files changed, 25 insertions(+)
>


^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH_v8 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-03-15  5:49                 ` AKASHI Takahiro
  (?)
@ 2014-04-16 11:30                   ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-04-16 11:30 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Sat, Mar 15, 2014 at 05:49:08AM +0000, AKASHI Takahiro wrote:
> This patch adds auditing functions on entry to or exit from
> every system call invocation.
> 
> Acked-by: Richard Guy Briggs <rgb@redhat.com>
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

I think I already acked this patch.

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
  2014-03-15  5:39                       ` AKASHI Takahiro
  (?)
@ 2014-04-16 13:27                         ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-04-16 13:27 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

Hi Akashi,

On Sat, Mar 15, 2014 at 05:39:06AM +0000, AKASHI Takahiro wrote:
> As done in arm, this change makes it easy to confirm we invoke syscall
> related hooks, including syscall tracepoint, audit and seccomp which would
> be implemented later, in correct order. That is, undoing operations in the
> opposite order on exit that they were done on entry.
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

[...]

> +static void tracehook_report_syscall(struct pt_regs *regs,
> +				     enum ptrace_syscall_dir dir)
>  {
> +	int scrach;

s/scrach/scratch/

Although, I'd rather have a variable with a more meaningful name. How about
regno?

With that,

  Acked-by: Will Deacon <will.deacon@arm.com>

Cheers,

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v5 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
  2014-03-15  5:39                       ` AKASHI Takahiro
  (?)
@ 2014-04-16 13:29                         ` Will Deacon
  -1 siblings, 0 replies; 297+ messages in thread
From: Will Deacon @ 2014-04-16 13:29 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On Sat, Mar 15, 2014 at 05:39:08AM +0000, AKASHI Takahiro wrote:
> Some kernel files may include both linux/compat.h and asm/compat.h directly
> or indirectly. Since both header files contain is_compat_task() under
> !CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
> Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
> (do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
> implemented).
> 
> So this patch proactively
> 1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
> 2) replaces asm/compat.h to linux/compat.h in kernel/*.c,
>    but asm/compat.h is still necessary in ptrace.c and process.c because
>    they use is_compat_thread().
> 
> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>

  Acked-by: Will Deacon <will.deacon@arm.com>

Will

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH_v8 0/2] arm64: Add audit support
  2014-04-11 21:37                 ` Don Dutile
@ 2014-04-28  9:51                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-28  9:51 UTC (permalink / raw)
  To: Don Dutile
  Cc: viro, eparis, rgb, catalin.marinas, will.deacon, linaro-kernel,
	arndb, linux-kernel, dsaxena, linux-audit, linux-arm-kernel

Hi Don,

Sorry for not responding to you sooner:

On 04/12/2014 06:37 AM, Don Dutile wrote:
> On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
>> (Please apply this patch after my ftrace patch to resolve some conflict
>> on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
>>
>> This patchset adds system call audit support on arm64.
>> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
>> are supported. Since arm64 has the exact same set of system calls
>> on LE and BE, we don't care about endianness (or more specifically
>> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
>>
>> There are some prerequisites for this patch to work correctly:
>> * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
>> * "audit: generic compat system call audit support" patch
>> * "arm64: __NR_* definitions for compat syscalls" patch from Catalin
>> * "arm64: make a single hook to syscall_trace() for all syscall features" patch
>> * "arm64: split syscall_trace() into separate functions for enter/exit" patch
>> * "arm64: Add regs_return_value() in syscall.h" patch
>> * "arm64: is_compat_task is defined both in asm/compat.h and
>>     linux/compat.h" patch
>> * userspace audit tool (v2.3.2 + my patch for arm64)
>>
> and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c
> without the patch from  [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint;
> My question: do you need all 7 patches from arm64: Add ftrace support
> as well for this audit patch to work, or just this 7/7 patch ?

Functionally, my audit patch should work without the ftrace patchset, but as described
in ftrace's [0/7] and audit's [0/2], audit's [2/2] assumes that the ftrace patchset, especially
[7/7], has been applied in order to avoid any conflict when making changes on the same
line of ptrace.c.

Thanks,
-Takahiro AKASHI

>
>> Please review them as well for better understandings.
>>
>> This code was tested on both 32-bit and 64-bit LE userland
>> in the following two ways:
>> 1) basic operations with auditctl/autrace
>>    # auditctl -a exit,always -S openat -F path=/etc/inittab
>>    # auditctl -a exit,always -F dir=/tmp -F perm=rw
>>    # auditctl -a task,always
>>    # autrace /bin/ls
>>      by comparing output from autrace with one from strace
>>
>> 2) audit-test-code (+ my workarounds for arm/arm64)
>>    by running "audit-tool", "filter" and "syscalls" test categories.
>>
>> Changes v7 -> v8:
>> * aligned with the change in "audit: generic compat system call audit
>>    support" v5 [1/2]
>> * aligned with the change in "arm64: split syscall_trace() into separate
>>    functions for enter/exit" v5 [2/2]
>>
>> Changes v6 -> v7:
>> * changed an include file in syscall.h from <linux/audit.h> to
>>    <uapi/linux/audit.h> [1/2]
>> * aligned with the patch, "arm64: split syscall_trace() into separate
>>    functions for enter/exit" [2/2]
>>
>> Changes v5 -> v6:
>> * removed and put "arm64: Add regs_return_value() in syscall.h" patch into
>>    a separate set
>> * aligned with the change in "arm64: make a single hook to syscall_trace()
>>    for all syscall features" v3 [1/2]
>>
>> Changes v4 -> v5:
>> * rebased to 3.14-rcX
>> * added a guard against TIF_SYSCALL_AUDIT [3/3]
>> * aligned with the change in "arm64: make a single hook to syscall_trace()
>>    for all syscall features" v2 [3/3]
>>
>> Changes v3 -> v4:
>> * Modified to sync with the patch, "make a single hook to syscall_trace()
>>    for all syscall features"
>> * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
>>
>> Changes v2 -> v3:
>> * Remove asm/audit.h.
>>    See "generic compat syscall audit support" patch v4
>> * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
>> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>>    See Catalin's "Add __NR_* definitions for compat syscalls" patch
>>
>> Changes v1 -> v2:
>> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>>    Please note that a required header, unistd_32.h, is automatically
>>    generated from unistd32.h.
>> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>>    system call in audit_syscall_entry() [6/6]
>> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>>    which was not intentionally included in v1 because it could be added
>>    by "kprobes support".
>>
>> AKASHI Takahiro (2):
>>    arm64: Add audit support
>>    arm64: audit: Add audit hook in syscall_trace_enter/exit()
>>
>>   arch/arm64/Kconfig               |  2 ++
>>   arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
>>   arch/arm64/kernel/ptrace.c       |  7 +++++++
>>   include/uapi/linux/audit.h       |  1 +
>>   4 files changed, 25 insertions(+)
>>
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH_v8 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-04-16 11:30                   ` Will Deacon
  (?)
@ 2014-04-28  9:55                     ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-28  9:55 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 04/16/2014 08:30 PM, Will Deacon wrote:
> On Sat, Mar 15, 2014 at 05:49:08AM +0000, AKASHI Takahiro wrote:
>> This patch adds auditing functions on entry to or exit from
>> every system call invocation.
>>
>> Acked-by: Richard Guy Briggs <rgb@redhat.com>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>
> I think I already acked this patch.

Oh, yeah? Thanks.
-Takahiro AKASHI

> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH v5 2/4] arm64: split syscall_trace() into separate functions for enter/exit
  2014-04-16 13:27                         ` Will Deacon
  (?)
@ 2014-04-28  9:58                           ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-28  9:58 UTC (permalink / raw)
  To: Will Deacon
  Cc: viro, eparis, rgb, Catalin Marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit

On 04/16/2014 10:27 PM, Will Deacon wrote:
> Hi Akashi,
>
> On Sat, Mar 15, 2014 at 05:39:06AM +0000, AKASHI Takahiro wrote:
>> As done in arm, this change makes it easy to confirm we invoke syscall
>> related hooks, including syscall tracepoint, audit and seccomp which would
>> be implemented later, in correct order. That is, undoing operations in the
>> opposite order on exit that they were done on entry.
>>
>> Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
>
> [...]
>
>> +static void tracehook_report_syscall(struct pt_regs *regs,
>> +				     enum ptrace_syscall_dir dir)
>>   {
>> +	int scrach;
>
> s/scrach/scratch/

I will fix it.

> Although, I'd rather have a variable with a more meaningful name. How about
> regno?

OK, I will use regno in the next revision, which I will submit soon.

> With that,
>
>    Acked-by: Will Deacon <will.deacon@arm.com>

Thank you so much,
-Takahiro AKASHI

> Cheers,
>
> Will
>

^ permalink raw reply	[flat|nested] 297+ messages in thread

* Re: [PATCH_v8 0/2] arm64: Add audit support
  2014-04-28  9:51                   ` AKASHI Takahiro
@ 2014-04-28 22:25                     ` Don Dutile
  -1 siblings, 0 replies; 297+ messages in thread
From: Don Dutile @ 2014-04-28 22:25 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: viro, eparis, rgb, catalin.marinas, will.deacon, linaro-kernel,
	arndb, linux-kernel, dsaxena, linux-audit, linux-arm-kernel

On 04/28/2014 05:51 AM, AKASHI Takahiro wrote:
> Hi Don,
>
> Sorry for not responding to you soon:
>
been there, done that! .. no problem..

> On 04/12/2014 06:37 AM, Don Dutile wrote:
>> On 03/15/2014 01:49 AM, AKASHI Takahiro wrote:
>>> (Please apply this patch after my ftrace patch to resolve some conflict
>>> on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)
>>>
>>> This patchset adds system call audit support on arm64.
>>> Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
>>> are supported. Since arm64 has the exact same set of system calls
>>> on LE and BE, we don't care about endianness (or more specifically
>>> __AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).
>>>
>>> There are some prerequisites for this patch to work correctly:
>>> * "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
>>> * "audit: generic compat system call audit support" patch
>>> * "arm64: __NR_* definitions for compat syscalls" patch from Catalin
>>> * "arm64: make a single hook to syscall_trace() for all syscall features" patch
>>> * "arm64: split syscall_trace() into separate functions for enter/exit" patch
>>> * "arm64: Add regs_return_value() in syscall.h" patch
>>> * "arm64: is_compat_task is defined both in asm/compat.h and
>>>     linux/compat.h" patch
>>> * userspace audit tool (v2.3.2 + my patch for arm64)
>>>
>> and the 2/2 patch won't apply to arch/arm64/kernel/ptrace.c
>> without the patch from  [PATCH v7 7/7] arm64: ftrace: Add system call tracepoint;
>> My question: do you need all 7 patches from arm64: Add ftrace support
>> as well for this audit patch to work, or just this 7/7 patch ?
>
> Functionally, my audit patch should work without ftrace patchset, but as described
> in ftrace's [0/7] and audit's [0/2], audit's [2/2] assumes that ftrace patchset, especially
> [7/7], has been applied in order to avoid any conflict when making changes on the same
> line of ptrace.c.
>
> Thanks,
> -Takahiro AKASHI
>
just a nit for others to see/know if they were having the same fun of
backporting these patches to work on an existing kernel w/o ftrace patch set.

>>
>>> Please review them as well for better understandings.
>>>
>>> This code was tested on both 32-bit and 64-bit LE userland
>>> in the following two ways:
>>> 1) basic operations with auditctl/autrace
>>>    # auditctl -a exit,always -S openat -F path=/etc/inittab
>>>    # auditctl -a exit,always -F dir=/tmp -F perm=rw
>>>    # auditctl -a task,always
>>>    # autrace /bin/ls
>>>      by comparing output from autrace with one from strace
>>>
>>> 2) audit-test-code (+ my workarounds for arm/arm64)
>>>    by running "audit-tool", "filter" and "syscalls" test categories.
>>>
>>> Changes v7 -> v8:
>>> * aligned with the change in "audit: generic compat system call audit
>>>    support" v5 [1/2]
>>> * aligned with the change in "arm64: split syscall_trace() into separate
>>>    functions for enter/exit" v5 [2/2]
>>>
>>> Changes v6 -> v7:
>>> * changed an include file in syscall.h from <linux/audit.h> to
>>>    <uapi/linux/audit.h> [1/2]
>>> * aligned with the patch, "arm64: split syscall_trace() into separate
>>>    functions for enter/exit" [2/2]
>>>
>>> Changes v5 -> v6:
>>> * removed and put "arm64: Add regs_return_value() in syscall.h" patch into
>>>    a separate set
>>> * aligned with the change in "arm64: make a single hook to syscall_trace()
>>>    for all syscall features" v3 [1/2]
>>>
>>> Changes v4 -> v5:
>>> * rebased to 3.14-rcX
>>> * added a guard against TIF_SYSCALL_AUDIT [3/3]
>>> * aligned with the change in "arm64: make a single hook to syscall_trace()
>>>    for all syscall features" v2 [3/3]
>>>
>>> Changes v3 -> v4:
>>> * Modified to sync with the patch, "make a single hook to syscall_trace()
>>>    for all syscall features"
>>> * aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
>>>
>>> Changes v2 -> v3:
>>> * Remove asm/audit.h.
>>>    See "generic compat syscall audit support" patch v4
>>> * Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
>>> * Remove kernel/syscalls/Makefile which was used to create unistd32.h.
>>>    See Catalin's "Add __NR_* definitions for compat syscalls" patch
>>>
>>> Changes v1 -> v2:
>>> * Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
>>>    Please note that a required header, unistd_32.h, is automatically
>>>    generated from unistd32.h.
>>> * Refer to regs->orig_x0 instead of regs->x0 as the first argument of
>>>    system call in audit_syscall_entry() [6/6]
>>> * Include "Add regs_return_value() in syscall.h" patch [2/6],
>>>    which was not intentionally included in v1 because it could be added
>>>    by "kprobes support".
>>>
>>> AKASHI Takahiro (2):
>>>    arm64: Add audit support
>>>    arm64: audit: Add audit hook in syscall_trace_enter/exit()
>>>
>>>   arch/arm64/Kconfig               |  2 ++
>>>   arch/arm64/include/asm/syscall.h | 15 +++++++++++++++
>>>   arch/arm64/kernel/ptrace.c       |  7 +++++++
>>>   include/uapi/linux/audit.h       |  1 +
>>>   4 files changed, 25 insertions(+)
>>>
>>


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v6 0/4] arm64: prerequisites for audit and ftrace
  2014-03-15  5:39                     ` AKASHI Takahiro
@ 2014-04-30  9:51                       ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

(This patchset was already acked by the maintainer along with a minor typo
fix. See below.)

This patchset contains some patches commonly applied for audit and ftrace.

Patch [1/4] defines syscall trace related TIF_* flags in order to add hooks,
including ftrace, audit and seccomp, later on.  Those features will be
implemented in separate patchsets, but it's safe to check for all TIF_*
now because they can not be turned on anyway.

Patch [2/4] doesn't change any behavior but makes it easy and manageable to
confirm we invoke those hooks in the correct order by splitting syscall_trace().

Patch [3/4] adds a commonly used function, which returns the return value of
a system call.

Patch [4/4] removes is_compat_task from asm/compat.h to avoid conflicting
definitions.

Changes v5 -> v6:
* renamed a temporary variable to a more meaningful name [2/4]

Changes v4 -> v5:
* added the following patch from my seccomp patch since it is required for
  audit and ftrace in case of !COMPAT, too. [4/4]
  "arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h"

Changes v3 -> v4:
* added "arm64: split syscall_trace() into separate functions for enter/
  exit", which is just a preparation for adding syscall trace hooks later.

Changes v2 -> v3:
* reverted a change in syscall_trace() in v1 [1/2]
* added "arm64: Add regs_return_value() in syscall.h" patch which was
  previously included in audit patch [2/2]

Changes v1 -> v2:
* added a guard against TIF_SYSCALL_TRACE at tracehook_report_syscall_*()
* renamed _TIF_WORK_SYSCALL to _TIF_SYSCALL_WORK

AKASHI Takahiro (4):
  arm64: make a single hook to syscall_trace() for all syscall features
  arm64: split syscall_trace() into separate functions for enter/exit
  arm64: Add regs_return_value() in syscall.h
  arm64: is_compat_task is defined both in asm/compat.h and
    linux/compat.h

 arch/arm64/include/asm/compat.h      |    5 ----
 arch/arm64/include/asm/ptrace.h      |    5 ++++
 arch/arm64/include/asm/thread_info.h |   13 +++++++++
 arch/arm64/kernel/entry.S            |   15 +++++-----
 arch/arm64/kernel/hw_breakpoint.c    |    2 +-
 arch/arm64/kernel/process.c          |    1 +
 arch/arm64/kernel/ptrace.c           |   51 ++++++++++++++++++++--------------
 arch/arm64/kernel/signal.c           |    2 +-
 8 files changed, 58 insertions(+), 36 deletions(-)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v6 1/4] arm64: make a single hook to syscall_trace() for all syscall features
  2014-04-30  9:51                       ` AKASHI Takahiro
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Currently syscall_trace() is called only for ptrace.
With additional TIF_xx flags defined, it is now called in all the cases
of audit, ftrace and seccomp in addition to ptrace.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/thread_info.h |   13 +++++++++++++
 arch/arm64/kernel/entry.S            |    5 +++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/include/asm/thread_info.h b/arch/arm64/include/asm/thread_info.h
index 720e70b..0a8b2a9 100644
--- a/arch/arm64/include/asm/thread_info.h
+++ b/arch/arm64/include/asm/thread_info.h
@@ -91,6 +91,9 @@ static inline struct thread_info *current_thread_info(void)
 /*
  * thread information flags:
  *  TIF_SYSCALL_TRACE	- syscall trace active
+ *  TIF_SYSCALL_TRACEPOINT - syscall tracepoint for ftrace
+ *  TIF_SYSCALL_AUDIT	- syscall auditing
+ *  TIF_SECOMP		- syscall secure computing
  *  TIF_SIGPENDING	- signal pending
  *  TIF_NEED_RESCHED	- rescheduling necessary
  *  TIF_NOTIFY_RESUME	- callback before returning to user
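Review bot: the added comment line reads "TIF_SECOMP", but the flag this patch defines in the next hunk is TIF_SECCOMP; fix the spelling so that a search for the flag name finds its description. The three new comment entries are also listed as TRACEPOINT, AUDIT, SECCOMP while the bit numbers assigned below run AUDIT 9, TRACEPOINT 10, SECCOMP 11; listing them in numeric order would make the comment easier to check against the defines.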
@@ -101,6 +104,9 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_NEED_RESCHED	1
 #define TIF_NOTIFY_RESUME	2	/* callback before returning to user */
 #define TIF_SYSCALL_TRACE	8
+#define TIF_SYSCALL_AUDIT	9
+#define TIF_SYSCALL_TRACEPOINT	10
+#define TIF_SECCOMP		11
 #define TIF_POLLING_NRFLAG	16
 #define TIF_MEMDIE		18	/* is terminating due to OOM killer */
 #define TIF_FREEZE		19
@@ -112,10 +118,17 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1 << TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1 << TIF_NEED_RESCHED)
 #define _TIF_NOTIFY_RESUME	(1 << TIF_NOTIFY_RESUME)
+#define _TIF_SYSCALL_TRACE	(1 << TIF_SYSCALL_TRACE)
+#define _TIF_SYSCALL_AUDIT	(1 << TIF_SYSCALL_AUDIT)
+#define _TIF_SYSCALL_TRACEPOINT	(1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SECCOMP		(1 << TIF_SECCOMP)
 #define _TIF_32BIT		(1 << TIF_32BIT)
 
 #define _TIF_WORK_MASK		(_TIF_NEED_RESCHED | _TIF_SIGPENDING | \
 				 _TIF_NOTIFY_RESUME)
 
+#define _TIF_SYSCALL_WORK	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
+				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+
 #endif /* __KERNEL__ */
 #endif /* __ASM_THREAD_INFO_H */
diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index 39ac630..f9f2cae 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -631,8 +631,9 @@ el0_svc_naked:					// compat entry point
 	enable_irq
 
 	get_thread_info tsk
-	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall tracing
-	tbnz	x16, #TIF_SYSCALL_TRACE, __sys_trace // are we tracing syscalls?
+	ldr	x16, [tsk, #TI_FLAGS]		// check for syscall hooks
+	tst	x16, #_TIF_SYSCALL_WORK
+	b.ne	__sys_trace
 	adr	lr, ret_fast_syscall		// return address
 	cmp     scno, sc_nr                     // check upper syscall limit
 	b.hs	ni_sys
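Review bot: "tst x16, #_TIF_SYSCALL_WORK" passes the mask as a logical immediate, which is encodable here because the four flags occupy contiguous bits 8 to 11, but nothing in thread_info.h records that constraint. Suggest a comment next to the _TIF_SYSCALL_WORK definition saying it is used as an immediate in entry.S, so that a flag added later at a non-adjacent bit is questioned in review instead of surfacing as an assembler error.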
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 2/4] arm64: split syscall_trace() into separate functions for enter/exit
  2014-04-30  9:51                       ` AKASHI Takahiro
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  |   10 ++++-----
 arch/arm64/kernel/ptrace.c |   50 +++++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..6d666dc 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+	PTRACE_SYSCALL_ENTER = 0,
+	PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+				     enum ptrace_syscall_dir dir)
 {
+	int regno;
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	/*
+	 * A scratch register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 */
+	regno = (is_compat_task() ? 12 : 7);
+	saved_reg = regs->regs[regno];
+	regs->regs[regno] = dir;
 
-	if (dir)
+	if (dir == PTRACE_SYSCALL_EXIT)
 		tracehook_report_syscall_exit(regs, 0);
 	else if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	regs->regs[regno] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
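Review bot: in tracehook_report_syscall(), the new comment above `regno = (is_compat_task() ? 12 : 7);` ends in a colon but no longer lists the values, so the `0 -> entry, 1 -> exit` mapping that the removed comment documented is lost. Since `dir` is written directly into the scratch register that denotes entry/exit, please restore the mapping in the comment and give PTRACE_SYSCALL_EXIT an explicit `= 1` so the value does not depend on enumerator order. Separately, syscall_trace_enter() returns int while the abort path stores `~0UL` in regs->syscallno; a short comment on the intended truncation would help whoever reads the entry.S caller.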
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 2/4] arm64: split syscall_trace() into separate functions for enter/exit
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: linux-arm-kernel

As done in arm, this change makes it easy to confirm we invoke syscall
related hooks, including syscall tracepoint, audit and seccomp which would
be implemented later, in correct order. That is, undoing operations in the
opposite order on exit that they were done on entry.

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/entry.S  |   10 ++++-----
 arch/arm64/kernel/ptrace.c |   50 +++++++++++++++++++++++++-------------------
 2 files changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/arm64/kernel/entry.S b/arch/arm64/kernel/entry.S
index f9f2cae..00d6eb9 100644
--- a/arch/arm64/kernel/entry.S
+++ b/arch/arm64/kernel/entry.S
@@ -649,9 +649,8 @@ ENDPROC(el0_svc)
 	 * switches, and waiting for our parent to respond.
 	 */
 __sys_trace:
-	mov	x1, sp
-	mov	w0, #0				// trace entry
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_enter
 	adr	lr, __sys_trace_return		// return address
 	uxtw	scno, w0			// syscall number (possibly new)
 	mov	x1, sp				// pointer to regs
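Review bot: style point on the added lines in __sys_trace: the removed `mov w0, #0` carried a `// trace entry` comment, while the new `mov x0, sp` has none even though the neighbouring `mov x1, sp` is annotated `// pointer to regs`. Please comment the new move the same way, since regs is now the only argument to syscall_trace_enter, and do the same for the matching move in __sys_trace_return.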
@@ -666,9 +665,8 @@ __sys_trace:
 
 __sys_trace_return:
 	str	x0, [sp]			// save returned x0
-	mov	x1, sp
-	mov	w0, #1				// trace exit
-	bl	syscall_trace
+	mov	x0, sp
+	bl	syscall_trace_exit
 	b	ret_to_user
 
 /*
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6a8928b..6d666dc 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1058,35 +1058,43 @@ long arch_ptrace(struct task_struct *child, long request,
 	return ptrace_request(child, request, addr, data);
 }
 
-asmlinkage int syscall_trace(int dir, struct pt_regs *regs)
+enum ptrace_syscall_dir {
+	PTRACE_SYSCALL_ENTER = 0,
+	PTRACE_SYSCALL_EXIT,
+};
+
+static void tracehook_report_syscall(struct pt_regs *regs,
+				     enum ptrace_syscall_dir dir)
 {
+	int regno;
 	unsigned long saved_reg;
 
-	if (!test_thread_flag(TIF_SYSCALL_TRACE))
-		return regs->syscallno;
-
-	if (is_compat_task()) {
-		/* AArch32 uses ip (r12) for scratch */
-		saved_reg = regs->regs[12];
-		regs->regs[12] = dir;
-	} else {
-		/*
-		 * Save X7. X7 is used to denote syscall entry/exit:
-		 *   X7 = 0 -> entry, = 1 -> exit
-		 */
-		saved_reg = regs->regs[7];
-		regs->regs[7] = dir;
-	}
+	/*
+	 * A scratch register (ip(r12) on AArch32, x7 on AArch64) is
+	 * used to denote syscall entry/exit:
+	 */
+	regno = (is_compat_task() ? 12 : 7);
+	saved_reg = regs->regs[regno];
+	regs->regs[regno] = dir;
 
-	if (dir)
+	if (dir == PTRACE_SYSCALL_EXIT)
 		tracehook_report_syscall_exit(regs, 0);
 	else if (tracehook_report_syscall_entry(regs))
 		regs->syscallno = ~0UL;
 
-	if (is_compat_task())
-		regs->regs[12] = saved_reg;
-	else
-		regs->regs[7] = saved_reg;
+	regs->regs[regno] = saved_reg;
+}
+
+asmlinkage int syscall_trace_enter(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
 
 	return regs->syscallno;
 }
+
+asmlinkage void syscall_trace_exit(struct pt_regs *regs)
+{
+	if (test_thread_flag(TIF_SYSCALL_TRACE))
+		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
+}
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 3/4] arm64: Add regs_return_value() in syscall.h
  2014-04-30  9:51                       ` AKASHI Takahiro
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index c7ba261..a429b59 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -135,6 +135,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	(!compat_user_mode(regs)) ? ((regs)->sp) : ((regs)->compat_sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
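Review bot: the subject line and commit message do not match this hunk: the subject says syscall.h and the message calls regs_return_value a macro, but the change adds a static inline function to arch/arm64/include/asm/ptrace.h. Please correct the subject before this is applied, and consider taking `const struct pt_regs *regs`, since the helper only reads regs->regs[0]. A one-line comment saying that register 0 holds the syscall result for both native and compat tasks would document why a single index is enough.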
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 3/4] arm64: Add regs_return_value() in syscall.h
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: linux-arm-kernel

This macro, regs_return_value, is used mainly for audit to record system
call's results, but may also be used in test_kprobes.c.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/ptrace.h |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/arm64/include/asm/ptrace.h b/arch/arm64/include/asm/ptrace.h
index c7ba261..a429b59 100644
--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -135,6 +135,11 @@ struct pt_regs {
 #define user_stack_pointer(regs) \
 	(!compat_user_mode(regs)) ? ((regs)->sp) : ((regs)->compat_sp)
 
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+	return regs->regs[0];
+}
+
 /*
  * Are the current registers suitable for user mode? (used to maintain
  * security in signal handlers)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
  2014-04-30  9:51                       ` AKASHI Takahiro
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: will.deacon
  Cc: viro, eparis, rgb, catalin.marinas, dsaxena, arndb,
	linux-arm-kernel, linaro-kernel, linux-kernel, linux-audit,
	AKASHI Takahiro

Some kernel files may include both linux/compat.h and asm/compat.h directly
or indirectly. Since both header files contain is_compat_task() under
!CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
(do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
implemented).

So this patch proactively
1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
2) replaces asm/compat.h with linux/compat.h in kernel/*.c,
   but asm/compat.h is still necessary in ptrace.c and process.c because
   they use is_compat_thread().

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/compat.h   |    5 -----
 arch/arm64/kernel/hw_breakpoint.c |    2 +-
 arch/arm64/kernel/process.c       |    1 +
 arch/arm64/kernel/ptrace.c        |    1 +
 arch/arm64/kernel/signal.c        |    2 +-
 5 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
index e71f81f..253e33b 100644
--- a/arch/arm64/include/asm/compat.h
+++ b/arch/arm64/include/asm/compat.h
@@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
 
 #else /* !CONFIG_COMPAT */
 
-static inline int is_compat_task(void)
-{
-	return 0;
-}
-
 static inline int is_compat_thread(struct thread_info *thread)
 {
 	return 0;
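Review bot: removing the !CONFIG_COMPAT stub of is_compat_task() from asm/compat.h means every arm64 file that calls it must now reach linux/compat.h. The later hunks convert hw_breakpoint.c, process.c, ptrace.c and signal.c, but nothing in the patch shows these are the only callers; please confirm with a !CONFIG_COMPAT build plus a grep over arch/arm64 and record that in the commit message. Note also that is_compat_thread() keeps its stub here, so the two helpers now live in different headers, which deserves a comment at this `#else`.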
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index bee7897..df1cf15 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
 
 #define pr_fmt(fmt) "hw-breakpoint: " fmt
 
+#include <linux/compat.h>
 #include <linux/cpu_pm.h>
 #include <linux/errno.h>
 #include <linux/hw_breakpoint.h>
@@ -27,7 +28,6 @@
 #include <linux/ptrace.h>
 #include <linux/smp.h>
 
-#include <asm/compat.h>
 #include <asm/current.h>
 #include <asm/debug-monitors.h>
 #include <asm/hw_breakpoint.h>
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 6391485..ccc2a3e 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -20,6 +20,7 @@
 
 #include <stdarg.h>
 
+#include <linux/compat.h>
 #include <linux/export.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6d666dc..4b58e81 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 890a591..4a09989 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -17,6 +17,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/errno.h>
 #include <linux/signal.h>
 #include <linux/personality.h>
@@ -25,7 +26,6 @@
 #include <linux/tracehook.h>
 #include <linux/ratelimit.h>
 
-#include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v6 4/4] arm64: is_compat_task is defined both in asm/compat.h and linux/compat.h
@ 2014-04-30  9:51                         ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:51 UTC (permalink / raw)
  To: linux-arm-kernel

Some kernel files may include both linux/compat.h and asm/compat.h directly
or indirectly. Since both header files contain is_compat_task() under
!CONFIG_COMPAT, compiling them with !CONFIG_COMPAT will eventually fail.
Such files include kernel/auditsc.c, kernel/seccomp.c and init/do_mountfs.c
(do_mountfs.c may read asm/compat.h via asm/ftrace.h once ftrace is
implemented).

So this patch proactively
1) removes is_compat_task() under !CONFIG_COMPAT from asm/compat.h
2) replaces asm/compat.h with linux/compat.h in kernel/*.c,
   but asm/compat.h is still necessary in ptrace.c and process.c because
   they use is_compat_thread().

Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/include/asm/compat.h   |    5 -----
 arch/arm64/kernel/hw_breakpoint.c |    2 +-
 arch/arm64/kernel/process.c       |    1 +
 arch/arm64/kernel/ptrace.c        |    1 +
 arch/arm64/kernel/signal.c        |    2 +-
 5 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h
index e71f81f..253e33b 100644
--- a/arch/arm64/include/asm/compat.h
+++ b/arch/arm64/include/asm/compat.h
@@ -305,11 +305,6 @@ static inline int is_compat_thread(struct thread_info *thread)
 
 #else /* !CONFIG_COMPAT */
 
-static inline int is_compat_task(void)
-{
-	return 0;
-}
-
 static inline int is_compat_thread(struct thread_info *thread)
 {
 	return 0;
diff --git a/arch/arm64/kernel/hw_breakpoint.c b/arch/arm64/kernel/hw_breakpoint.c
index bee7897..df1cf15 100644
--- a/arch/arm64/kernel/hw_breakpoint.c
+++ b/arch/arm64/kernel/hw_breakpoint.c
@@ -20,6 +20,7 @@
 
 #define pr_fmt(fmt) "hw-breakpoint: " fmt
 
+#include <linux/compat.h>
 #include <linux/cpu_pm.h>
 #include <linux/errno.h>
 #include <linux/hw_breakpoint.h>
@@ -27,7 +28,6 @@
 #include <linux/ptrace.h>
 #include <linux/smp.h>
 
-#include <asm/compat.h>
 #include <asm/current.h>
 #include <asm/debug-monitors.h>
 #include <asm/hw_breakpoint.h>
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index 6391485..ccc2a3e 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -20,6 +20,7 @@
 
 #include <stdarg.h>
 
+#include <linux/compat.h>
 #include <linux/export.h>
 #include <linux/sched.h>
 #include <linux/kernel.h>
diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 6d666dc..4b58e81 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/mm.h>
diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c
index 890a591..4a09989 100644
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -17,6 +17,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/compat.h>
 #include <linux/errno.h>
 #include <linux/signal.h>
 #include <linux/personality.h>
@@ -25,7 +26,6 @@
 #include <linux/tracehook.h>
 #include <linux/ratelimit.h>
 
-#include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/elf.h>
 #include <asm/cacheflush.h>
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v9 0/2] arm64: Add audit support
  2014-03-15  5:49               ` AKASHI Takahiro
@ 2014-04-30  9:57                 ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

(This patchset was already acked by the maintainer, but now re-submitted
since it needs to be modified due to rebase to 3.15. See below)

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* "arm64: is_compat_task is defined both in asm/compat.h and 
   linux/compat.h" patch
* userspace audit tool (v2.3.6)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v8 -> v9:
* rebased on 3.15-rc, especially due to the change of syscall_get_arch()
  interface [1,2/2]

Changes v7 -> v8:
* aligned with the change in "audit: generic compat system call audit
  support" v5 [1/2]
* aligned with the change in "arm64: split syscall_trace() into separate
  functions for enter/exit" v5 [2/2]

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |    2 ++
 arch/arm64/include/asm/syscall.h |   14 ++++++++++++++
 arch/arm64/kernel/ptrace.c       |    7 +++++++
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 24 insertions(+)

-- 
1.7.9.5


^ permalink raw reply	[flat|nested] 297+ messages in thread
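Added example (not part of the patch set or of the audit userspace tools): the cover letter above says compat tasks are reported as AUDIT_ARCH_ARM and native tasks as AUDIT_ARCH_AARCH64, and this C program shows why a log consumer has to key on arch= before interpreting syscall=, using the openat call from the test commands. The record lines are constructed, and the ELF machine numbers and openat syscall numbers are taken from the kernel's public headers rather than from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag bits as quoted in the include/uapi/linux/audit.h hunk of this thread. */
#define ARCH_64BIT 0x80000000u	/* __AUDIT_ARCH_64BIT */
#define ARCH_LE    0x40000000u	/* __AUDIT_ARCH_LE */
/* Assumptions taken from kernel headers, not from this page. */
#define EM_ARM_NR      40u	/* EM_ARM */
#define EM_AARCH64_NR  183u	/* EM_AARCH64 */
#define NR_OPENAT_A64  56	/* __NR_openat in the AArch64 table */
#define NR_OPENAT_A32  322	/* __NR_openat in the AArch32 (compat) table */

enum task_abi { ABI_UNKNOWN = 0, ABI_AARCH32, ABI_AARCH64 };

struct syscall_rec {
	uint32_t arch;
	long nr;
	enum task_abi abi;
};

/* Map an arch= value to the syscall table it selects. The LE bit is masked
 * out, mirroring the patch: the table is the same for either endianness. */
enum task_abi classify_arch(uint32_t arch)
{
	uint32_t machine = arch & ~(ARCH_64BIT | ARCH_LE);
	int is64 = (arch & ARCH_64BIT) != 0;

	if (machine == EM_AARCH64_NR && is64)
		return ABI_AARCH64;
	if (machine == EM_ARM_NR && !is64)
		return ABI_AARCH32;
	return ABI_UNKNOWN;
}

/* Return a pointer to the value of "key=" when key starts a field. */
static const char *field(const char *line, const char *key)
{
	size_t klen = strlen(key);
	const char *p = line;

	while ((p = strstr(p, key)) != NULL) {
		if ((p == line || p[-1] == ' ') && p[klen] == '=')
			return p + klen + 1;
		p += klen;
	}
	return NULL;
}

/* Parse one SYSCALL record; returns 0 on success, -1 if it is not one. */
int parse_syscall_record(const char *line, struct syscall_rec *out)
{
	const char *a, *s;
	char *end;
	unsigned long arch;

	if (strncmp(line, "type=SYSCALL ", 13) != 0)
		return -1;
	a = field(line, "arch");
	s = field(line, "syscall");
	if (!a || !s)
		return -1;
	arch = strtoul(a, &end, 16);	/* arch= is logged in hex */
	if (end == a || arch > 0xffffffffUL)
		return -1;
	out->nr = strtol(s, &end, 10);	/* syscall= is logged in decimal */
	if (end == s)
		return -1;
	out->arch = (uint32_t)arch;
	out->abi = classify_arch(out->arch);
	return 0;
}

/* Decide "is this openat?" per syscall table instead of by bare number. */
int record_is_openat(const struct syscall_rec *r)
{
	switch (r->abi) {
	case ABI_AARCH64: return r->nr == NR_OPENAT_A64;
	case ABI_AARCH32: return r->nr == NR_OPENAT_A32;
	default:          return 0;
	}
}

/* Constructed sample records (not captured from a real system). */
static const char *samples[] = {
	"type=SYSCALL msg=audit(1398851820.101:42): arch=c00000b7 syscall=56 success=yes exit=3 comm=\"cat\"",
	"type=SYSCALL msg=audit(1398851820.202:43): arch=40000028 syscall=322 success=yes exit=3 comm=\"cat32\"",
	"type=SYSCALL msg=audit(1398851820.303:44): arch=40000028 syscall=56 success=no exit=-38 comm=\"probe32\"",
};

int main(void)
{
	static const char *names[] = { "unknown", "AArch32 compat", "AArch64" };
	struct syscall_rec r;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (parse_syscall_record(samples[i], &r) != 0)
			continue;
		printf("arch=%08x (%s) syscall=%ld openat=%s\n", (unsigned)r.arch,
		       names[r.abi], r.nr, record_is_openat(&r) ? "yes" : "no");
	}
	return 0;
}
```

The third sample carries the AArch64 openat number under the 32-bit arch value, which a consumer that ignored arch= would misreport as openat.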

* [PATCH v9 0/2] arm64: Add audit support
@ 2014-04-30  9:57                 ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: linux-arm-kernel

(This patchset was already acked by the maintainer, but now re-submitted
since it needs to be modified due to rebase to 3.15. See below)

(Please apply this patch after my ftrace patch to resolve some conflict
on arm64/kernel/ptrace.c, functionally it doesn't depend on ftrace though)

This patchset adds system call audit support on arm64.
Both 32-bit (AUDIT_ARCH_ARM) and 64-bit tasks (AUDIT_ARCH_AARCH64)
are supported. Since arm64 has the exact same set of system calls
on LE and BE, we don't care about endianness (or more specifically
__AUDIT_ARCH_64BIT bit in AUDIT_ARCH_*).

There are some prerequisites for this patch to work correctly:
* "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch
* "audit: generic compat system call audit support" patch
* "arm64: __NR_* definitions for compat syscalls" patch from Catalin
* "arm64: make a single hook to syscall_trace() for all syscall features" patch
* "arm64: split syscall_trace() into separate functions for enter/exit" patch
* "arm64: Add regs_return_value() in syscall.h" patch
* "arm64: is_compat_task is defined both in asm/compat.h and 
   linux/compat.h" patch
* userspace audit tool (v2.3.6)

Please review them as well for better understanding.

This code was tested on both 32-bit and 64-bit LE userland 
in the following two ways:
1) basic operations with auditctl/autrace
  # auditctl -a exit,always -S openat -F path=/etc/inittab
  # auditctl -a exit,always -F dir=/tmp -F perm=rw
  # auditctl -a task,always
  # autrace /bin/ls
    by comparing output from autrace with one from strace

2) audit-test-code (+ my workarounds for arm/arm64)
  by running "audit-tool", "filter" and "syscalls" test categories.

Changes v8 -> v9:
* rebased on 3.15-rc, especially due to the change of syscall_get_arch()
  interface [1,2/2]

Changes v7 -> v8:
* aligned with the change in "audit: generic compat system call audit
  support" v5 [1/2]
* aligned with the change in "arm64: split syscall_trace() into separate
  functions for enter/exit" v5 [2/2]

Changes v6 -> v7:
* changed an include file in syscall.h from <linux/audit.h> to
  <uapi/linux/audit.h> [1/2]
* aligned with the patch, "arm64: split syscall_trace() into separate
  functions for enter/exit" [2/2]

Changes v5 -> v6:
* removed and put "arm64: Add regs_return_value() in syscall.h" patch into
  a separate set
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v3 [1/2]

Changes v4 -> v5:
* rebased to 3.14-rcX
* added a guard against TIF_SYSCALL_AUDIT [3/3]
* aligned with the change in "arm64: make a single hook to syscall_trace()
  for all syscall features" v2 [3/3]

Changes v3 -> v4:
* Modified to sync with the patch, "make a single hook to syscall_trace()
  for all syscall features"
* aligned with "audit: Add CONFIG_HAVE_ARCH_AUDITSYSCALL" patch

Changes v2 -> v3:
* Remove asm/audit.h.
  See "generic compat syscall audit support" patch v4
* Remove endianness dependency, ie. AUDIT_ARCH_ARMEB/AARCH64EB.
* Remove kernel/syscalls/Makefile which was used to create unistd32.h.
  See Catalin's "Add __NR_* definitions for compat syscalls" patch

Changes v1 -> v2:
* Modified to utilize "generic compat system call audit" [3/6, 4/6, 5/6]
  Please note that a required header, unistd_32.h, is automatically
  generated from unistd32.h.
* Refer to regs->orig_x0 instead of regs->x0 as the first argument of
  system call in audit_syscall_entry() [6/6]
* Include "Add regs_return_value() in syscall.h" patch [2/6],
  which was not intentionally included in v1 because it could be added
  by "kprobes support".

AKASHI Takahiro (2):
  arm64: Add audit support
  arm64: audit: Add audit hook in syscall_trace_enter/exit()

 arch/arm64/Kconfig               |    2 ++
 arch/arm64/include/asm/syscall.h |   14 ++++++++++++++
 arch/arm64/kernel/ptrace.c       |    7 +++++++
 include/uapi/linux/audit.h       |    1 +
 4 files changed, 24 insertions(+)

-- 
1.7.9.5

^ permalink raw reply	[flat|nested] 297+ messages in thread

* [PATCH v9 1/2] arm64: Add audit support
  2014-04-30  9:57                 ` AKASHI Takahiro
@ 2014-04-30  9:57                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    2 ++
 arch/arm64/include/asm/syscall.h |   14 ++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 0e9b8ce..0d3a003 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -9,6 +9,7 @@ config ARM64
 	select ARM_AMBA
 	select ARM_ARCH_TIMER
 	select ARM_GIC
+	select AUDIT_ARCH_COMPAT_GENERIC
 	select BUILDTIME_EXTABLE_SORT
 	select CLONE_BACKWARDS
 	select COMMON_CLK
@@ -27,6 +28,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..709a574 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,6 +16,8 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <uapi/linux/audit.h>
+#include <linux/compat.h>
 #include <linux/err.h>
 
 extern const void *sys_call_table[];
@@ -105,4 +107,16 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(void)
+{
+	if (is_compat_task())
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
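Review bot: the comment on syscall_get_arch() says the __AUDIT_ARCH_LE bit is not cared about, but both return values carry that bit (AUDIT_ARCH_ARM is EM_ARM|__AUDIT_ARCH_LE, and the AUDIT_ARCH_AARCH64 define added in this patch includes __AUDIT_ARCH_LE), so a big-endian kernel will report LE-tagged arch values. Please state that consequence explicitly in the comment, because audit rule filters and log consumers match on this value, and note that AUDIT_ARCH_ARMEB is deliberately never returned here.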
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 11917f7..e7df2e3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -334,6 +334,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v9 1/2] arm64: Add audit support
@ 2014-04-30  9:57                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: linux-arm-kernel

On AArch64, audit is supported through generic lib/audit.c and
compat_audit.c, and so this patch adds arch specific definitions required.

Acked-by: Will Deacon <will.deacon@arm.com>
Acked-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/Kconfig               |    2 ++
 arch/arm64/include/asm/syscall.h |   14 ++++++++++++++
 include/uapi/linux/audit.h       |    1 +
 3 files changed, 17 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 0e9b8ce..0d3a003 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -9,6 +9,7 @@ config ARM64
 	select ARM_AMBA
 	select ARM_ARCH_TIMER
 	select ARM_GIC
+	select AUDIT_ARCH_COMPAT_GENERIC
 	select BUILDTIME_EXTABLE_SORT
 	select CLONE_BACKWARDS
 	select COMMON_CLK
@@ -27,6 +28,7 @@ config ARM64
 	select GENERIC_STRNLEN_USER
 	select GENERIC_TIME_VSYSCALL
 	select HARDIRQS_SW_RESEND
+	select HAVE_ARCH_AUDITSYSCALL
 	select HAVE_ARCH_JUMP_LABEL
 	select HAVE_ARCH_KGDB
 	select HAVE_ARCH_TRACEHOOK
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 383771e..709a574 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -16,6 +16,8 @@
 #ifndef __ASM_SYSCALL_H
 #define __ASM_SYSCALL_H
 
+#include <uapi/linux/audit.h>
+#include <linux/compat.h>
 #include <linux/err.h>
 
 extern const void *sys_call_table[];
@@ -105,4 +107,16 @@ static inline void syscall_set_arguments(struct task_struct *task,
 	memcpy(&regs->regs[i], args, n * sizeof(args[0]));
 }
 
+/*
+ * We don't care about endianness (__AUDIT_ARCH_LE bit) here because
+ * AArch64 has the same system calls both on little- and big- endian.
+ */
+static inline int syscall_get_arch(void)
+{
+	if (is_compat_task())
+		return AUDIT_ARCH_ARM;
+
+	return AUDIT_ARCH_AARCH64;
+}
+
 #endif	/* __ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 11917f7..e7df2e3 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -334,6 +334,7 @@ enum {
 /* distinguish syscall tables */
 #define __AUDIT_ARCH_64BIT 0x80000000
 #define __AUDIT_ARCH_LE	   0x40000000
+#define AUDIT_ARCH_AARCH64	(EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ALPHA	(EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARM		(EM_ARM|__AUDIT_ARCH_LE)
 #define AUDIT_ARCH_ARMEB	(EM_ARM)
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v9 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
  2014-04-30  9:57                 ` AKASHI Takahiro
@ 2014-04-30  9:57                   ` AKASHI Takahiro
  -1 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: viro, eparis, rgb, catalin.marinas, will.deacon
  Cc: dsaxena, arndb, linux-arm-kernel, linaro-kernel, linux-kernel,
	linux-audit, AKASHI Takahiro

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 0bf1955..0568dc9 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
@@ -39,6 +40,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1097,11 +1099,16 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_enter(regs, regs->syscallno);
 
+	audit_syscall_entry(syscall_get_arch(), regs->syscallno,
+		regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
 
 asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
+	audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_exit(regs, regs_return_value(regs));
 
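Review bot: in syscall_trace_enter() the audit_syscall_entry() call is unconditional, unlike the TIF_SYSCALL_TRACEPOINT test directly above it, and the v4 -> v5 changelog mentions a guard on TIF_SYSCALL_AUDIT that is not visible in this hunk. Please say in the commit message where that check is made. It would also help to comment why the first argument comes from regs->orig_x0 while the other three come from regs->regs[1] to regs->regs[3], and to state what number audit should record when an earlier hook has set regs->syscallno to ~0UL to abort the call.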
-- 
1.7.9.5


^ permalink raw reply related	[flat|nested] 297+ messages in thread

* [PATCH v9 2/2] arm64: audit: Add audit hook in syscall_trace_enter/exit()
@ 2014-04-30  9:57                   ` AKASHI Takahiro
  0 siblings, 0 replies; 297+ messages in thread
From: AKASHI Takahiro @ 2014-04-30  9:57 UTC (permalink / raw)
  To: linux-arm-kernel

This patch adds auditing functions on entry to or exit from
every system call invocation.

Acked-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Will Deacon <will.deacon@arm.com>

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
---
 arch/arm64/kernel/ptrace.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
index 0bf1955..0568dc9 100644
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -19,6 +19,7 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
+#include <linux/audit.h>
 #include <linux/compat.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
@@ -39,6 +40,7 @@
 #include <asm/compat.h>
 #include <asm/debug-monitors.h>
 #include <asm/pgtable.h>
+#include <asm/syscall.h>
 #include <asm/traps.h>
 #include <asm/system_misc.h>
 
@@ -1097,11 +1099,16 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_enter(regs, regs->syscallno);
 
+	audit_syscall_entry(syscall_get_arch(), regs->syscallno,
+		regs->orig_x0, regs->regs[1], regs->regs[2], regs->regs[3]);
+
 	return regs->syscallno;
 }
 
 asmlinkage void syscall_trace_exit(struct pt_regs *regs)
 {
+	audit_syscall_exit(regs);
+
 	if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
 		trace_sys_exit(regs, regs_return_value(regs));
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 297+ messages in thread

* Re: [PATCH v6 0/4] arm64: prerequisites for audit and ftrace
  2014-04-30  9:51                       ` AKASHI Takahiro
  (?)
@ 2014-05-12 15:52                         ` Catalin Marinas
  -1 siblings, 0 replies; 297+ messages in thread
From: Catalin Marinas @ 2014-05-12 15:52 UTC (permalink / raw)
  To: AKASHI Takahiro
  Cc: Will Deacon, viro, eparis, rgb, dsaxena, arndb, linux-arm-kernel,
	linaro-kernel, linux-kernel, linux-audit

On Wed, Apr 30, 2014 at 10:51:28AM +0100, AKASHI Takahiro wrote:
> AKASHI Takahiro (4):
>   arm64: make a single hook to syscall_trace() for all syscall features
>   arm64: split syscall_trace() into separate functions for enter/exit
>   arm64: Add regs_return_value() in syscall.h
>   arm64: is_compat_task is defined both in asm/compat.h and
>     linux/compat.h

Patches picked by Will and applied to the arm64 for-next/core branch
(should appear in -next at some point).

Thanks.

-- 
Catalin

