Standard Hooks

Although it is sufficient to record only entry and exit for most system calls, some can provide more information to the audit subsystem. Section 19.3.1 mentioned that the audit context provides the capability to store auxiliary data — this is used by several system calls. Since the method to realize this is nearly identical for all cases, only sys_socketcall is shown as an example here. The following hook function is used to allocate and fill in the auxiliary data:

kernel/auditsc.c

    int audit_socketcall(int nargs, unsigned long *args)
    {
        struct audit_aux_data_socketcall *ax;
        struct audit_context *context = current->audit_context;

        /* No audit context (or only a dummy one): syscall auditing is off. */
        if (likely(!context || context->dummy))
            return 0;

        /* One record with room for the nargs trailing arguments. */
        ax = kmalloc(sizeof(*ax) + nargs * sizeof(unsigned long), GFP_KERNEL);
        if (!ax)
            return -ENOMEM;
        ax->nargs = nargs;
        memcpy(ax->args, args, nargs * sizeof(unsigned long));

        /* Link the record at the head of the context's aux chain. */
        ax->d.type = AUDIT_SOCKETCALL;
        ax->d.next = context->aux;
        context->aux = (void *)ax;
        return 0;
    }

If auditing system calls is disabled, then no audit context is allocated (or only a dummy one is), so the routine can exit immediately. Otherwise, an auxiliary data record is allocated, filled with a copy of the socketcall arguments, and linked at the head of the audit context's aux chain, where it will be picked up when the system call exits.

Every time sys_socketcall is invoked, it calls audit_socketcall as follows:

net/socket.c

    asmlinkage long sys_socketcall(int call, unsigned long __user *args)
    {
        ...
        /* a[] holds the arguments already copied in from user space. */
        err = audit_socketcall(nargs[call]/sizeof(unsigned long), a);
        if (err)
            return err;
        ...

The remaining parts of sys_socketcall can use the auxiliary context to store specific socket-related information that will be passed to the audit userspace tools.
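To make the chaining visible outside the kernel, here is a user-space model of the hook together with the exit-path walk that consumes the chain. This is an added example, not code from kernel/auditsc.c: the struct names follow the kernel, but the AUDIT_SOCKETCALL value, the explicit context parameter (in place of current->audit_context) and the audit_drain_aux routine are constructed for the model.

```c
/* User-space model (added example, not kernel code) of how audit_socketcall
 * pushes an auxiliary record onto the audit context and how the syscall exit
 * path drains the chain. Names follow kernel/auditsc.c; the rest is constructed. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#define AUDIT_SOCKETCALL 1

struct audit_aux_data {              /* header shared by all aux records */
    struct audit_aux_data *next;     /* newest record first (LIFO chain) */
    int type;
};
struct audit_aux_data_socketcall {
    struct audit_aux_data d;
    int nargs;
    unsigned long args[];            /* sized at allocation time */
};
struct audit_context {
    int dummy;                       /* set when syscall auditing is off */
    void *aux;                       /* head of the aux chain */
};
/* The hook; the context is a parameter instead of current->audit_context. */
int audit_socketcall(struct audit_context *context, int nargs, unsigned long *args)
{
    struct audit_aux_data_socketcall *ax;
    if (!context || context->dummy)
        return 0;                    /* auditing off: nothing to record */
    ax = malloc(sizeof(*ax) + nargs * sizeof(unsigned long));
    if (!ax)
        return -ENOMEM;              /* allocation failure must be reported */
    ax->nargs = nargs;
    memcpy(ax->args, args, nargs * sizeof(unsigned long));
    ax->d.type = AUDIT_SOCKETCALL;
    ax->d.next = context->aux;       /* push onto the front of the chain */
    context->aux = ax;
    return 0;
}
/* Exit-path model: walk newest-first, free each record, return the count. */
int audit_drain_aux(struct audit_context *context)
{
    int n = 0;
    struct audit_aux_data *aux;
    while ((aux = context->aux) != NULL) {
        context->aux = aux->next;
        free(aux);
        n++;
    }
    return n;
}
```

Because records are pushed at the head, the record for the most recent call is the first one the exit path sees, and every record attached during one system call is released before the context is reused.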
