git.baikalelectronics.ru Git - kernel.git/commit

author	Kees Cook <keescook@chromium.org>
	Sat, 12 Sep 2020 00:58:26 +0000 (17:58 -0700)
committer	Thomas Gleixner <tglx@linutronix.de>
	Mon, 14 Sep 2020 20:49:51 +0000 (22:49 +0200)
commit	11b1e5d176de305644fd6481ffcd2b8733ccef21
tree	1834572ed83f3acea4ef95b18244b3fd78512760	tree \| snapshot
parent	490b1f9d3b599ea255de59eeb320d58c1220e31c	commit \| diff

core/entry: Report syscall correctly for trace and audit

On v5.8 when doing seccomp syscall rewrites (e.g. getpid into getppid
as seen in the seccomp selftests), trace (and audit) correctly see the
rewritten syscall on entry and exit:

seccomp_bpf-1307  [000] .... 22974.874393: sys_enter: NR 110 (...
seccomp_bpf-1307  [000] .N.. 22974.874401: sys_exit: NR 110 = 1304

With mainline we see a mismatched enter and exit (the original syscall
is incorrectly visible on entry):

seccomp_bpf-1030  [000] ....    21.806766: sys_enter: NR 39 (...
seccomp_bpf-1030  [000] ....    21.806767: sys_exit: NR 110 = 1027

When ptrace or seccomp change the syscall, this needs to be visible to
trace and audit at that time as well. Update the syscall earlier so they
see the correct value.

Fixes: 3d67ecb7c0b4 ("core/entry: Respect syscall number rewrites")
Reported-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20200912005826.586171-1-keescook@chromium.org