[PATCH] light-weight auditing framework for s390.

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

This patch adds the TIF_SYSCALL_AUDIT option to the s390 ptrace interface.

arch/s390/kernel/entry.S

@@ -235,7 +235,7 @@ sysc_enter:
 	lr	%r7,%r1           # copy svc number to %r7
 	sla	%r7,2             # *4
 sysc_do_restart:
-	tm	__TI_flags+3(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         l       %r8,sys_call_table-system_call(%r7,%r13) # get system call addr.
         bo      BASED(sysc_tracesys)
         basr    %r14,%r8          # call sys_xxxx
@@ -309,6 +309,8 @@ __critical_end:
 #
 sysc_tracesys:
         l       %r1,BASED(.Ltrace)
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,0
 	srl	%r7,2
 	st	%r7,SP_R2(%r15)
 	basr	%r14,%r1
@@ -323,9 +325,11 @@ sysc_tracego:
 	basr	%r14,%r8          # call sys_xxx
 	st	%r2,SP_R2(%r15)   # store return value
 sysc_tracenogo:
-	tm	__TI_flags+3(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         bno     BASED(sysc_return)
 	l	%r1,BASED(.Ltrace)
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,1
 	la	%r14,BASED(sysc_return)
 	br	%r1
 
@@ -502,7 +506,7 @@ pgm_svcper:
 	lr	%r7,%r1           # copy svc number to %r7
 	sla	%r7,2             # *4
 pgm_svcstd:
-	tm	__TI_flags+3(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         l       %r8,sys_call_table-system_call(%r7,%r13) # get system call addr.
         bo      BASED(pgm_tracesys)
         basr    %r14,%r8          # call sys_xxxx
@@ -529,6 +533,8 @@ pgm_svcper_nosig:
 #
 pgm_tracesys:
         l       %r1,BASED(.Ltrace)
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,0
 	srl	%r7,2
 	st	%r7,SP_R2(%r15)
         basr    %r14,%r1
@@ -543,9 +549,11 @@ pgm_svc_go:
         basr    %r14,%r8          # call sys_xxx
         st      %r2,SP_R2(%r15)   # store return value
 pgm_svc_nogo:
-	tm	__TI_flags+3(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+3(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         bno     BASED(pgm_svcret)
         l       %r1,BASED(.Ltrace)
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,1
 	la	%r14,BASED(pgm_svcret)
         br      %r1
 

arch/s390/kernel/entry64.S

@@ -227,7 +227,7 @@ sysc_do_restart:
 	larl    %r10,sys_call_table_emu  # use 31 bit emulation system calls
 sysc_noemu:
 #endif
-	tm	__TI_flags+7(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         lgf     %r8,0(%r7,%r10)   # load address of system call routine
         jo      sysc_tracesys
         basr    %r14,%r8          # call sys_xxxx
@@ -299,6 +299,8 @@ __critical_end:
 # special linkage: %r12 contains the return address for trace_svc
 #
 sysc_tracesys:
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,0
 	srl	%r7,2
 	stg     %r7,SP_R2(%r15)
         brasl   %r14,syscall_trace
@@ -314,8 +316,10 @@ sysc_tracego:
         basr    %r14,%r8            # call sys_xxx
         stg     %r2,SP_R2(%r15)     # store return value
 sysc_tracenogo:
-	tm	__TI_flags+7(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         jno     sysc_return
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,1
 	larl	%r14,sysc_return    # return point is sysc_return
 	jg	syscall_trace
 
@@ -541,7 +545,7 @@ pgm_svcstd:
 	larl    %r10,sys_call_table_emu # use 31 bit emulation system calls
 pgm_svcper_noemu:
 #endif
-	tm	__TI_flags+7(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         lgf     %r8,0(%r7,%r10)   # load address of system call routine
         jo      pgm_tracesys
         basr    %r14,%r8          # call sys_xxxx
@@ -566,6 +570,8 @@ pgm_svcper_nosig:
 # call trace before and after sys_call
 #
 pgm_tracesys:
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,0
 	srlg	%r7,%r7,2
 	stg	%r7,SP_R2(%r15)
         brasl   %r14,syscall_trace
@@ -581,8 +587,10 @@ pgm_svc_go:
         basr    %r14,%r8            # call sys_xxx
         stg     %r2,SP_R2(%r15)     # store return value
 pgm_svc_nogo:
-	tm	__TI_flags+7(%r9),_TIF_SYSCALL_TRACE
+	tm	__TI_flags+7(%r9),(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT)
         jno     pgm_svcret
+	la	%r2,SP_PTREGS(%r15)    # load pt_regs
+	la	%r3,1
 	larl	%r14,pgm_svcret     # return point is sysc_return
 	jg	syscall_trace
 

arch/s390/kernel/ptrace.c

@@ -690,8 +690,16 @@ sys_ptrace(long request, long pid, long addr, long data)
 }
 
 asmlinkage void
-syscall_trace(void)
+syscall_trace(struct pt_regs *regs, int entryexit)
 {
+	if (unlikely(current->audit_context)) {
+		if (!entryexit)
+			audit_syscall_entry(current, regs->gprs[2],
+					    regs->orig_gpr2, regs->gprs[3],
+					    regs->gprs[4], regs->gprs[5]);
+		else
+			audit_syscall_exit(current, regs->gprs[2]);
+	}
 	if (!test_thread_flag(TIF_SYSCALL_TRACE))
 		return;
 	if (!(current->ptrace & PT_PTRACED))

include/asm-s390/thread_info.h

@@ -84,6 +84,7 @@ static inline struct thread_info *current_thread_info(void)
 #define TIF_SIGPENDING		2	/* signal pending */
 #define TIF_NEED_RESCHED	3	/* rescheduling necessary */
 #define TIF_RESTART_SVC		4	/* restart svc with new svc number */
+#define TIF_SYSCALL_AUDIT	5	/* syscall auditing active */
 #define TIF_USEDFPU		16	/* FPU was used by this task this quantum (SMP) */
 #define TIF_POLLING_NRFLAG	17	/* true if poll_idle() is polling 
 					   TIF_NEED_RESCHED */
@@ -94,6 +95,7 @@ static inline struct thread_info *current_thread_info(void)
 #define _TIF_SIGPENDING		(1<<TIF_SIGPENDING)
 #define _TIF_NEED_RESCHED	(1<<TIF_NEED_RESCHED)
 #define _TIF_RESTART_SVC	(1<<TIF_RESTART_SVC)
+#define _TIF_SYSCALL_AUDIT	(1<<TIF_SYSCALL_AUDIT)
 #define _TIF_USEDFPU		(1<<TIF_USEDFPU)
 #define _TIF_POLLING_NRFLAG	(1<<TIF_POLLING_NRFLAG)
 #define _TIF_31BIT		(1<<TIF_31BIT)