On Wed, Mar 25, 2015 at 5:16 AM, Paul Moore <paul(a)paul-moore.com> wrote:
[NOTE: Adding the linux-arm folks to this thread just in case they are
interested.]
I'm not an ARM expert, but the kernel #define for AUDIT_ARCH_ARMEB
(below) seems reasonable to me based on the other audit machine
definitions. There is clearly a mismatch between the kernel and the
audit userspace, but I wonder if the issue should be addressed in the
userspace tools. Further, you mention kernel 3.14, what happens with
kernel 3.19 and the most recent audit userspace tools?
> grep "AUDIT_ARCH_ARMEB" include/uapi/linux/audit.h
#define AUDIT_ARCH_ARMEB (EM_ARM)
1.
Without the below commit, audit-2.3.2 works;
but with the below commit, audit-2.3.2 does not work.
commit 2f978366984a418f38fcf44137be1fbc5a89cfd9
Author: Will Deacon <will.deacon(a)arm.com>
Date: Fri May 4 17:53:52 2012 +0100
ARM: 7412/1: audit: use only AUDIT_ARCH_ARM regardless of endianness
The machine endianness has no direct correspondence to the syscall ABI,
so use only AUDIT_ARCH_ARM when identifying the ABI to the audit tools
in userspace.
Cc: stable(a)vger.kernel.org
Signed-off-by: Will Deacon <will.deacon(a)arm.com>
Signed-off-by: Russell King <rmk+kernel(a)arm.linux.org.uk>
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index d8dbe9c..9650c14 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -906,12 +906,6 @@ long arch_ptrace(struct task_struct *child, long request,
return ret;
}
-#ifdef __ARMEB__
-#define AUDIT_ARCH_NR AUDIT_ARCH_ARMEB
-#else
-#define AUDIT_ARCH_NR AUDIT_ARCH_ARM
-#endif
-
asmlinkage int syscall_trace(int why, struct pt_regs *regs, int scno)
{
unsigned long ip;
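Review bot: Removing the __ARMEB__ branch of AUDIT_ARCH_NR means a big-endian kernel never reports AUDIT_ARCH_ARMEB again, yet that value stays defined in include/uapi/linux/audit.h, so userspace that selects on it silently stops matching. Please say in the commit message that this changes the arch value userspace sees on big-endian builds, and which audit userspace handles it, since the patch is also marked for stable.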
@@ -919,7 +913,7 @@ asmlinkage int syscall_trace(int why, struct
pt_regs *regs, int scno)
if (why)
audit_syscall_exit(regs);
else
- audit_syscall_entry(AUDIT_ARCH_NR, scno, regs->ARM_r0,
+ audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0,
regs->ARM_r1, regs->ARM_r2, regs->ARM_r3);
if (!test_thread_flag(TIF_SYSCALL_TRACE))
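Review bot: The audit_syscall_entry() call now passes AUDIT_ARCH_ARM unconditionally, with nothing at the call site explaining why __ARMEB__ is ignored. A one-line comment above the call, along the lines of "endianness does not change the syscall ABI, so always report AUDIT_ARCH_ARM", would keep a later reader from reintroducing the #ifdef.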
2.
The latest audit has changeset 931 [Improve ARM and AARCH64 support],
so audit can work again.
-Roy
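
The mismatch discussed in this thread is visible in the `arch=` field of SYSCALL records. The following is an added example, not code from the thread, the kernel or the audit project: it decodes that field and lists the records whose value differs from the one a given userspace expects. The flag values are those of the kernel's include/uapi/linux/audit.h; the function names and the log lines are constructed for illustration.

```python
import re

# Values from include/uapi/linux/audit.h and elf-em.h
EM_ARM = 40
AUDIT_ARCH_64BIT = 0x80000000          # __AUDIT_ARCH_64BIT
AUDIT_ARCH_LE = 0x40000000             # __AUDIT_ARCH_LE
AUDIT_ARCH_ARM = EM_ARM | AUDIT_ARCH_LE
AUDIT_ARCH_ARMEB = EM_ARM              # as quoted in the thread

ARCH_RE = re.compile(r"\barch=([0-9a-fA-F]+)\b")

def decode_arch(token):
    """Split the hex arch= token into ELF machine number and ABI flags."""
    value = int(token, 16)
    return {
        "machine": value & ~(AUDIT_ARCH_64BIT | AUDIT_ARCH_LE),
        "little_endian_flag": bool(value & AUDIT_ARCH_LE),
        "is_64bit": bool(value & AUDIT_ARCH_64BIT),
    }

def arch_mismatches(lines, expected):
    """Return (line_no, arch) for SYSCALL records whose arch is not `expected`."""
    found = []
    for line_no, line in enumerate(lines, 1):
        if not line.startswith("type=SYSCALL"):
            continue  # only SYSCALL records carry arch=
        match = ARCH_RE.search(line)
        if match and int(match.group(1), 16) != expected:
            found.append((line_no, int(match.group(1), 16)))
    return found

# Constructed sample records (hypothetical, not taken from a real system)
SAMPLE = [
    "type=SYSCALL msg=audit(1427260000.101:45): arch=40000028 syscall=5 success=yes",
    "type=PATH msg=audit(1427260000.101:45): item=0 name=\"/etc/passwd\"",
    "type=SYSCALL msg=audit(1427260000.202:46): arch=28 syscall=5 success=yes",
]

if __name__ == "__main__":
    # Userspace that still expects AUDIT_ARCH_ARMEB on a big-endian system
    for line_no, arch in arch_mismatches(SAMPLE, AUDIT_ARCH_ARMEB):
        print(f"line {line_no}: arch={arch:x} {decode_arch(f'{arch:x}')}")
```
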