[PATCH] auparse.c events_are_equal() and event matching
by Guillaume Destuynder
Hi,
on our RHEL6 machines, with kernel 2.6.32, we noticed that sometimes an
audit message comes in but libaudit does not see it as the same event.
The milliseconds field of the timestamp differs (but the timestamp
seconds and event serial are identical).
The check to determine if 2 messages are part of the same event is done
by events_are_equal() in auparse/auparse.c (audit userspace library).
There is a comment that indicates that this is voluntary - however, I
could not find why. I suspect this is for searches over long periods of
time when the serial may roll over.
In case this was simply overlooked I'm attaching a patch that fixes it
for us. It keeps the timestamp check for the seconds, which works fine
and would still work with serial rolling over.
Again - it's relatively rare in our logs that the timestamp's millisecond
field differs and we log very heavily - so it's not that easy to reproduce.
Thanks!
Guillaume
Index: trunk/auparse/auparse.c
===================================================================
--- trunk/auparse/auparse.c (revision 1063)
+++ trunk/auparse/auparse.c (working copy)
@@ -752,10 +752,10 @@
static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
{
- // Check time & serial first since its most likely way
- // to spot 2 different events
- if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
- e1->sec == e2->sec))
+ // Check serial and timestamp - but not milliseconds
+ // as, even if rare, these may not match for the same message due to
+ // kernel processing delays
+ if (!(e1->serial == e2->serial && e1->sec == e2->sec))
return 0;
// Hmm...same so far, check if both have a host, only a string
// compare can tell if they are the same. Otherwise, if only one
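Review bot: the new comment in events_are_equal() says why e1->milli is no longer compared but not why e1->sec still is. The posting's own reasoning is that the seconds check is what keeps a rolled-over serial from matching an older event, so put that in the comment. It is also worth stating the cost: two records with the same serial in the same second are now always treated as one event, whatever their milliseconds.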
10 years
[PATCH V4] powerpc: add little endian flag to syscall_get_arch()
by Richard Guy Briggs
Since both ppc and ppc64 have LE variants which are now reported by uname, add
that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC64LE
variant.
Without this, perf trace and auditctl fail.
Mainline kernel reports ppc64le (per a058801) but there is no matching
AUDIT_ARCH_PPC64LE.
Since 32-bit PPC LE is not supported by audit, don't advertise it in
AUDIT_ARCH_PPC* variants.
See:
https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html
https://www.redhat.com/archives/linux-audit/2014-December/msg00004.html
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
arch/powerpc/include/asm/syscall.h | 6 +++++-
include/uapi/linux/audit.h | 2 ++
2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..d1934e5 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
static inline int syscall_get_arch(void)
{
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE;
+#endif
+ return arch;
}
#endif /* _ASM_SYSCALL_H */
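Review bot: in syscall_get_arch() the "arch |= __AUDIT_ARCH_LE;" line runs for both outcomes of the is_32bit_task() test, so a 32-bit task on a little-endian build returns EM_PPC|__AUDIT_ARCH_LE, the very value this patch declines to name in audit.h because audit does not support it. Either apply the flag only on the 64-bit branch or document what userspace is expected to do with the unnamed value.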
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..d82beec 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
#define AUDIT_ARCH_PARISC (EM_PARISC)
#define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC (EM_PPC)
+/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
--
1.7.1
10 years
[GIT PULL] Audit patches for 3.19
by Paul Moore
Hi Linus,
Two small patches from the audit next branch; only one of which has any real
significant code changes, the other is simply a MAINTAINERS update for audit.
The single code patch is pretty small and rather straightforward; it changes
the audit "version" number reported to userspace from an integer to a bitmap
which is used to indicate the functionality of the running kernel. This
really doesn't have much impact on the kernel, but it will make life easier
for the audit userspace folks. Thankfully we were still on a version number
which allowed us to do this without breaking userspace.
For what it is worth, as of a few minutes ago, the branch below applied
cleanly on top of your tree.
Thanks,
-Paul
---
The following changes since commit 799b601451b21ebe7af0e6e8f6e2ccd4683c5064:
audit: keep inode pinned (2014-11-11 14:20:22 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to 0f7e94ee40d06f7a04e039392dfee8244bd8a7e0:
Merge branch 'next' into upstream for v3.19 (2014-12-09 14:38:30 -0500)
----------------------------------------------------------------
Paul Moore (2):
audit: add Paul Moore to the MAINTAINERS entry
Merge branch 'next' into upstream for v3.19
Richard Guy Briggs (1):
audit: convert status version to a feature bitmap
MAINTAINERS | 5 +++--
include/uapi/linux/audit.h | 17 +++++++++++++----
kernel/audit.c | 2 +-
3 files changed, 17 insertions(+), 7 deletions(-)
10 years
[PATCH RFC] audit: move the tree pruning to a dedicated thread
by Imre Palik
From: "Palik, Imre" <imrep(a)amazon.de>
When file auditing is enabled, during a low memory situation, a memory
allocation with __GFP_FS can lead to pruning the inode cache, which can,
in turn, lead to audit_tree_freeing_mark() being called. This can call
audit_schedule_prune(), which tries to fork a pruning thread, and
waits until the thread is created. But forking needs memory, and the
memory allocations there are done with __GFP_FS.
So we are waiting merrily for some __GFP_FS memory allocations to complete,
while holding some filesystem locks. This can take a while ...
This patch creates a single thread for pruning the tree from
audit_tree_init(), and thus avoids the deadlock that the on-demand thread
creation can cause.
An alternative approach would be to move the thread creation outside of the
lock. This would assume that other layers of the filesystem code don't
hold any locks, and it would need some rewrite of the code to limit the
amount of threads possibly spawned.
Reported-by: Matt Wilson <msw(a)amazon.com>
Cc: Matt Wilson <msw(a)amazon.com>
Cc: Al Viro <viro(a)ZenIV.linux.org.uk>
Signed-off-by: Imre Palik <imrep(a)amazon.de>
---
kernel/audit_tree.c | 53 ++++++++++++++++++++++++++++++++++-----------------
1 file changed, 35 insertions(+), 18 deletions(-)
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 0caf1f8..cf6db88 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -37,6 +37,7 @@ struct audit_chunk {
static LIST_HEAD(tree_list);
static LIST_HEAD(prune_list);
+static struct task_struct *prune_thread;
/*
* One struct chunk is attached to each inode of interest.
@@ -806,30 +807,39 @@ int audit_tag_tree(char *old, char *new)
*/
static int prune_tree_thread(void *unused)
{
- mutex_lock(&audit_cmd_mutex);
- mutex_lock(&audit_filter_mutex);
+ for (;;) {
+ set_current_state(TASK_INTERRUPTIBLE);
+ if (list_empty(&prune_list))
+ schedule();
+ __set_current_state(TASK_RUNNING);
- while (!list_empty(&prune_list)) {
- struct audit_tree *victim;
+ mutex_lock(&audit_cmd_mutex);
+ mutex_lock(&audit_filter_mutex);
- victim = list_entry(prune_list.next, struct audit_tree, list);
- list_del_init(&victim->list);
+ while (!list_empty(&prune_list)) {
+ struct audit_tree *victim;
- mutex_unlock(&audit_filter_mutex);
+ victim = list_entry(prune_list.next,
+ struct audit_tree, list);
+ list_del_init(&victim->list);
- prune_one(victim);
+ mutex_unlock(&audit_filter_mutex);
- mutex_lock(&audit_filter_mutex);
- }
+ prune_one(victim);
- mutex_unlock(&audit_filter_mutex);
- mutex_unlock(&audit_cmd_mutex);
+ mutex_lock(&audit_filter_mutex);
+ }
+
+ mutex_unlock(&audit_filter_mutex);
+ mutex_unlock(&audit_cmd_mutex);
+ }
return 0;
}
static void audit_schedule_prune(void)
{
- kthread_run(prune_tree_thread, NULL, "audit_prune_tree");
+ BUG_ON(!prune_thread);
+ wake_up_process(prune_thread);
}
/*
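Review bot: BUG_ON(!prune_thread) in audit_schedule_prune() only catches NULL, but audit_tree_init() leaves prune_thread holding the kthread_create() error pointer when creation fails, so wake_up_process() would be handed an ERR_PTR; test with IS_ERR_OR_NULL() or reset the pointer to NULL on failure. In prune_tree_thread() the for (;;) loop has no exit, which makes the trailing "return 0;" unreachable, and the list_empty(&prune_list) test before schedule() is made without audit_filter_mutex; a short comment on why that unlocked check is safe would help.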
@@ -896,9 +906,10 @@ static void evict_chunk(struct audit_chunk *chunk)
for (n = 0; n < chunk->count; n++)
list_del_init(&chunk->owners[n].list);
spin_unlock(&hash_lock);
+ mutex_unlock(&audit_filter_mutex);
if (need_prune)
audit_schedule_prune();
- mutex_unlock(&audit_filter_mutex);
+
}
static int audit_tree_handle_event(struct fsnotify_group *group,
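Review bot: the move of mutex_unlock(&audit_filter_mutex) in evict_chunk() leaves an added blank line directly before the closing brace; drop it. The commit message also does not say why the unlock now has to precede audit_schedule_prune(), so explain that there or in a one-line comment, otherwise someone will move it back.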
@@ -938,10 +949,16 @@ static int __init audit_tree_init(void)
{
int i;
- audit_tree_group = fsnotify_alloc_group(&audit_tree_ops);
- if (IS_ERR(audit_tree_group))
- audit_panic("cannot initialize fsnotify group for rectree watches");
-
+ prune_thread = kthread_create(prune_tree_thread, NULL,
+ "audit_prune_tree");
+ if (IS_ERR(prune_thread)) {
+ audit_panic("cannot start thread audit_prune_tree");
+ } else {
+ wake_up_process(prune_thread);
+ audit_tree_group = fsnotify_alloc_group(&audit_tree_ops);
+ if (IS_ERR(audit_tree_group))
+ audit_panic("cannot initialize fsnotify group for rectree watches");
+ }
for (i = 0; i < HASH_SIZE; i++)
INIT_LIST_HEAD(&chunk_hash_heads[i]);
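Review bot: in audit_tree_init() a kthread_create() failure now skips fsnotify_alloc_group() as well, so audit_tree_group is never set on that path; handle the two failures independently instead of nesting the group allocation in the else branch. kthread_create() followed directly by wake_up_process() can be written as kthread_run(), which the removed code already used.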
--
1.7.9.5
10 years
[PATCH V3] powerpc: add little endian flag to syscall_get_arch()
by Richard Guy Briggs
Since both ppc and ppc64 have LE variants which are now reported by uname, add
that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE
variants.
Without this, perf trace and auditctl fail.
Mainline kernel reports ppc64le (per a058801) but there is no matching
AUDIT_ARCH_PPC64LE.
Since 32-bit PPC LE is not supported, throw a compiler error rather than return
a bogus architecture to audit.
See:
https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html
https://www.redhat.com/archives/linux-audit/2014-December/msg00004.html
v2 -> v3:
Throw a compiler error on 32-bit LE.
v1 -> v2:
Added ";" at the end of the #ifdef-protected line so it actually compiles
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
arch/powerpc/include/asm/syscall.h | 7 +++++++
include/uapi/linux/audit.h | 1 +
2 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..cf7fcab 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
static inline int syscall_get_arch(void)
{
+#ifdef __LITTLE_ENDIAN__
+ return AUDIT_ARCH_PPC64LE;
+#ifndef CONFIG_64BIT
+#error PPC 32-bit Little Endian architecture not supported.
+#endif /* CONFIG_64BIT */
+#else /* __LITTLE_ENDIAN__ */
return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#endif /* __LITTLE_ENDIAN__ */
}
#endif /* _ASM_SYSCALL_H */
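Review bot: with __LITTLE_ENDIAN__ defined, syscall_get_arch() returns AUDIT_ARCH_PPC64LE without consulting is_32bit_task(), which the big-endian branch still does; if a 32-bit task can run on a 64-bit little-endian kernel it would be reported as 64-bit. The #error also reads more clearly if the "#ifndef CONFIG_64BIT" check is placed before the return rather than after it.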
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fa2a6af 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -365,6 +365,7 @@ enum {
#define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC (EM_PPC)
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
--
1.7.1
10 years
[PATCH V2] powerpc: add little endian flag to syscall_get_arch()
by Richard Guy Briggs
Since both ppc and ppc64 have LE variants which are now reported by uname, add
that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE
variants.
Without this, perf trace and auditctl fail.
Mainline kernel reports ppc64le (per a058801) but there is no matching
AUDIT_ARCH_PPC64LE.
See:
https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html
https://www.redhat.com/archives/linux-audit/2014-December/msg00004.html
v1 -> v2:
Added ";" at the end of the #ifdef-protected line so it actually compiles
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
arch/powerpc/include/asm/syscall.h | 6 +++++-
include/uapi/linux/audit.h | 2 ++
2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..d1934e5 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
static inline int syscall_get_arch(void)
{
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE;
+#endif
+ return arch;
}
#endif /* _ASM_SYSCALL_H */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fe29a99 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
#define AUDIT_ARCH_PARISC (EM_PARISC)
#define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC (EM_PPC)
+#define AUDIT_ARCH_PPCLE (EM_PPC|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
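Review bot: AUDIT_ARCH_PPCLE goes into a uapi header here, but the userspace patch in this same archive adds only MACH_PPC64LE and states that there is no 32-bit ppcle. Drop the 32-bit define unless something can actually report it, since a constant exported to userspace is hard to withdraw later.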
--
1.7.1
10 years
Re: [PATCH] audit: add nspid and nsppid in audit_log_task_info
by Paul Moore
On Sunday, November 23, 2014 09:58:48 AM Eric Paris wrote:
> [forwarding to 2 people looking at audit now, do you mind resending to
> linux-audit(a)redhat.com and including them both?]
I'm also adding the linux-audit list to the CC line.
I know Richard has been working on namespaces/audit, I'd like to hear his
comments on this patch.
> On Sat, 2014-11-22 at 13:53 -0500, Mark Ellzey wrote:
> > If the current task being sent to audit_log_task_info() is not within
> > the root namespace, add two new fields "nspid=X nsppid=Y".
> >
> > This allows a user to map the real pid/ppid to a namespaced pid/ppid.
> > ---
> >
> > kernel/audit.c | 12 ++++++++++++
> > 1 file changed, 12 insertions(+)
> >
> > diff --git a/kernel/audit.c b/kernel/audit.c
> > index cebb11d..5439f66 100644
> > --- a/kernel/audit.c
> > +++ b/kernel/audit.c
> > @@ -1853,6 +1853,7 @@ void audit_log_task_info(struct audit_buffer
> > *ab, struct task_struct *tsk)
> >
> > char comm[sizeof(tsk->comm)];
> > struct mm_struct *mm = tsk->mm;
> > char *tty;
> >
> > + struct pid_namespace * pns;
> >
> > if (!ab)
> > return;
> >
> > @@ -1865,8 +1866,19 @@ void audit_log_task_info(struct audit_buffer
> > *ab, struct task_struct *tsk)
> >
> > tty = tsk->signal->tty->name;
> > else
> > tty = "(none)";
> >
> > +
> >
> > spin_unlock_irq(&tsk->sighand->siglock);
> >
> > + if ((pns = task_active_pid_ns(tsk)) != &init_pid_ns) {
> > + pid_t nsppid = 0;
> > + pid_t nspid = 0;
> > +
> > + nsppid = task_ppid_nr_ns(tsk, pns);
> > + nspid = task_pid_nr_ns(tsk, pns);
> > +
> > + audit_log_format(ab, " nsppid=%d nspid=%d", nsppid, nspid);
> > + }
> > +
> >
> > audit_log_format(ab,
> > " ppid=%d pid=%d auid=%u uid=%u gid=%u"
> > " euid=%u suid=%u fsuid=%u"
> >
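Review bot: the description promises "nspid=X nsppid=Y", but the audit_log_format() call emits " nsppid=%d nspid=%d"; make the order match. The assignment inside the condition, "if ((pns = task_active_pid_ns(tsk)) != &init_pid_ns)", is better split into an assignment and a plain test, and the added blank line before spin_unlock_irq() and the zero initialisers on nsppid and nspid (both overwritten on the next lines) can go.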
> > --
> > 1.9.1
--
paul moore
security and virtualization @ redhat
10 years
[RFC PATCH] audit: correctly record file names with different path name types
by Paul Moore
There is a problem with the audit system when multiple audit records
are created for the same path, each with a different path name type.
The root cause of the problem is in __audit_inode() when an exact
match (both the path name and path name type) is not found for a
path name record; the existing code creates a new path name record,
but it never sets the path name in this record, leaving it NULL.
This patch corrects this problem by assigning the path name to these
newly created records.
There are many ways to reproduce this problem, but one of the
easiest is the following (assuming auditd is running):
# mkdir /root/tmp/test
# touch /root/tmp/test/567
# auditctl -a always,exit -F dir=/root/tmp/test
# touch /root/tmp/test/567
Afterwards, or while the commands above are running, check the audit
log and pay special attention to the PATH records. A faulty kernel
will display something like the following for the file creation:
type=SYSCALL msg=audit(1416957442.025:93): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416957442.025:93): cwd="/root/tmp"
type=PATH msg=audit(1416957442.025:93): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416957442.025:93): item=1 name=(null)
inode=393804 ... nametype=NORMAL
type=PATH msg=audit(1416957442.025:93): item=2 name=(null)
inode=393804 ... nametype=NORMAL
While a patched kernel will show the following:
type=SYSCALL msg=audit(1416955786.566:89): arch=c000003e syscall=2
success=yes exit=3 ... comm="touch" exe="/usr/bin/touch"
type=CWD msg=audit(1416955786.566:89): cwd="/root/tmp"
type=PATH msg=audit(1416955786.566:89): item=0 name="test/"
inode=401409 ... nametype=PARENT
type=PATH msg=audit(1416955786.566:89): item=1 name="test/567"
inode=393804 ... nametype=NORMAL
This issue was brought up by a number of people, but special credit
should go to hujianyang(a)huawei.com for reporting the problem along
with an explanation of the problem and a patch. While the original
patch did have some problems (see the archive link below), it did
demonstrate the problem and helped kickstart the fix presented here.
* https://lkml.org/lkml/2014/9/5/66
Cc: stable(a)vger.kernel.org
Reported-by: hujianyang <hujianyang(a)huawei.com>
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
kernel/auditsc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 21eae3c..ff99c05 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1886,12 +1886,18 @@ void __audit_inode(struct filename *name, const struct dentry *dentry,
}
out_alloc:
- /* unable to find the name from a previous getname(). Allocate a new
- * anonymous entry.
- */
- n = audit_alloc_name(context, AUDIT_TYPE_NORMAL);
+ /* unable to find an entry with both a matching name and type */
+ n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
if (!n)
return;
+ if (name)
+ /* since name is not NULL we know there is already a matching
+ * name record, see audit_getname(), so there must be a type
+ * mismatch; reuse the string path since the original name
+ * record will keep the string valid until we free it in
+ * audit_free_names() */
+ n->name = name;
+
out:
if (parent) {
n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
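Review bot: the "if (name)" body at out_alloc is a five-line comment followed by "n->name = name;" with no braces; add braces so the assignment is visibly the only guarded statement. The hunk also changes the allocation type from AUDIT_TYPE_NORMAL to AUDIT_TYPE_UNKNOWN, which the commit message does not mention, and since two records now share one name string the patch should make clear how audit_free_names() avoids releasing it twice.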
10 years
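An added example, not code from the list or from the audit project: a small scanner that flags the PATH records with name=(null) shown in the RFC posting above, and groups them into events using the msg=audit(sec.milli:serial) header either with or without the milliseconds field, the comparison discussed in the events_are_equal() posting. The function names are hypothetical; the sample records are rejoined from the excerpts above, and the last one is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Event identity carried by every record: msg=audit(sec.milli:serial) */
struct au_stamp { unsigned long sec; unsigned int milli; unsigned long serial; };
struct scan_result { int nameless_paths; int affected_events; };

/* Parse the msg=audit(...) header of one record; returns 0 on success. */
static int parse_stamp(const char *line, struct au_stamp *out)
{
    const char *p = strstr(line, "msg=audit(");

    if (!p || sscanf(p, "msg=audit(%lu.%u:%lu", &out->sec, &out->milli,
                     &out->serial) != 3)
        return -1;
    return 0;
}

/* Same-event test; check_milli=0 compares serial and seconds only. */
static int same_event(const struct au_stamp *a, const struct au_stamp *b,
                      int check_milli)
{
    if (a->serial != b->serial || a->sec != b->sec)
        return 0;
    return !check_milli || a->milli == b->milli;
}

/* Count PATH records logged with name=(null) and the events they belong to. */
static struct scan_result scan_log(const char *const *lines, size_t n,
                                   int check_milli)
{
    struct scan_result r = { 0, 0 };
    struct au_stamp seen[32], cur;
    size_t i;
    int j;

    for (i = 0; i < n; i++) {
        if (strncmp(lines[i], "type=PATH ", 10) != 0 ||
            !strstr(lines[i], " name=(null)") ||
            parse_stamp(lines[i], &cur) != 0)
            continue;
        r.nameless_paths++;
        for (j = 0; j < r.affected_events; j++)
            if (same_event(&seen[j], &cur, check_milli))
                break;
        if (j == r.affected_events && j < 32)
            seen[r.affected_events++] = cur;
    }
    return r;
}

/* PATH records rejoined from the two excerpts above, plus one constructed
 * record (the last) whose milliseconds differ within event 93. */
static const char *const sample[] = {
    "type=PATH msg=audit(1416957442.025:93): item=0 name=\"test/\" inode=401409 ... nametype=PARENT",
    "type=PATH msg=audit(1416957442.025:93): item=1 name=(null) inode=393804 ... nametype=NORMAL",
    "type=PATH msg=audit(1416957442.025:93): item=2 name=(null) inode=393804 ... nametype=NORMAL",
    "type=PATH msg=audit(1416955786.566:89): item=0 name=\"test/\" inode=401409 ... nametype=PARENT",
    "type=PATH msg=audit(1416955786.566:89): item=1 name=\"test/567\" inode=393804 ... nametype=NORMAL",
    "type=PATH msg=audit(1416957442.026:93): item=3 name=(null) inode=393804 ... nametype=NORMAL",
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    struct scan_result strict = scan_log(sample, SAMPLE_N, 1);
    struct scan_result relaxed = scan_log(sample, SAMPLE_N, 0);

    printf("nameless PATH records: %d\n", strict.nameless_paths);
    printf("events (milliseconds compared): %d\n", strict.affected_events);
    printf("events (serial and seconds only): %d\n", relaxed.affected_events);
    return 0;
}
```

With milliseconds compared, the constructed record is counted as a separate event; comparing serial and seconds only folds it back into event 93.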
[PATCH] powerpc: add little endian flag to syscall_get_arch()
by Richard Guy Briggs
Since both ppc and ppc64 have LE variants which are now reported by uname, add
that flag (__AUDIT_ARCH_LE) to syscall_get_arch() and add AUDIT_ARCH_PPC*LE
variants.
Without this, perf trace and auditctl fail.
Mainline kernel reports ppc64le (per a058801) but there is no matching
AUDIT_ARCH_PPC64LE.
See:
https://www.redhat.com/archives/linux-audit/2014-August/msg00082.html
https://www.redhat.com/archives/linux-audit/2014-December/msg00004.html
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
arch/powerpc/include/asm/syscall.h | 6 +++++-
include/uapi/linux/audit.h | 2 ++
2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/arch/powerpc/include/asm/syscall.h b/arch/powerpc/include/asm/syscall.h
index 6fa2708..a58acab 100644
--- a/arch/powerpc/include/asm/syscall.h
+++ b/arch/powerpc/include/asm/syscall.h
@@ -90,6 +90,10 @@ static inline void syscall_set_arguments(struct task_struct *task,
static inline int syscall_get_arch(void)
{
- return is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+ int arch = is_32bit_task() ? AUDIT_ARCH_PPC : AUDIT_ARCH_PPC64;
+#ifdef __LITTLE_ENDIAN__
+ arch |= __AUDIT_ARCH_LE
+#endif
+ return arch;
}
#endif /* _ASM_SYSCALL_H */
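Review bot: "arch |= __AUDIT_ARCH_LE" inside the "#ifdef __LITTLE_ENDIAN__" block has no terminating semicolon, so syscall_get_arch() fails to compile on exactly the little-endian builds this change targets; add the ";".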
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 4d100c8..fe29a99 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -364,7 +364,9 @@ enum {
#define AUDIT_ARCH_PARISC (EM_PARISC)
#define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC (EM_PPC)
+#define AUDIT_ARCH_PPCLE (EM_PPC|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
--
1.7.1
10 years
[PATCH] audit: add ppc64 mach support
by Tony Jones
Add support for ppc64le.
$ uname -a
Linux cabernet 3.12.26-3-default #1 SMP Mon Aug 18 15:07:30 UTC 2014 (d318f3a) ppc64le ppc64le ppc64le GNU/Linux
Without this, perf trace and auditctl fail. There is no 32 bit (ppcle).
Signed-off-by: Tony Jones <tonyj(a)suse.de>
---
Index: trunk/lib/libaudit.c
===================================================================
--- trunk/lib/libaudit.c (revision 1011)
+++ trunk/lib/libaudit.c (working copy)
@@ -1195,6 +1195,11 @@
return -6;
break;
#endif
+ case MACH_PPC64LE:
+ if (bits != __AUDIT_ARCH_64BIT)
+ return -6;
+ break;
+
case MACH_86_64: /* fallthrough */
case MACH_PPC64: /* fallthrough */
case MACH_S390X: /* fallthrough */
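Review bot: "case MACH_PPC64LE:" gets its own "bits != __AUDIT_ARCH_64BIT" check directly above a fallthrough group that already lists MACH_PPC64; if that group performs the same test, add the new case to it rather than duplicating the body.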
Index: trunk/lib/libaudit.h
===================================================================
--- trunk/lib/libaudit.h (revision 1011)
+++ trunk/lib/libaudit.h (working copy)
@@ -356,6 +356,9 @@
#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#endif
+#ifndef AUDIT_ARCH_PPC64LE
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
//////////////////////////////////////////////////////
// This is an external ABI. Any changes in here will
@@ -438,7 +441,8 @@
MACH_S390,
MACH_ALPHA,
MACH_ARM,
- MACH_AARCH64
+ MACH_AARCH64,
+ MACH_PPC64LE
} machine_t;
/* These are the valid audit failure tunable enum values */
Index: trunk/lib/lookup_table.c
===================================================================
--- trunk/lib/lookup_table.c (revision 1011)
+++ trunk/lib/lookup_table.c (working copy)
@@ -70,6 +70,7 @@
{ MACH_86_64, AUDIT_ARCH_X86_64 },
{ MACH_IA64, AUDIT_ARCH_IA64 },
{ MACH_PPC64, AUDIT_ARCH_PPC64 },
+ { MACH_PPC64LE, AUDIT_ARCH_PPC64LE},
{ MACH_PPC, AUDIT_ARCH_PPC },
{ MACH_S390X, AUDIT_ARCH_S390X },
{ MACH_S390, AUDIT_ARCH_S390 },
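Review bot: "{ MACH_PPC64LE, AUDIT_ARCH_PPC64LE}," is missing the space before the closing brace that every neighbouring table entry has.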
@@ -123,6 +124,7 @@
found = ia64_syscall_s2i(sc, &res);
break;
case MACH_PPC64:
+ case MACH_PPC64LE:
case MACH_PPC:
found = ppc_syscall_s2i(sc, &res);
break;
@@ -169,6 +171,7 @@
case MACH_IA64:
return ia64_syscall_i2s(sc);
case MACH_PPC64:
+ case MACH_PPC64LE:
case MACH_PPC:
return ppc_syscall_i2s(sc);
case MACH_S390X:
Index: trunk/lib/machinetab.h
===================================================================
--- trunk/lib/machinetab.h (revision 1011)
+++ trunk/lib/machinetab.h (working copy)
@@ -27,6 +27,7 @@
_S(MACH_86_64, "x86_64" )
_S(MACH_IA64, "ia64" )
_S(MACH_PPC64, "ppc64" )
+_S(MACH_PPC64LE, "ppc64le")
_S(MACH_PPC, "ppc" )
_S(MACH_S390X, "s390x" )
_S(MACH_S390, "s390" )
10 years, 1 month