From: Paul Moore <paul@paul-moore.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: linux-audit@redhat.com, bpf@vger.kernel.org
Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Date: Mon, 28 Jun 2021 12:59:53 -0400 [thread overview]
Message-ID: <CAHC9VhSTb75NEPZRm+Tkngv=SW8ntmSpVCrXMHHHWc2qYNZqCA@mail.gmail.com> (raw)
In-Reply-To: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de>
On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote:
>
> Hi everyone,
>
> there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
> the currently visible syscall numbers (__NR_...) from the kernel uapi headers.
Looking at Linus' current tree I see the AUDIT_ARCH_* defines in
include/uapi/linux/audit.h; looking on my system right now I see the
defines in /usr/include/linux/audit.h. What kernel repository and
distribution are you using?
> Questions:
>
> Is it really necessary to validate the arch value when syscall numbers are
> already target-specific?
> (If not, should this be added to the docs?)
Checking the arch/ABI value is important so that you can ensure that
you are using the syscall number in the proper context. For example,
look at the access(2) syscall: it is undefined on some ABIs and can
take either a value of 20, 21, or 33 depending on the arch/ABI.
Unfortunately this is rather common.
Checking the arch/ABI value is also handy if you want to quickly
disallow certain ABIs on a system that supports multiple ABI, e.g.
disabling 32-bit x86 on a 64-bit x86_64 system.
> Would it make sense to expose the audit arch matching the syscall numbers in
> the uapi headers?
Yes, which is why the existing headers do so ;) If you don't see the
header files I mentioned above, it may be worth checking your kernel
source repository and your distribution's installed kernel header
files.
--
paul moore
www.paul-moore.com
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul@paul-moore.com>
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: bpf@vger.kernel.org, linux-audit@redhat.com
Subject: Re: AUDIT_ARCH_ and __NR_syscall constants for seccomp filters
Date: Mon, 28 Jun 2021 12:59:53 -0400 [thread overview]
Message-ID: <CAHC9VhSTb75NEPZRm+Tkngv=SW8ntmSpVCrXMHHHWc2qYNZqCA@mail.gmail.com> (raw)
In-Reply-To: <0b926f59-464d-4b67-8f32-329cf9695cf7@t-8ch.de>
On Mon, Jun 28, 2021 at 9:25 AM Thomas Weißschuh <linux@weissschuh.net> wrote:
>
> Hi everyone,
>
> there does not seem to be a way to access the AUDIT_ARCH_ constant that matches
> the currently visible syscall numbers (__NR_...) from the kernel uapi headers.
Looking at Linus' current tree I see the AUDIT_ARCH_* defines in
include/uapi/linux/audit.h; looking on my system right now I see the
defines in /usr/include/linux/audit.h. What kernel repository and
distribution are you using?
> Questions:
>
> Is it really necessary to validate the arch value when syscall numbers are
> already target-specific?
> (If not, should this be added to the docs?)
Checking the arch/ABI value is important so that you can ensure that
you are using the syscall number in the proper context. For example,
look at the access(2) syscall: it is undefined on some ABIs and can
take either a value of 20, 21, or 33 depending on the arch/ABI.
Unfortunately this is rather common.
Checking the arch/ABI value is also handy if you want to quickly
disallow certain ABIs on a system that supports multiple ABI, e.g.
disabling 32-bit x86 on a 64-bit x86_64 system.
> Would it make sense to expose the audit arch matching the syscall numbers in
> the uapi headers?
Yes, which is why the existing headers do so ;) If you don't see the
header files I mentioned above, it may be worth checking your kernel
source repository and your distribution's installed kernel header
files.
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-06-28 17:00 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 7:31 AUDIT_ARCH_ and __NR_syscall constants for seccomp filters Thomas Weißschuh
2021-06-28 7:31 ` Thomas Weißschuh
2021-06-28 16:59 ` Paul Moore [this message]
2021-06-28 16:59 ` Paul Moore
2021-06-28 17:13 ` Thomas Weißschuh
2021-06-28 17:13 ` Thomas Weißschuh
2021-06-28 17:34 ` Paul Moore
2021-06-28 17:34 ` Paul Moore
2021-06-28 17:58 ` Thomas Weißschuh
2021-06-28 17:58 ` Thomas Weißschuh
2021-06-28 22:43 ` Paul Moore
2021-06-28 22:43 ` Paul Moore
2021-06-29 10:40 ` Thomas Weißschuh
2021-06-29 10:40 ` Thomas Weißschuh
2021-06-29 23:41 ` Paul Moore
2021-06-29 23:41 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhSTb75NEPZRm+Tkngv=SW8ntmSpVCrXMHHHWc2qYNZqCA@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=bpf@vger.kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux@weissschuh.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.