32-bit socketcalls were not being logged by audit on x86_64 systems. Log them. This is basically a duplicate of the call from net/socket.c:sys_socketcall(), but it addresses the impedance mismatch between 32-bit userspace process and 64-bit kernel audit.
See: https://github.com/linux-audit/audit-kernel/issues/14 Signed-off-by: Richard Guy Briggs <r...@redhat.com> -- v2: Move work to audit_socketcall_compat() and use audit_dummy_context(). --- include/linux/audit.h | 16 ++++++++++++++++ net/compat.c | 15 +++++++++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d4443f..43d8003 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -387,6 +387,18 @@ static inline int audit_socketcall(int nargs, unsigned long *args) return __audit_socketcall(nargs, args); return 0; } +static inline int audit_socketcall_compat(int nargs, u32 *args) +{ + if (unlikely(!audit_dummy_context())) { + int i; + unsigned long a[AUDITSC_ARGS]; + + for (i=0; i<nargs; i++) + a[i] = (unsigned long)args[i]; + return __audit_socketcall(nargs, a); + } + return 0; +} static inline int audit_sockaddr(int len, void *addr) { if (unlikely(!audit_dummy_context())) @@ -513,6 +525,10 @@ static inline int audit_socketcall(int nargs, unsigned long *args) { return 0; } +static inline int audit_socketcall_compat(int nargs, u32 *args) +{ + return 0; +} static inline void audit_fd_pair(int fd1, int fd2) { } static inline int audit_sockaddr(int len, void *addr) diff --git a/net/compat.c b/net/compat.c index 1cd2ec0..f0404d4 100644 --- a/net/compat.c +++ b/net/compat.c @@ -22,6 +22,7 @@ #include <linux/filter.h> #include <linux/compat.h> #include <linux/security.h> +#include <linux/audit.h> #include <linux/export.h> #include <net/scm.h> @@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, struct compat_mmsghdr __user *, mmsg, COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) { + unsigned int len; int ret; - u32 a[6]; + u32 a[AUDITSC_ARGS]; u32 a0, a1; if (call < SYS_SOCKET || call > SYS_SENDMMSG) return -EINVAL; - if (copy_from_user(a, args, nas[call])) + len = nas[call]; + if (len > sizeof(a)) + return -EINVAL; + + if (copy_from_user(a, args, len)) return -EFAULT; + + ret = audit_socketcall_compat(len/sizeof(a[0]), a); + if (ret) + return ret; + a0 = a[0]; a1 = a[1]; -- 1.7.1