[AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls.
We were calling ptrace_notify() after auditing the syscall and arguments,
but the debugger could have _changed_ them before the syscall was actually
invoked. Reorder the calls to fix that.
While we're touching ever call to audit_syscall_entry(), we also make it
take an extra argument: the architecture of the syscall which was made,
because some architectures allow more than one type of syscall.
Also add an explicit success/failure flag to audit_syscall_exit(), for
the benefit of architectures which return that in a condition register
rather than only returning a single register.
Change type of syscall return value to 'long' not 'int'.
Signed-off-by: 
David Woodhouse <dwmw2@infradead.org>
Showing
- arch/i386/kernel/ptrace.c 9 additions, 10 deletionsarch/i386/kernel/ptrace.c
- arch/ia64/kernel/ptrace.c 13 additions, 8 deletionsarch/ia64/kernel/ptrace.c
- arch/mips/kernel/ptrace.c 28 additions, 10 deletionsarch/mips/kernel/ptrace.c
- arch/ppc64/kernel/ptrace.c 10 additions, 5 deletionsarch/ppc64/kernel/ptrace.c
- arch/s390/kernel/ptrace.c 11 additions, 10 deletionsarch/s390/kernel/ptrace.c
- arch/x86_64/kernel/ptrace.c 8 additions, 5 deletionsarch/x86_64/kernel/ptrace.c
- include/linux/audit.h 44 additions, 4 deletionsinclude/linux/audit.h
- kernel/auditsc.c 16 additions, 6 deletionskernel/auditsc.c
Loading
Please register or sign in to comment