Commit 84db564a authored by Richard Guy Briggs's avatar Richard Guy Briggs Committed by Eric Paris

audit: add arch field to seccomp event log

The AUDIT_SECCOMP record looks something like this:

type=SECCOMP msg=audit(1373478171.953:32775): auid=4325 uid=4325 gid=4325 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0 pid=12381 comm="test" sig=31 syscall=231 compat=0 ip=0x39ea8bca89 code=0x0

In order to determine what syscall 231 maps to, we need to have the arch= field right before it.

To see the event, compile this test.c program:

=====
int main(void)
{
        return seccomp_load(seccomp_init(SCMP_ACT_KILL));
}
=====

gcc -g test.c -o test -lseccomp

After running the program, find the record by:  ausearch --start recent -m SECCOMP -i
Signed-off-by: default avatarRichard Guy Briggs <rgb@redhat.com>
signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 4a99854c
...@@ -67,6 +67,7 @@ ...@@ -67,6 +67,7 @@
#include <linux/binfmts.h> #include <linux/binfmts.h>
#include <linux/highmem.h> #include <linux/highmem.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <asm/syscall.h>
#include <linux/capability.h> #include <linux/capability.h>
#include <linux/fs_struct.h> #include <linux/fs_struct.h>
#include <linux/compat.h> #include <linux/compat.h>
...@@ -2488,11 +2489,9 @@ void __audit_seccomp(unsigned long syscall, long signr, int code) ...@@ -2488,11 +2489,9 @@ void __audit_seccomp(unsigned long syscall, long signr, int code)
if (unlikely(!ab)) if (unlikely(!ab))
return; return;
audit_log_task(ab); audit_log_task(ab);
audit_log_format(ab, " sig=%ld", signr); audit_log_format(ab, " sig=%ld arch=%x syscall=%ld compat=%d ip=0x%lx code=0x%x",
audit_log_format(ab, " syscall=%ld", syscall); signr, syscall_get_arch(), syscall, is_compat_task(),
audit_log_format(ab, " compat=%d", is_compat_task()); KSTK_EIP(current), code);
audit_log_format(ab, " ip=0x%lx", KSTK_EIP(current));
audit_log_format(ab, " code=0x%x", code);
audit_log_end(ab); audit_log_end(ab);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment