
Commit 3adebe6

authored
Handle ppc64 and ppc64le syscall lookups (#72)
ppc64 and ppc64le use the same syscall table as ppc. But we were missing an entry in the syscall table for these two architectures so lookups would fail if you tried to install an audit rule with `-F arch=ppc64le` or if go-libaudit tried to enrich messages with the syscall names while running on those arches.
1 parent 2430e8c commit 3adebe6


5 files changed

+46
-1
lines changed


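--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 
+- Fixed syscall lookup for ppc64 and ppc64le. [#71](https://github.com/elastic/go-libaudit/pull/71)
+
 ### Removed
 
 ### Deprecated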

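--- a/auparse/mk_audit_syscalls.pl
+++ b/auparse/mk_audit_syscalls.pl
@@ -100,4 +100,14 @@ package auparse
 print <<EOF;
 }
 
+func init() {
+// Add "aliases" to ppc for ppc64 and ppc64le. They share the same tables.
+ppcTable, found := AuditSyscalls["ppc"]
+if !found {
+panic("missing ppc syscall table")
+}
+AuditSyscalls["ppc64"] = ppcTable
+AuditSyscalls["ppc64le"] = ppcTable
+}
+
 EOF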
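Review bot: The two alias assignments in the added `init()` store the same table value under three keys of the exported `AuditSyscalls`, so if that value is a map (its type is not visible in this hunk) a write through `AuditSyscalls["ppc64le"]` would also change the `ppc` and `ppc64` lookups. Because these names feed audit-rule construction and message enrichment, I would state the read-only expectation in the comment, e.g. `// ppc64 and ppc64le alias the ppc table (same value, not a copy); treat the tables as read-only.` The `panic("missing ppc syscall table")` runs at import time in every consumer of the package; that seems acceptable only because the `ppc` entry is emitted by this same generator, which is worth saying in the comment as well.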

auparse/zaudit_arches.go

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

auparse/zaudit_syscalls.go

Lines changed: 10 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

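--- a/rule/rule_test.go
+++ b/rule/rule_test.go
@@ -133,6 +133,19 @@ func TestAddSyscall(t *testing.T) {
 assert.EqualValues(t, openSyscallNum, rule.syscalls[0])
 }
 })
+
+t.Run("open", func(t *testing.T) {
+rule := &ruleData{
+arch: "ppc64le",
+}
+if err := addSyscall(rule, "open"); err != nil {
+t.Fatal(err)
+}
+if assert.Len(t, rule.syscalls, 1) {
+const openSyscallNum = 5
+assert.EqualValues(t, openSyscallNum, rule.syscalls[0])
+}
+})
 }
 
 func TestAddFilter(t *testing.T) {
@@ -335,6 +348,16 @@ func TestAddFilter(t *testing.T) {
 assert.EqualValues(t, auparse.AUDIT_ARCH_X86_64, rule.values[0])
 })
 
+t.Run("arch_ppc64le", func(t *testing.T) {
+rule := &ruleData{}
+if err := addFilter(rule, "arch", "=", "ppc64le"); err != nil {
+t.Fatalf("%+v", err)
+}
+assert.EqualValues(t, archField, rule.fields[0])
+assert.EqualValues(t, equalOperator, rule.fieldFlags[0])
+assert.EqualValues(t, auparse.AUDIT_ARCH_PPC64LE, rule.values[0])
+})
+
 t.Run("perm", func(t *testing.T) {
 rule := &ruleData{flags: exitFilter}
 if err := addFilter(rule, "perm", "=", "wa"); err != nil {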
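Review bot: The subtest added to TestAddSyscall is named `open`, and the context lines just above it assert `openSyscallNum` in what looks like an existing subtest of the same name (its `t.Run` line is outside the hunk, so this is inferred); Go would then report the new one as `open#01`, which hides which architecture failed. Naming it `t.Run("open_ppc64le", func(t *testing.T) {` would match the `arch_ppc64le` name used in the second hunk. The commit also aliases `ppc64`, but neither hunk exercises it; a sibling case with `arch: "ppc64"` would keep a wrong syscall number from silently producing an audit rule that watches a different syscall. TestAddSyscall starts before the first hunk and TestAddFilter continues past the second, so the surrounding subtests are not visible here.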
