
[AUDIT] Log correct syscall args for i386 processes on x86_64

The i386 syscall ABI uses different registers. Log those instead of the
x86_64 ones.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

+13 -7
+13 -7
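--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -630,8 +630,6 @@
 	}
 }
 
-#define audit_arch() (test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
-
 asmlinkage void syscall_trace_enter(struct pt_regs *regs)
 {
 	/* do the secure computing check first */
@@ -639,11 +641,19 @@
 	    && (current->ptrace & PT_PTRACED))
 		syscall_trace(regs);
 
-	if (unlikely(current->audit_context))
-		audit_syscall_entry(current, audit_arch(), regs->orig_rax,
-				    regs->rdi, regs->rsi,
-				    regs->rdx, regs->r10);
-
+	if (unlikely(current->audit_context)) {
+		if (test_thread_flag(TIF_IA32)) {
+			audit_syscall_entry(current, AUDIT_ARCH_I386,
+					    regs->orig_rax,
+					    regs->rbx, regs->rcx,
+					    regs->rdx, regs->rsi);
+		} else {
+			audit_syscall_entry(current, AUDIT_ARCH_X86_64,
+					    regs->orig_rax,
+					    regs->rdi, regs->rsi,
+					    regs->rdx, regs->r10);
+		}
+	}
 }
 
 asmlinkage void syscall_trace_leave(struct pt_regs *regs)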
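Review bot: The new branch in `syscall_trace_enter` picks the arch tag and the argument registers from `test_thread_flag(TIF_IA32)`, which describes the task rather than the entry path this particular syscall came through. If a task can ever enter through the other ABI's path (that entry code is not visible here), the audit record would carry the wrong arch, syscall-number meaning and arguments, and audit rules that filter on arch or argument values would not match it. At minimum the assumption should be written down above the inner `if`, for example `/* TIF_IA32 is per-task: assumes the task only uses its own ABI's entry path; i386 args are ebx, ecx, edx, esi */`. It is also worth confirming that the upper halves of `regs->rbx` and the other three registers are known to be zero for an i386 caller, since the full 64-bit values are logged. Part of the function body between the two hunks is not shown.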