Linux Kernel Architecture


Chapter 19: Auditing


System Call Events


The audit subsystem is involved when a system call is entered and when a system call has
finished: audit_syscall_entry is called in the first case, and audit_syscall_exit in the second.
To make this possible, support from the low-level, architecture-specific interrupt processing
code is required. This support is integrated into do_syscall_trace, which the low-level entry
code calls once when a system call is entered and once more when the call has completed.^6
Because do_syscall_trace is only reached when one of the tracing flags (among them
TIF_SYSCALL_AUDIT) is set in the task's thread_info, tasks that are not audited pay nothing
on the fast path. For the IA-32 architecture, the implementation is done as follows:

arch/x86/kernel/ptrace_32.c
__attribute__((regparm(3)))
int do_syscall_trace(struct pt_regs *regs, int entryexit)
{
        ...
        /* entryexit == 0: system call entry. orig_eax holds the syscall
         * number, ebx..esi the first four arguments. */
        if (unlikely(current->audit_context) && !entryexit)
                audit_syscall_entry(current, AUDIT_ARCH_I386, regs->orig_eax,
                                    regs->ebx, regs->ecx, regs->edx, regs->esi);
        ...
        /* entryexit != 0: system call exit. eax holds the return value, and
         * AUDITSC_RESULT classifies it as success or failure (negative errno). */
        if (unlikely(current->audit_context) && entryexit)
                audit_syscall_exit(current, AUDITSC_RESULT(regs->eax),
                                   regs->eax);
        ...
}

The code flow diagram for audit_syscall_entry is presented in Figure 19-8.

Figure 19-8: Code flow diagram for audit_syscall_entry.
(audit_syscall_entry: build data structure for nested syscalls -> save syscall data in
context -> filtering necessary? -> audit_filter_syscall)

If the system call is entered while a previously audited system call of the same task has not yet
completed, the ability to link multiple audit contexts is used: a new audit context is allocated, its
previous pointer is set to the context that is still active, and the freshly allocated context is
installed as the task's current audit context. When the nested call exits, the chain is unwound
again and the outer context becomes current once more.

The system call number, the arguments passed to the system call (denoted by a1...a4), and the
system architecture (such as AUDIT_ARCH_I386 for IA-32, or the constants for other architectures
defined in <audit.h>) are stored in the audit context as follows. Note that only the first four
arguments are recorded; a system call's fifth and sixth arguments are not captured by the audit
subsystem.

kernel/auditsc.c
void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
                         unsigned long a1, unsigned long a2,
                         unsigned long a3, unsigned long a4)
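As an added example (not code from the book or from the kernel source), the following user-space C model shows what the entry and exit hooks described above do with the audit context, including the nesting step from Figure 19-8: a second entry before the first exit chains a fresh context in front of the active one via its previous pointer, and the matching exit pops and frees it. The struct layout, struct task_struct, audit_alloc_context and audit_depth are simplified assumptions made here; the AUDITSC_* values, the AUDITSC_RESULT macro and AUDIT_ARCH_I386 follow <linux/audit.h>.

```c
/* Added example: user-space model of audit_syscall_entry/exit bookkeeping.
 * Not kernel code. struct task_struct, audit_alloc_context and audit_depth
 * are assumptions; AUDITSC_* and AUDIT_ARCH_I386 follow <linux/audit.h>. */
#include <stdio.h>
#include <stdlib.h>

#define AUDIT_ARCH_I386 0x40000003u   /* EM_386 | __AUDIT_ARCH_LE */

#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
#define AUDITSC_FAILURE 2
/* A negative return value (an -errno) marks the call as failed. */
#define AUDITSC_RESULT(x) (((long)(x)) < 0 ? AUDITSC_FAILURE : AUDITSC_SUCCESS)

struct audit_context {
        int in_syscall;                 /* set between entry and exit */
        unsigned int arch;              /* AUDIT_ARCH_* of the calling task */
        int major;                      /* system call number */
        unsigned long argv[4];          /* a1..a4: only four arguments are kept */
        int return_valid;               /* AUDITSC_* verdict on the return code */
        long return_code;
        struct audit_context *previous; /* outer context of a nested call, or NULL */
};

/* Assumed stand-in for the task's audit_context member. */
struct task_struct {
        struct audit_context *audit_context;
};

struct audit_context *audit_alloc_context(void)
{
        return calloc(1, sizeof(struct audit_context));
}

/* Record the call in the task's context; open a nested context if needed. */
void audit_syscall_entry(struct task_struct *tsk, int arch, int major,
                         unsigned long a1, unsigned long a2,
                         unsigned long a3, unsigned long a4)
{
        struct audit_context *context = tsk->audit_context;

        if (!context)           /* task is not audited: nothing to do */
                return;

        if (context->in_syscall) {
                /* Entry while another audited call is still open:
                 * chain a fresh context in front of the active one. */
                struct audit_context *newctx = audit_alloc_context();
                if (newctx) {
                        newctx->previous = context;
                        context = newctx;
                        tsk->audit_context = newctx;
                }
        }

        context->arch = arch;
        context->major = major;
        context->argv[0] = a1;
        context->argv[1] = a2;
        context->argv[2] = a3;
        context->argv[3] = a4;
        context->return_valid = AUDITSC_INVALID;
        context->in_syscall = 1;
}

/* Store the result; a nested context is popped and freed on the way out. */
void audit_syscall_exit(struct task_struct *tsk, int valid, long return_code)
{
        struct audit_context *context = tsk->audit_context;

        if (!context || !context->in_syscall)
                return;

        context->return_valid = valid;
        context->return_code = return_code;
        /* Here the kernel would emit the SYSCALL record if the context's
         * state asks for it. */
        context->in_syscall = 0;

        if (context->previous) {
                struct audit_context *outer = context->previous;
                context->previous = NULL;
                free(context);
                tsk->audit_context = outer;
        }
}

/* Length of the context chain: 1 for a plain call, 2 for one level of nesting. */
int audit_depth(const struct task_struct *tsk)
{
        int depth = 0;
        const struct audit_context *c;
        for (c = tsk->audit_context; c; c = c->previous)
                depth++;
        return depth;
}

int main(void)
{
        struct task_struct task = { audit_alloc_context() };

        audit_syscall_entry(&task, AUDIT_ARCH_I386, 5, 0xbfff0000UL, 0, 0644, 0);
        audit_syscall_entry(&task, AUDIT_ARCH_I386, 11, 0xbfff1000UL, 0, 0, 0);
        printf("depth after nested entry: %d\n", audit_depth(&task));
        audit_syscall_exit(&task, AUDITSC_RESULT(-2), -2);   /* inner: -ENOENT */
        audit_syscall_exit(&task, AUDITSC_RESULT(3), 3);     /* outer: fd 3 */
        printf("outer call %d returned %ld (valid=%d)\n", task.audit_context->major,
               task.audit_context->return_code, task.audit_context->return_valid);
        free(task.audit_context);
        return 0;
}
```

The sample syscall numbers and argument values in main are constructed; they stand for an outer call that sees a second entry before its own exit. The model keeps the kernel's rule that a context is only pushed when in_syscall is already set, so an unaudited task (audit_context == NULL) costs nothing at either hook.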

^6 Additionally, the flag TIF_SYSCALL_AUDIT needs to be set for this. It is enabled in audit_alloc if the audit filter
determines that system call auditing needs to be activated for a task.
