32bit and 64bit syscall issues
Chris Wright
chrisw at osdl.org
Sat Mar 12 01:24:02 UTC 2005
* Debora Velarde (dvelarde at us.ibm.com) wrote:
> Our current audit solution has some problems when a user tries to audit
> 32bit syscalls on x86_64 systems. (This is a CAPP requirement.)
> Most of the problems are due to the fact that there are two unistd.h files
> on x86_64 systems.
> 64bit syscalls are defined in /usr/include/asm-x86_64/unistd.h
> 32bit syscalls are defined in /usr/include/asm-i386/unistd.h
> In these two files, the syscall numbers assigned to syscall names are not
> the same.
> For example:
> From /usr/include/asm-i386/unistd.h:
> #define __NR_fork 2
> #define __NR_open 5
> From /usr/include/asm-x86_64/unistd.h:
> #define __NR_open 2
> #define __NR_fstat 5
Yes, we've touched on this a few times on calls.
> ---------------
> Problem 1:
> "auditctl -t" always translates numbers to name based on
> /usr/include/asm-x86_64/unistd.h
> (When compiled in 64bit mode on a 64bit system).
>
> Possible Solution 1:
> Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
> so that the 32bit and the 64bit syscall number of any syscall are the same
> number.
This is an absolute no-go. That would _seriously_ break any notion of
binary compatibility. So, the syscall numbers per-arch can't change,
> Possible Solution 2:
> Modify auditctl to return both 32bit and 64bit syscall names associated
> with that number. This will require a change in how Steve creates his
> table.
> Example:
> auditctl -t 2
> Would Return:
> 32bit: fork
> 64bit: open
>
> Possible Solution 3:
> Modify auditctl -t option to require an additional flag indicating whether
> the 32bit or the 64bit syscall number should be returned. Could possibly
> use the "-F pers=" flag.
This makes most sense.
> ---------------
> Problem 2:
> "audictl -a" rule also always translates numbers to the syscall name found
> in /usr/include/asm-x86_64/unistd.h
Even with pers flag?
> Possible Solution 1:
> Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
> so that the 32bit and the 64bit syscall number of any syscall are the same
> number.
Heh, see above.
> Possible Solution 2:
> auditctl -a <l,a> -S <syscall name> should require additional flag
> indicating if 32bit, 64bit, or both syscalls should be audited. Could
> possibly use the "pers" flag, assuming personality can determine if a
> syscall was compiled 32bit or 64bit.
> Then audit rule(s) can be added for the correct syscall number(s).
> auditctl -A, and auditctl -d rules would also need to be changed.
>
> ---------------
> Problem 3:
> Personality is currently always 0 by default. We can NOT assume that an
> application will manually set personality to another number. Therefore we
> cannot currently use the "pers" flag to determine if a syscall was executed
> from a 32bit or a 64bit compiled program.
What does this mean? It's the ELF headers that will describe how the
program is treated. What am I missing?
> Possible Solution 1:
> Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
> so that the 32bit and the 64bit syscall number of any syscall are the same
> number.
> Then we would not need to filter on "pers" flag.
Again, no chance.
> Possible Solution 2:
> Fix personality so that it determines from the binary whether it was 32bit
> or 64bit.
What does this mean?
> ---------------
> Problem 4:
> Audit record does not indicate if a 32bit or a 64bit syscall was executed.
> Because of this, you are unable to determine which syscall resulted in an
> audit record.
> For example, we cannot currently determine if a record with "syscall=2"
> resulted from an __NR_open call (compiled 64bit) or a __NR_fork call
> (compiled 32bit) because
> From /usr/include/asm-i386/unistd.h:
> #define __NR_fork 2
> From /usr/include/asm-x86_64/unistd.h:
> #define __NR_open 2
>
> Possible Solution 1:
> Modify /usr/include/asm-i386/unistd.h and /usr/include/asm-x86_64/unistd.h
> so that the 32bit and the 64bit syscall number of any syscall are the same
> number.
Again, no chance.
> Possible Solution 2:
> Fix 'pers' flag so that it can determine if it was a 32bit or 64bit
> syscall. Currently 'pers' flag is included in the audit record if
> 'pers'!=0.
Is it not legit to assume native binary unless otherwise indicated?
> ---------------
> Problem 5:
> Some syscalls are not defined in either unistd.h file. Therefore, auditctl
> -t is not able to translate the syscall number to a syscall name. This is
> a usability problem for administrators.
Do you have examples?
> Possible Solution 1:
> Add these other syscalls (found in Klaus' syscalltab file, but not in
> unistd.h).
>
> Possible Solution 2:
> Include an additional header file containing these other syscalls (found in
> Klaus' syscalltab file, but not in unistd.h) along with audit, so that
> audictl is able to translate those syscall numbers to name.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the Linux-audit
mailing list