• 's avatar
    [AUDIT] Don't allow ptrace to fool auditing, log arch of audited syscalls. · 2fd6f58b
    authored
    We were calling ptrace_notify() after auditing the syscall and arguments,
    but the debugger could have _changed_ them before the syscall was actually
    invoked. Reorder the calls to fix that.
    
    While we're touching ever call to audit_syscall_entry(), we also make it
    take an extra argument: the architecture of the syscall which was made,
    because some architectures allow more than one type of syscall.
    
    Also add an explicit success/failure flag to audit_syscall_exit(), for
    the benefit of architectures which return that in a condition register
    rather than only returning a single register.
    
    Change type of syscall return value to 'long' not 'int'.
    Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
    2fd6f58b
ptrace.c 7.66 KB