From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 16A3DC433EF for ; Tue, 3 May 2022 09:02:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233167AbiECJGB (ORCPT ); Tue, 3 May 2022 05:06:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43580 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233148AbiECJF7 (ORCPT ); Tue, 3 May 2022 05:05:59 -0400 Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3D45017067 for ; Tue, 3 May 2022 02:02:27 -0700 (PDT) Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2437MqXF008610; Tue, 3 May 2022 09:02:26 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=pp1; bh=SYOqM8zFy4vxJdy6VODyZJAP5Ycwa6rAM28oBt1WXQ0=; b=lOFjXKMIhYEzGUGxt4qv1wIAltL3uJi2FTpn3aV6IBx1TVERPH3TjcjLJCrQ+rd/AzFl 1lOA0hkx12/mfGvAB1efYFdPk1wdQ0qDHnMphXbPO5Y2xrDCl35kusAHUizNML4eBEEa IZp2jF8+psDHRa+id4o42RbyqG8hhg3AZGwCo/lIibnHoGz9rWeo6gj74z4P4mTbIg2f i7rrlNN28YWDQO6bc/dxqI57xR+aMTM4IG2r8hXON4sLvaeTmecKApcjB1pZwFlhaOAT qPt4ZzDtz60WzlJnZ36RZPeW+xP8KuuLW6B61X3l1EGqy2YB9O8gz9lACDN2wTOjfYJR gw== Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3ftyxysdxa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:25 +0000 Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 2438vHoJ004852; Tue, 3 May 2022 09:02:25 GMT Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3ftyxysdwx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:25 +0000 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 24392EG9024274; Tue, 3 May 2022 09:02:23 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma06ams.nl.ibm.com with ESMTP id 3frvcj3xdw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:23 +0000 Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 24392LxE49348928 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 3 May 2022 09:02:21 GMT Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 108025204F; Tue, 3 May 2022 09:02:21 +0000 (GMT) Received: from tuxmaker.boeblingen.de.ibm.com (unknown [9.152.85.9]) by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTPS id F3CBB5204E; Tue, 3 May 2022 09:02:20 +0000 (GMT) Received: by tuxmaker.boeblingen.de.ibm.com (Postfix, from userid 55390) id 9D1CEE0287; Tue, 3 May 2022 11:02:20 +0200 (CEST) From: Sven Schnelle To: Paul Moore , Eric Paris Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org Subject: [PATCH 1/2] audit: add call argument to socketcall auditing Date: Tue, 3 May 2022 11:02:11 +0200 Message-Id: <20220503090212.1322050-1-svens@linux.ibm.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: ve2kozsgKL8-EZO7LBlFvXw_wSCWiJmo X-Proofpoint-GUID: 4tej_tl14E4_6mmGWr4iad_Rmlqdk6Fb X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-03_02,2022-05-02_03,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxscore=0 spamscore=0 suspectscore=0 bulkscore=0 phishscore=0 malwarescore=0 priorityscore=1501 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205030065 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org socketcall auditing misses the call argument: type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c which renders socketcall auditing (almost) useless. Add the call argument so it is possible to decode the actual syscall from the audit log: type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c Signed-off-by: Sven Schnelle --- include/linux/audit.h | 10 +++++----- kernel/audit.h | 1 + kernel/auditsc.c | 6 ++++-- net/compat.c | 2 +- net/socket.c | 2 +- 5 files changed, 12 insertions(+), 9 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index d06134ac6245..7d2256f999ab 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t) extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); extern void __audit_bprm(struct linux_binprm *bprm); -extern int __audit_socketcall(int nargs, unsigned long *args); +extern int __audit_socketcall(int call, int nargs, unsigned long *args); extern int __audit_sockaddr(int len, void *addr); extern void __audit_fd_pair(int fd1, int fd2); extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); @@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm) if (unlikely(!audit_dummy_context())) __audit_bprm(bprm); } -static inline int audit_socketcall(int nargs, unsigned long *args) +static inline int audit_socketcall(int call, int nargs, unsigned long *args) { if (unlikely(!audit_dummy_context())) - return __audit_socketcall(nargs, args); + return __audit_socketcall(call, nargs, args); return 0; } -static inline int audit_socketcall_compat(int nargs, u32 *args) +static inline int audit_socketcall_compat(int call, int nargs, u32 *args) { unsigned long a[AUDITSC_ARGS]; int i; @@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args) for (i = 0; i < nargs; i++) a[i] = (unsigned long)args[i]; - return __audit_socketcall(nargs, a); + return __audit_socketcall(call, nargs, a); } static inline int audit_sockaddr(int len, void *addr) diff --git a/kernel/audit.h b/kernel/audit.h index 58b66543b4d5..34e53b6f0ebb 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -153,6 +153,7 @@ struct audit_context { int type; union { struct { + int call; int nargs; long args[6]; } socketcall; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ea2ee1181921..c856893041c9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic) switch (context->type) { case AUDIT_SOCKETCALL: { int nargs = context->socketcall.nargs; + int call = context->socketcall.call; - audit_log_format(ab, "nargs=%d", nargs); + audit_log_format(ab, "call=%d nargs=%d", call, nargs); for (i = 0; i < nargs; i++) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); @@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm) * @args: args array * */ -int __audit_socketcall(int nargs, unsigned long *args) +int __audit_socketcall(int call, int nargs, unsigned long *args) { struct audit_context *context = audit_context(); if (nargs <= 0 || nargs > AUDITSC_ARGS || !args) return -EINVAL; context->type = AUDIT_SOCKETCALL; + context->socketcall.call = call; context->socketcall.nargs = nargs; memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); return 0; diff --git a/net/compat.c b/net/compat.c index 210fc3b4d0d8..0df955019ecc 100644 --- a/net/compat.c +++ b/net/compat.c @@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) if (copy_from_user(a, args, len)) return -EFAULT; - ret = audit_socketcall_compat(len / sizeof(a[0]), a); + ret = audit_socketcall_compat(call, len / sizeof(a[0]), a); if (ret) return ret; diff --git a/net/socket.c b/net/socket.c index 6887840682bb..ff71f28c96f7 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) if (copy_from_user(a, args, len)) return -EFAULT; - err = audit_socketcall(nargs[call] / sizeof(unsigned long), a); + err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a); if (err) return err; -- 2.32.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 92ECBC433EF for ; Tue, 3 May 2022 15:15:05 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-498-TIL3Uh46PLq9XSRLp86YGA-1; Tue, 03 May 2022 11:15:00 -0400 X-MC-Unique: TIL3Uh46PLq9XSRLp86YGA-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C7B1D3CA7FE6; Tue, 3 May 2022 12:32:49 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id B51E4111D78A; Tue, 3 May 2022 12:32:49 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 5F93F1947049; Tue, 3 May 2022 12:32:49 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id CE9BA1947041 for ; Tue, 3 May 2022 09:02:28 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 9F2FC1538413; Tue, 3 May 2022 09:02:28 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast08.extmail.prod.ext.rdu2.redhat.com [10.11.55.24]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 9A6F31538411 for ; Tue, 3 May 2022 09:02:28 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 81C3B38041D9 for ; Tue, 3 May 2022 09:02:28 +0000 (UTC) Received: from mx0a-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-515-70hgxMAxNTu4c3wp4PjFHw-1; Tue, 03 May 2022 05:02:26 -0400 X-MC-Unique: 70hgxMAxNTu4c3wp4PjFHw-1 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 2437MhbZ008136; Tue, 3 May 2022 09:02:26 GMT Received: from pps.reinject (localhost [127.0.0.1]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3ftyxysdx8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:25 +0000 Received: from m0098413.ppops.net (m0098413.ppops.net [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 2438vHoI004852; Tue, 3 May 2022 09:02:25 GMT Received: from ppma06ams.nl.ibm.com (66.31.33a9.ip4.static.sl-reverse.com [169.51.49.102]) by mx0b-001b2d01.pphosted.com (PPS) with ESMTPS id 3ftyxysdwx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:25 +0000 Received: from pps.filterd (ppma06ams.nl.ibm.com [127.0.0.1]) by ppma06ams.nl.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 24392EG9024274; Tue, 3 May 2022 09:02:23 GMT Received: from b06cxnps3074.portsmouth.uk.ibm.com (d06relay09.portsmouth.uk.ibm.com [9.149.109.194]) by ppma06ams.nl.ibm.com with ESMTP id 3frvcj3xdw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 May 2022 09:02:23 +0000 Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 24392LxE49348928 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 3 May 2022 09:02:21 GMT Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 108025204F; Tue, 3 May 2022 09:02:21 +0000 (GMT) Received: from tuxmaker.boeblingen.de.ibm.com (unknown [9.152.85.9]) by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTPS id F3CBB5204E; Tue, 3 May 2022 09:02:20 +0000 (GMT) Received: by tuxmaker.boeblingen.de.ibm.com (Postfix, from userid 55390) id 9D1CEE0287; Tue, 3 May 2022 11:02:20 +0200 (CEST) From: Sven Schnelle To: Paul Moore , Eric Paris Subject: [PATCH 1/2] audit: add call argument to socketcall auditing Date: Tue, 3 May 2022 11:02:11 +0200 Message-Id: <20220503090212.1322050-1-svens@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: ve2kozsgKL8-EZO7LBlFvXw_wSCWiJmo X-Proofpoint-GUID: AFvYeONQ2eZd_-eUHEjFUQsPVSp7Qefl X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.858,Hydra:6.0.486,FMLib:17.11.64.514 definitions=2022-05-03_02,2022-05-02_03,2022-02-23_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1011 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxscore=0 spamscore=0 suspectscore=0 bulkscore=0 phishscore=0 malwarescore=0 priorityscore=1501 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2205030065 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.85 on 10.11.54.7 X-Mailman-Approved-At: Tue, 03 May 2022 12:32:46 +0000 X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org Errors-To: linux-audit-bounces@redhat.com Sender: "Linux-audit" X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit socketcall auditing misses the call argument: type=SOCKETCALL msg=audit: nargs=3 a0=10 a1=3 a2=c which renders socketcall auditing (almost) useless. Add the call argument so it is possible to decode the actual syscall from the audit log: type=SOCKETCALL msg=audit: call=1 nargs=3 a0=10 a1=3 a2=c Signed-off-by: Sven Schnelle --- include/linux/audit.h | 10 +++++----- kernel/audit.h | 1 + kernel/auditsc.c | 6 ++++-- net/compat.c | 2 +- net/socket.c | 2 +- 5 files changed, 12 insertions(+), 9 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index d06134ac6245..7d2256f999ab 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -405,7 +405,7 @@ static inline void audit_ptrace(struct task_struct *t) extern void __audit_ipc_obj(struct kern_ipc_perm *ipcp); extern void __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, umode_t mode); extern void __audit_bprm(struct linux_binprm *bprm); -extern int __audit_socketcall(int nargs, unsigned long *args); +extern int __audit_socketcall(int call, int nargs, unsigned long *args); extern int __audit_sockaddr(int len, void *addr); extern void __audit_fd_pair(int fd1, int fd2); extern void __audit_mq_open(int oflag, umode_t mode, struct mq_attr *attr); @@ -445,14 +445,14 @@ static inline void audit_bprm(struct linux_binprm *bprm) if (unlikely(!audit_dummy_context())) __audit_bprm(bprm); } -static inline int audit_socketcall(int nargs, unsigned long *args) +static inline int audit_socketcall(int call, int nargs, unsigned long *args) { if (unlikely(!audit_dummy_context())) - return __audit_socketcall(nargs, args); + return __audit_socketcall(call, nargs, args); return 0; } -static inline int audit_socketcall_compat(int nargs, u32 *args) +static inline int audit_socketcall_compat(int call, int nargs, u32 *args) { unsigned long a[AUDITSC_ARGS]; int i; @@ -462,7 +462,7 @@ static inline int audit_socketcall_compat(int nargs, u32 *args) for (i = 0; i < nargs; i++) a[i] = (unsigned long)args[i]; - return __audit_socketcall(nargs, a); + return __audit_socketcall(call, nargs, a); } static inline int audit_sockaddr(int len, void *addr) diff --git a/kernel/audit.h b/kernel/audit.h index 58b66543b4d5..34e53b6f0ebb 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -153,6 +153,7 @@ struct audit_context { int type; union { struct { + int call; int nargs; long args[6]; } socketcall; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index ea2ee1181921..c856893041c9 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1399,8 +1399,9 @@ static void show_special(struct audit_context *context, int *call_panic) switch (context->type) { case AUDIT_SOCKETCALL: { int nargs = context->socketcall.nargs; + int call = context->socketcall.call; - audit_log_format(ab, "nargs=%d", nargs); + audit_log_format(ab, "call=%d nargs=%d", call, nargs); for (i = 0; i < nargs; i++) audit_log_format(ab, " a%d=%lx", i, context->socketcall.args[i]); @@ -2684,13 +2685,14 @@ void __audit_bprm(struct linux_binprm *bprm) * @args: args array * */ -int __audit_socketcall(int nargs, unsigned long *args) +int __audit_socketcall(int call, int nargs, unsigned long *args) { struct audit_context *context = audit_context(); if (nargs <= 0 || nargs > AUDITSC_ARGS || !args) return -EINVAL; context->type = AUDIT_SOCKETCALL; + context->socketcall.call = call; context->socketcall.nargs = nargs; memcpy(context->socketcall.args, args, nargs * sizeof(unsigned long)); return 0; diff --git a/net/compat.c b/net/compat.c index 210fc3b4d0d8..0df955019ecc 100644 --- a/net/compat.c +++ b/net/compat.c @@ -437,7 +437,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) if (copy_from_user(a, args, len)) return -EFAULT; - ret = audit_socketcall_compat(len / sizeof(a[0]), a); + ret = audit_socketcall_compat(call, len / sizeof(a[0]), a); if (ret) return ret; diff --git a/net/socket.c b/net/socket.c index 6887840682bb..ff71f28c96f7 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2921,7 +2921,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) if (copy_from_user(a, args, len)) return -EFAULT; - err = audit_socketcall(nargs[call] / sizeof(unsigned long), a); + err = audit_socketcall(call, nargs[call] / sizeof(unsigned long), a); if (err) return err; -- 2.32.0 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit