Discussion:
[PATCH 0/2] riscv: add audit support
(too old to reply)
David Abdurachmanov
2018-10-29 10:48:52 UTC
Permalink
This patchset adds system call audit support on riscv (riscv32 &
riscv64).

The pachset was prepared on top of v4.19 tag.

audit-userspace changes were submitted. See:
https://github.com/linux-audit/audit-userspace/pull/73

Tested the following manually:
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])

I looked into audit-testsuite and with some adjustments results are:

Failed 4/14 test programs. 19/88 subtests failed.

The failing tests were due to missing CONFIG_IP_NF_MANGLE, 'id -Z' not
printing categories (don't know why), not having loadable kernel module
support enablled and syscall_socketcall not being relevant for new arches.

audit-testsuite with adjustments:
https://github.com/davidlt/audit-testsuite/tree/riscv64

Depends on:
[PATCH 1/2] Move EM_RISCV into elf-em.h
http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html

This should solve DNF issues in Fedora 29/RISCV.

David Abdurachmanov (2):
riscv: add audit support
riscv: audit: add audit hook in do_syscall_trace_enter/exit()

arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
arch/riscv/kernel/ptrace.c | 5 +++++
include/uapi/linux/audit.h | 2 ++
7 files changed, 31 insertions(+), 2 deletions(-)
--
2.17.2
David Abdurachmanov
2018-10-29 10:48:54 UTC
Permalink
This patch adds auditing functions on entry to and exit from every system
call invocation.

Signed-off-by: David Abdurachmanov <***@gmail.com>
---
arch/riscv/kernel/ptrace.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/arch/riscv/kernel/ptrace.c b/arch/riscv/kernel/ptrace.c
index 9f82a7e34c64..85b0c93f00c6 100644
--- a/arch/riscv/kernel/ptrace.c
+++ b/arch/riscv/kernel/ptrace.c
@@ -18,6 +18,7 @@
#include <asm/ptrace.h>
#include <asm/syscall.h>
#include <asm/thread_info.h>
+#include <linux/audit.h>
#include <linux/ptrace.h>
#include <linux/elf.h>
#include <linux/regset.h>
@@ -111,10 +112,14 @@ void do_syscall_trace_enter(struct pt_regs *regs)
if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
trace_sys_enter(regs, syscall_get_nr(current, regs));
#endif
+
+ audit_syscall_entry(regs->a7, regs->a0, regs->a1, regs->a2, regs->a3);
}

void do_syscall_trace_exit(struct pt_regs *regs)
{
+ audit_syscall_exit(regs);
+
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall_exit(regs, 0);
--
2.17.2
David Abdurachmanov
2018-10-29 10:48:53 UTC
Permalink
On RISC-V (riscv) audit is supported through generic lib/audit.c.
The patch adds required arch specific definitions.

Signed-off-by: David Abdurachmanov <***@gmail.com>
---
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
include/uapi/linux/audit.h | 2 ++
6 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..8e6d404a4ed0 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
select GENERIC_STRNLEN_USER
select GENERIC_SMP_IDLE_THREAD
select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_MEMBLOCK
select HAVE_MEMBLOCK_NODE_MAP
select HAVE_DMA_CONTIGUOUS
diff --git a/arch/riscv/include/asm/ptrace.h b/arch/riscv/include/asm/ptrace.h
index 2c5df945d43c..62c5e9d35596 100644
--- a/arch/riscv/include/asm/ptrace.h
+++ b/arch/riscv/include/asm/ptrace.h
@@ -113,6 +113,11 @@ static inline void frame_pointer_set(struct pt_regs *regs,
SET_FP(regs, val);
}

+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->a0;
+}
+
#endif /* __ASSEMBLY__ */

#endif /* _ASM_RISCV_PTRACE_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..bba3da6ef157 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -18,6 +18,7 @@
#ifndef _ASM_RISCV_SYSCALL_H
#define _ASM_RISCV_SYSCALL_H

+#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>

@@ -99,4 +100,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
}

+static inline int syscall_get_arch(void)
+{
+#ifdef CONFIG_64BIT
+ return AUDIT_ARCH_RISCV64;
+#else
+ return AUDIT_ARCH_RISCV32;
+#endif
+}
+
#endif /* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..1c9cc8389928 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,13 +80,19 @@ struct thread_info {
#define TIF_RESTORE_SIGMASK 4 /* restore signal mask in do_signal() */
#define TIF_MEMDIE 5 /* is terminating due to OOM killer */
#define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
+#define TIF_SYSCALL_AUDIT 7 /* syscall auditing */

#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)

#define _TIF_WORK_MASK \
(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING | _TIF_NEED_RESCHED)

+#define _TIF_SYSCALL_WORK \
+ (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_TRACEPOINT | _TIF_SYSCALL_AUDIT)
+
#endif /* _ASM_RISCV_THREAD_INFO_H */
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index fa2c08e3c05e..2a6c2e7aaff3 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
@@ -202,7 +202,7 @@ handle_syscall:
REG_S s2, PT_SEPC(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_enter
check_syscall_nr:
/* Check to make sure we don't jump to a bogus syscall number. */
@@ -222,7 +222,7 @@ ret_from_syscall:
REG_S a0, PT_A0(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_exit

ret_from_exception:
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..d0e037a96a7b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,8 @@ enum {
/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV32 (EM_RISCV|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
--
2.17.2
Paul Moore
2018-10-29 22:57:44 UTC
Permalink
On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov
Post by David Abdurachmanov
This patchset adds system call audit support on riscv (riscv32 &
riscv64).
The pachset was prepared on top of v4.19 tag.
https://github.com/linux-audit/audit-userspace/pull/73
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])
Failed 4/14 test programs. 19/88 subtests failed.
The failing tests were due to missing CONFIG_IP_NF_MANGLE, 'id -Z' not
printing categories (don't know why), not having loadable kernel module
support enablled and syscall_socketcall not being relevant for new arches.
https://github.com/davidlt/audit-testsuite/tree/riscv64
[PATCH 1/2] Move EM_RISCV into elf-em.h
http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html
This should solve DNF issues in Fedora 29/RISCV.
riscv: add audit support
riscv: audit: add audit hook in do_syscall_trace_enter/exit()
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
arch/riscv/kernel/ptrace.c | 5 +++++
include/uapi/linux/audit.h | 2 ++
7 files changed, 31 insertions(+), 2 deletions(-)
Thanks for the patches David, I'll be able to take a closer look next
week once the merge window is closed.
--
paul moore
www.paul-moore.com
Paul Moore
2018-11-06 20:06:01 UTC
Permalink
On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov
Post by David Abdurachmanov
This patchset adds system call audit support on riscv (riscv32 &
riscv64).
The pachset was prepared on top of v4.19 tag.
https://github.com/linux-audit/audit-userspace/pull/73
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])
Failed 4/14 test programs. 19/88 subtests failed.
I realize that the test suite failures are likely not due to your
code, but rather shortcomings in the test suite itself, but I think it
is important to resolve these problems before we commit the kernel
changes.

You mention Fedora 29/RISCV below, is that the distro you are using
for testing? Also, are you using a stock kernel config from the
distro or your own?
Post by David Abdurachmanov
The failing tests were due to missing CONFIG_IP_NF_MANGLE ...
Assuming a general purpose like Fedora, that seems like an odd
omission. Any chance you can rebuild your kernel with the mangle
table?
Post by David Abdurachmanov
... 'id -Z' not printing categories (don't know why) ...
Are you seeing the MLS/MCS sensitivity level, s0, or are you not
seeing any of the MLS/MCS fields?
Post by David Abdurachmanov
... not having loadable kernel module support enablled ...
Much like the netfilter config, any chance you can enable this in your kernel?
Post by David Abdurachmanov
... and syscall_socketcall not being relevant for new arches.
We will probably need to make that ABI dependent in the test suite.
Post by David Abdurachmanov
https://github.com/davidlt/audit-testsuite/tree/riscv64
[PATCH 1/2] Move EM_RISCV into elf-em.h
http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html
This should solve DNF issues in Fedora 29/RISCV.
--
paul moore
www.paul-moore.com
David Abdurachmanov
2018-11-06 21:25:20 UTC
Permalink
Post by Paul Moore
On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov
Post by David Abdurachmanov
This patchset adds system call audit support on riscv (riscv32 &
riscv64).
The pachset was prepared on top of v4.19 tag.
https://github.com/linux-audit/audit-userspace/pull/73
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])
Failed 4/14 test programs. 19/88 subtests failed.
I realize that the test suite failures are likely not due to your
code, but rather shortcomings in the test suite itself, but I think it
is important to resolve these problems before we commit the kernel
changes.
You mention Fedora 29/RISCV below, is that the distro you are using
for testing? Also, are you using a stock kernel config from the
distro or your own?
Post by David Abdurachmanov
The failing tests were due to missing CONFIG_IP_NF_MANGLE ...
Assuming a general purpose like Fedora, that seems like an odd
omission. Any chance you can rebuild your kernel with the mangle
table?
When we build Fedora, the kernel is not built in a standard way. It's only
build statically and contains minimal setup. We also don't do loadable
kernel modules, because there wasn't support for it months ago. It's
not tested yet by us.

I did rebuild with CONFIG_IP_NF_MANGLE, but I think, there was more
stuff missing. Have to look again.

I am experimenting on building kernel in normal Fedora way, but there
are some issues right now. It also takes 12-24 hours for a single attempt.
Post by Paul Moore
Post by David Abdurachmanov
... 'id -Z' not printing categories (don't know why) ...
Are you seeing the MLS/MCS sensitivity level, s0, or are you not
seeing any of the MLS/MCS fields?
I boot my VM "selinux=1 enforcing=0".

[***@fedora-riscv ~]# semanage login -l

Login Name SELinux User MLS/MCS Range Service

__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
[***@fedora-riscv ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0
Post by Paul Moore
Post by David Abdurachmanov
... not having loadable kernel module support enablled ...
Much like the netfilter config, any chance you can enable this in your kernel?
Experimenting, not sure if it works yet.
Post by Paul Moore
Post by David Abdurachmanov
... and syscall_socketcall not being relevant for new arches.
We will probably need to make that ABI dependent in the test suite.
Post by David Abdurachmanov
https://github.com/davidlt/audit-testsuite/tree/riscv64
[PATCH 1/2] Move EM_RISCV into elf-em.h
http://lists.infradead.org/pipermail/linux-riscv/2018-October/001885.html
This should solve DNF issues in Fedora 29/RISCV.
--
paul moore
www.paul-moore.com
David Abdurachmanov
2018-11-07 10:45:53 UTC
Permalink
On Tue, Nov 6, 2018 at 10:25 PM David Abdurachmanov
Post by Paul Moore
On Mon, Oct 29, 2018 at 6:49 AM David Abdurachmanov
Post by David Abdurachmanov
This patchset adds system call audit support on riscv (riscv32 &
riscv64).
The pachset was prepared on top of v4.19 tag.
https://github.com/linux-audit/audit-userspace/pull/73
- auditctl (checked several different example rules from internet)
- aulast
- aulastlog
- ausearch
- ausyscall
- aureport
- autrace (compared some syscalls to strace: order and return
value/input arguments seem to be correct)
- /proc/self/loginuid (required by DNF [package manager])
Failed 4/14 test programs. 19/88 subtests failed.
I realize that the test suite failures are likely not due to your
code, but rather shortcomings in the test suite itself, but I think it
is important to resolve these problems before we commit the kernel
changes.
I did some extra work this evening (well, after midnight) and I am passing
all bits I would expect to pass.

Test Summary Report
-------------------
syscall_socketcall/test (Wstat: 0 Tests: 3 Failed: 3)
Failed tests: 1-3
Files=14, Tests=88, 107 wallclock secs ( 1.07 usr 0.38 sys + 58.77
cusr 19.32 csys = 79.54 CPU)
Result: FAIL
Failed 1/14 test programs. 3/88 subtests failed.

The only failing test now is syscall_socketcall, which is not supported on
riscv and others.
On a some architectures-for example, x86-64 and ARM—there is no
socketcall() system call; instead socket(2), accept(2), bind(2), and
so on really are implemented as separate system calls.

Then I redone syscall_socketcall test to fit new 64-bit arches. It still
mostly checks the same thing, but uses different syscall. Instead of
socketcall(SYS_CONNECT, ..) we check for connect(..). This will not
generate SOCKETCALL record, thus instead check for SYSCALL
record where syscall=connect.

All is here: https://github.com/davidlt/audit-testsuite/commits/riscv64

With that:

Running as user root
with context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
on system Fedora

exec_execve/test ......... ok
exec_name/test ........... ok
file_create/test ......... ok
file_delete/test ......... ok
file_rename/test ......... ok
filter_exclude/test ...... ok
filter_sessionid/test .... ok
login_tty/test ........... ok
lost_reset/test .......... ok
netfilter_pkt/test ....... ok
syscalls_file/test ....... ok
syscall_module/test ...... ok
syscall_socketcall/test .. ok
user_msg/test ............ ok
All tests successful.
Files=14, Tests=88, 123 wallclock secs ( 1.26 usr 0.59 sys + 70.85
cusr 22.60 csys = 95.30 CPU)
Result: PASS

Same audit kernel patch and libaudit, nothing changed here.

Hopefully this allows to move forward as I would love to have
audit & seccomp in the next kernel version (and thus Fedora).

Thanks,
david
Palmer Dabbelt
2018-11-13 01:52:20 UTC
Permalink
Post by David Abdurachmanov
On RISC-V (riscv) audit is supported through generic lib/audit.c.
The patch adds required arch specific definitions.
---
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
include/uapi/linux/audit.h | 2 ++
6 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..8e6d404a4ed0 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
select GENERIC_STRNLEN_USER
select GENERIC_SMP_IDLE_THREAD
select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_MEMBLOCK
select HAVE_MEMBLOCK_NODE_MAP
select HAVE_DMA_CONTIGUOUS
diff --git a/arch/riscv/include/asm/ptrace.h b/arch/riscv/include/asm/ptrace.h
index 2c5df945d43c..62c5e9d35596 100644
--- a/arch/riscv/include/asm/ptrace.h
+++ b/arch/riscv/include/asm/ptrace.h
@@ -113,6 +113,11 @@ static inline void frame_pointer_set(struct pt_regs *regs,
SET_FP(regs, val);
}
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->a0;
+}
+
#endif /* __ASSEMBLY__ */
#endif /* _ASM_RISCV_PTRACE_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..bba3da6ef157 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -18,6 +18,7 @@
#ifndef _ASM_RISCV_SYSCALL_H
#define _ASM_RISCV_SYSCALL_H
+#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
@@ -99,4 +100,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
}
+static inline int syscall_get_arch(void)
+{
+#ifdef CONFIG_64BIT
+ return AUDIT_ARCH_RISCV64;
+#else
+ return AUDIT_ARCH_RISCV32;
+#endif
+}
+
#endif /* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..1c9cc8389928 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,13 +80,19 @@ struct thread_info {
#define TIF_RESTORE_SIGMASK 4 /* restore signal mask in do_signal() */
#define TIF_MEMDIE 5 /* is terminating due to OOM killer */
#define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
+#define TIF_SYSCALL_AUDIT 7 /* syscall auditing */
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_WORK_MASK \
(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING | _TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_WORK \
+ (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_TRACEPOINT | _TIF_SYSCALL_AUDIT)
+
#endif /* _ASM_RISCV_THREAD_INFO_H */
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index fa2c08e3c05e..2a6c2e7aaff3 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
REG_S s2, PT_SEPC(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_enter
/* Check to make sure we don't jump to a bogus syscall number. */
REG_S a0, PT_A0(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_exit
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..d0e037a96a7b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,8 @@ enum {
/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV32 (EM_RISCV|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
I can't seem to figure out how to dig the rest of the thread out of my inbox
(I'm in an airport), so I'm just replying here.

I've added this to next-audit, which will soon filter into for-next. I'm not
sure if this is 100% settled, but I can't find any issues with it so I think
it's best to get this out for testing.
Paul Moore
2018-11-13 23:34:18 UTC
Permalink
Post by Palmer Dabbelt
Post by David Abdurachmanov
On RISC-V (riscv) audit is supported through generic lib/audit.c.
The patch adds required arch specific definitions.
---
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
include/uapi/linux/audit.h | 2 ++
6 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..8e6d404a4ed0 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
select GENERIC_STRNLEN_USER
select GENERIC_SMP_IDLE_THREAD
select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_MEMBLOCK
select HAVE_MEMBLOCK_NODE_MAP
select HAVE_DMA_CONTIGUOUS
diff --git a/arch/riscv/include/asm/ptrace.h b/arch/riscv/include/asm/ptrace.h
index 2c5df945d43c..62c5e9d35596 100644
--- a/arch/riscv/include/asm/ptrace.h
+++ b/arch/riscv/include/asm/ptrace.h
@@ -113,6 +113,11 @@ static inline void frame_pointer_set(struct pt_regs *regs,
SET_FP(regs, val);
}
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->a0;
+}
+
#endif /* __ASSEMBLY__ */
#endif /* _ASM_RISCV_PTRACE_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..bba3da6ef157 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -18,6 +18,7 @@
#ifndef _ASM_RISCV_SYSCALL_H
#define _ASM_RISCV_SYSCALL_H
+#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
@@ -99,4 +100,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
}
+static inline int syscall_get_arch(void)
+{
+#ifdef CONFIG_64BIT
+ return AUDIT_ARCH_RISCV64;
+#else
+ return AUDIT_ARCH_RISCV32;
+#endif
+}
+
#endif /* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..1c9cc8389928 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,13 +80,19 @@ struct thread_info {
#define TIF_RESTORE_SIGMASK 4 /* restore signal mask in do_signal() */
#define TIF_MEMDIE 5 /* is terminating due to OOM killer */
#define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
+#define TIF_SYSCALL_AUDIT 7 /* syscall auditing */
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_WORK_MASK \
(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING | _TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_WORK \
+ (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_TRACEPOINT | _TIF_SYSCALL_AUDIT)
+
#endif /* _ASM_RISCV_THREAD_INFO_H */
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index fa2c08e3c05e..2a6c2e7aaff3 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
REG_S s2, PT_SEPC(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_enter
/* Check to make sure we don't jump to a bogus syscall number. */
REG_S a0, PT_A0(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_exit
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..d0e037a96a7b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,8 @@ enum {
/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV32 (EM_RISCV|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
I can't seem to figure out how to dig the rest of the thread out of my inbox
(I'm in an airport), so I'm just replying here.
I've added this to next-audit, which will soon filter into for-next. I'm not
sure if this is 100% settled, but I can't find any issues with it so I think
it's best to get this out for testing.
If you RISCV guys are happy, and it is passing the audit-testsuite
(which I believe it is based on some brief discussions with David on
Freenode), then I think it is okay from my point of view.
--
paul moore
www.paul-moore.com
Palmer Dabbelt
2018-11-14 23:40:42 UTC
Permalink
Post by Paul Moore
Post by Palmer Dabbelt
Post by David Abdurachmanov
On RISC-V (riscv) audit is supported through generic lib/audit.c.
The patch adds required arch specific definitions.
---
arch/riscv/Kconfig | 1 +
arch/riscv/include/asm/ptrace.h | 5 +++++
arch/riscv/include/asm/syscall.h | 10 ++++++++++
arch/riscv/include/asm/thread_info.h | 6 ++++++
arch/riscv/kernel/entry.S | 4 ++--
include/uapi/linux/audit.h | 2 ++
6 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index a344980287a5..8e6d404a4ed0 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -28,6 +28,7 @@ config RISCV
select GENERIC_STRNLEN_USER
select GENERIC_SMP_IDLE_THREAD
select GENERIC_ATOMIC64 if !64BIT || !RISCV_ISA_A
+ select HAVE_ARCH_AUDITSYSCALL
select HAVE_MEMBLOCK
select HAVE_MEMBLOCK_NODE_MAP
select HAVE_DMA_CONTIGUOUS
diff --git a/arch/riscv/include/asm/ptrace.h b/arch/riscv/include/asm/ptrace.h
index 2c5df945d43c..62c5e9d35596 100644
--- a/arch/riscv/include/asm/ptrace.h
+++ b/arch/riscv/include/asm/ptrace.h
@@ -113,6 +113,11 @@ static inline void frame_pointer_set(struct pt_regs *regs,
SET_FP(regs, val);
}
+static inline unsigned long regs_return_value(struct pt_regs *regs)
+{
+ return regs->a0;
+}
+
#endif /* __ASSEMBLY__ */
#endif /* _ASM_RISCV_PTRACE_H */
diff --git a/arch/riscv/include/asm/syscall.h b/arch/riscv/include/asm/syscall.h
index 8d25f8904c00..bba3da6ef157 100644
--- a/arch/riscv/include/asm/syscall.h
+++ b/arch/riscv/include/asm/syscall.h
@@ -18,6 +18,7 @@
#ifndef _ASM_RISCV_SYSCALL_H
#define _ASM_RISCV_SYSCALL_H
+#include <uapi/linux/audit.h>
#include <linux/sched.h>
#include <linux/err.h>
@@ -99,4 +100,13 @@ static inline void syscall_set_arguments(struct task_struct *task,
memcpy(&regs->a1 + i * sizeof(regs->a1), args, n * sizeof(regs->a0));
}
+static inline int syscall_get_arch(void)
+{
+#ifdef CONFIG_64BIT
+ return AUDIT_ARCH_RISCV64;
+#else
+ return AUDIT_ARCH_RISCV32;
+#endif
+}
+
#endif /* _ASM_RISCV_SYSCALL_H */
diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h
index f8fa1cd2dad9..1c9cc8389928 100644
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -80,13 +80,19 @@ struct thread_info {
#define TIF_RESTORE_SIGMASK 4 /* restore signal mask in do_signal() */
#define TIF_MEMDIE 5 /* is terminating due to OOM killer */
#define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
+#define TIF_SYSCALL_AUDIT 7 /* syscall auditing */
#define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
+#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_WORK_MASK \
(_TIF_NOTIFY_RESUME | _TIF_SIGPENDING | _TIF_NEED_RESCHED)
+#define _TIF_SYSCALL_WORK \
+ (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_TRACEPOINT | _TIF_SYSCALL_AUDIT)
+
#endif /* _ASM_RISCV_THREAD_INFO_H */
diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
index fa2c08e3c05e..2a6c2e7aaff3 100644
--- a/arch/riscv/kernel/entry.S
+++ b/arch/riscv/kernel/entry.S
REG_S s2, PT_SEPC(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_enter
/* Check to make sure we don't jump to a bogus syscall number. */
REG_S a0, PT_A0(sp)
/* Trace syscalls, but only if requested by the user. */
REG_L t0, TASK_TI_FLAGS(tp)
- andi t0, t0, _TIF_SYSCALL_TRACE
+ andi t0, t0, _TIF_SYSCALL_WORK
bnez t0, handle_syscall_trace_exit
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 818ae690ab79..d0e037a96a7b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -399,6 +399,8 @@ enum {
/* do not define AUDIT_ARCH_PPCLE since it is not supported by audit */
#define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV32 (EM_RISCV|__AUDIT_ARCH_LE)
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#define AUDIT_ARCH_S390 (EM_S390)
#define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
#define AUDIT_ARCH_SH (EM_SH)
I can't seem to figure out how to dig the rest of the thread out of my inbox
(I'm in an airport), so I'm just replying here.
I've added this to next-audit, which will soon filter into for-next. I'm not
sure if this is 100% settled, but I can't find any issues with it so I think
it's best to get this out for testing.
If you RISCV guys are happy, and it is passing the audit-testsuite
(which I believe it is based on some brief discussions with David on
Freenode), then I think it is okay from my point of view.
I haven't run the test suite personally, but I trust that David has done so if
he said so (I remember having seen him say he did as well).

Thanks!

Loading...