From: Martin Schwidefsky This patch adds the TIF_SYSCALL_AUDIT option to the s390 ptrace interface. --- 25-akpm/arch/s390/kernel/entry.S | 16 ++++++++++++---- 25-akpm/arch/s390/kernel/entry64.S | 16 ++++++++++++---- 25-akpm/arch/s390/kernel/ptrace.c | 10 +++++++++- 25-akpm/include/asm-s390/thread_info.h | 2 ++ 4 files changed, 35 insertions(+), 9 deletions(-) diff -puN arch/s390/kernel/entry64.S~light-weight-auditing-framework-for-s390 arch/s390/kernel/entry64.S --- 25/arch/s390/kernel/entry64.S~light-weight-auditing-framework-for-s390 2004-04-14 18:37:52.715000360 -0700 +++ 25-akpm/arch/s390/kernel/entry64.S 2004-04-14 18:37:52.722999144 -0700 @@ -227,7 +227,7 @@ sysc_do_restart: larl %r10,sys_call_table_emu # use 31 bit emulation system calls sysc_noemu: #endif - tm __TI_flags+7(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) lgf %r8,0(%r7,%r10) # load address of system call routine jo sysc_tracesys basr %r14,%r8 # call sys_xxxx @@ -299,6 +299,8 @@ __critical_end: # special linkage: %r12 contains the return address for trace_svc # sysc_tracesys: + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,0 srl %r7,2 stg %r7,SP_R2(%r15) brasl %r14,syscall_trace @@ -314,8 +316,10 @@ sysc_tracego: basr %r14,%r8 # call sys_xxx stg %r2,SP_R2(%r15) # store return value sysc_tracenogo: - tm __TI_flags+7(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) jno sysc_return + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,1 larl %r14,sysc_return # return point is sysc_return jg syscall_trace @@ -541,7 +545,7 @@ pgm_svcstd: larl %r10,sys_call_table_emu # use 31 bit emulation system calls pgm_svcper_noemu: #endif - tm __TI_flags+7(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) lgf %r8,0(%r7,%r10) # load address of system call routine jo pgm_tracesys basr %r14,%r8 # call sys_xxxx @@ -566,6 +570,8 @@ pgm_svcper_nosig: # call trace before and after sys_call # pgm_tracesys: + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,0 srlg %r7,%r7,2 stg %r7,SP_R2(%r15) brasl %r14,syscall_trace @@ -581,8 +587,10 @@ pgm_svc_go: basr %r14,%r8 # call sys_xxx stg %r2,SP_R2(%r15) # store return value pgm_svc_nogo: - tm __TI_flags+7(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) jno pgm_svcret + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,1 larl %r14,pgm_svcret # return point is sysc_return jg syscall_trace diff -puN arch/s390/kernel/entry.S~light-weight-auditing-framework-for-s390 arch/s390/kernel/entry.S --- 25/arch/s390/kernel/entry.S~light-weight-auditing-framework-for-s390 2004-04-14 18:37:52.717000056 -0700 +++ 25-akpm/arch/s390/kernel/entry.S 2004-04-14 18:37:52.723998992 -0700 @@ -235,7 +235,7 @@ sysc_enter: lr %r7,%r1 # copy svc number to %r7 sla %r7,2 # *4 sysc_do_restart: - tm __TI_flags+3(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) l %r8,sys_call_table-system_call(%r7,%r13) # get system call addr. bo BASED(sysc_tracesys) basr %r14,%r8 # call sys_xxxx @@ -309,6 +309,8 @@ __critical_end: # sysc_tracesys: l %r1,BASED(.Ltrace) + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,0 srl %r7,2 st %r7,SP_R2(%r15) basr %r14,%r1 @@ -323,9 +325,11 @@ sysc_tracego: basr %r14,%r8 # call sys_xxx st %r2,SP_R2(%r15) # store return value sysc_tracenogo: - tm __TI_flags+3(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) bno BASED(sysc_return) l %r1,BASED(.Ltrace) + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,1 la %r14,BASED(sysc_return) br %r1 @@ -502,7 +506,7 @@ pgm_svcper: lr %r7,%r1 # copy svc number to %r7 sla %r7,2 # *4 pgm_svcstd: - tm __TI_flags+3(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) l %r8,sys_call_table-system_call(%r7,%r13) # get system call addr. bo BASED(pgm_tracesys) basr %r14,%r8 # call sys_xxxx @@ -529,6 +533,8 @@ pgm_svcper_nosig: # pgm_tracesys: l %r1,BASED(.Ltrace) + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,0 srl %r7,2 st %r7,SP_R2(%r15) basr %r14,%r1 @@ -543,9 +549,11 @@ pgm_svc_go: basr %r14,%r8 # call sys_xxx st %r2,SP_R2(%r15) # store return value pgm_svc_nogo: - tm __TI_flags+3(%r9),_TIF_SYSCALL_TRACE + tm __TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT) bno BASED(pgm_svcret) l %r1,BASED(.Ltrace) + la %r2,SP_PTREGS(%r15) # load pt_regs + la %r3,1 la %r14,BASED(pgm_svcret) br %r1 diff -puN arch/s390/kernel/ptrace.c~light-weight-auditing-framework-for-s390 arch/s390/kernel/ptrace.c --- 25/arch/s390/kernel/ptrace.c~light-weight-auditing-framework-for-s390 2004-04-14 18:37:52.717999904 -0700 +++ 25-akpm/arch/s390/kernel/ptrace.c 2004-04-14 18:37:52.724998840 -0700 @@ -690,8 +690,16 @@ out: } asmlinkage void -syscall_trace(void) +syscall_trace(struct pt_regs *regs, int entryexit) { + if (unlikely(current->audit_context)) { + if (!entryexit) + audit_syscall_entry(current, regs->gprs[2], + regs->orig_gpr2, regs->gprs[3], + regs->gprs[4], regs->gprs[5]); + else + audit_syscall_exit(current, regs->gprs[2]); + } if (!test_thread_flag(TIF_SYSCALL_TRACE)) return; if (!(current->ptrace & PT_PTRACED)) diff -puN include/asm-s390/thread_info.h~light-weight-auditing-framework-for-s390 include/asm-s390/thread_info.h --- 25/include/asm-s390/thread_info.h~light-weight-auditing-framework-for-s390 2004-04-14 18:37:52.719999600 -0700 +++ 25-akpm/include/asm-s390/thread_info.h 2004-04-14 18:37:52.725998688 -0700 @@ -84,6 +84,7 @@ static inline struct thread_info *curren #define TIF_SIGPENDING 2 /* signal pending */ #define TIF_NEED_RESCHED 3 /* rescheduling necessary */ #define TIF_RESTART_SVC 4 /* restart svc with new svc number */ +#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */ #define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */ #define TIF_POLLING_NRFLAG 17 /* true if poll_idle() is polling TIF_NEED_RESCHED */ @@ -94,6 +95,7 @@ static inline struct thread_info *curren #define _TIF_SIGPENDING (1<