On Fri, Jun 24, 2016 at 11:20 AM, Heiko Carstens <heiko.carstens@xxxxxxxxxx> wrote: > On Fri, Jun 24, 2016 at 11:05:33AM -0400, Paul Moore wrote: >> My immediate concern is making sure that we are at least recording the >> arguments correctly in the audit record. My simple tests look okay, >> but as I said before, I'm far from a s390 expert and your initial >> comment made it sound like there were still problems with how we were >> recording the arguments. Can you either confirm that we are logging >> the arguments correctly, or provide a suggestion on how to get the >> right values? That would be most helpful at this point. > > The arguments are correct, except that they are missing sign and zero > extension to full 64 bit. However I would expect that the audit subsystem > will only work on the lower 32 bits anyway for compat tasks. So that > shouldn't be a problem. Yes, that should be fine. We were seeing problems with s390 syscalls on s390x showing garbage in the high 32-bits, that's the problem I'm trying to solve. For example, here is a snippet of an audit record generated from calling the s390 socketcall() on a s390x system: type=SYSCALL msg=audit(1458835510.860:652): arch=16 syscall=102 success=yes exit=21 a0=ffffffff0000000b a1=3ff7f82e3c0 a2=3ff00000000 a3=a72028 > I'm a bit concerned about user space pointers passed as argument for compat > tasks. These need to mask out 33 instead of 32 bits. This is of course > system call specific and I don't know enough about audit to tell if it > could be a problem. >From a practical point of view I'm not sure how much of an impact that will have as it is unlikely anyone will be doing anything useful with those pointer values; for example, you aren't going to be inspecting a process' memory space using just the audit log. Also, at the very least we aren't removing any information, just adding in an extra bit of potential junk. Anyone who does care about user space pointers in the audit log, should have all the information the need to drop the high bit. Does that sound reasonable? -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe linux-next" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
