[AUDIT] Log correct syscall args for i386 processes on x86_64
The i386 syscall ABI uses different registers. Log those instead of the x86_64 ones. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
parent
0dd8e06bda
commit
488f2eaca1
1 changed files with 13 additions and 7 deletions
|
@ -630,8 +630,6 @@ static void syscall_trace(struct pt_regs *regs)
|
|||
}
|
||||
}
|
||||
|
||||
#define audit_arch() (test_thread_flag(TIF_IA32) ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64)
|
||||
|
||||
asmlinkage void syscall_trace_enter(struct pt_regs *regs)
|
||||
{
|
||||
/* do the secure computing check first */
|
||||
|
@ -641,11 +639,19 @@ asmlinkage void syscall_trace_enter(struct pt_regs *regs)
|
|||
&& (current->ptrace & PT_PTRACED))
|
||||
syscall_trace(regs);
|
||||
|
||||
if (unlikely(current->audit_context))
|
||||
audit_syscall_entry(current, audit_arch(), regs->orig_rax,
|
||||
regs->rdi, regs->rsi,
|
||||
regs->rdx, regs->r10);
|
||||
|
||||
if (unlikely(current->audit_context)) {
|
||||
if (test_thread_flag(TIF_IA32)) {
|
||||
audit_syscall_entry(current, AUDIT_ARCH_I386,
|
||||
regs->orig_rax,
|
||||
regs->rbx, regs->rcx,
|
||||
regs->rdx, regs->rsi);
|
||||
} else {
|
||||
audit_syscall_entry(current, AUDIT_ARCH_X86_64,
|
||||
regs->orig_rax,
|
||||
regs->rdi, regs->rsi,
|
||||
regs->rdx, regs->r10);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
asmlinkage void syscall_trace_leave(struct pt_regs *regs)
|
||||
|
|
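Review bot: The new branch in syscall_trace_enter chooses the register set and arch value from `test_thread_flag(TIF_IA32)`, which describes the task and not the entry path that produced this particular syscall. If a task can reach this function through the other ABI's entry point (not visible on this page, so worth confirming against the ia32 entry code), the audit record would carry the wrong arch, syscall number meaning and arguments, and audit rules keyed on those fields would miss or mislabel the call. Separately, the i386 call would benefit from a short comment such as `/* i386 ABI: syscall args 1-4 are in ebx, ecx, edx, esi */`. It may also be worth truncating the logged values to 32 bits if the upper halves of the saved registers are not guaranteed to be zero for compat tasks. The middle of the function falls between the two hunks and is not shown here.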