[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?
John Johansen
john.johansen at canonical.com
Wed Mar 14 21:52:16 UTC 2012
On 03/14/2012 02:21 PM, Number Six wrote:
> Hello,
>
> This may seem like a strange request, but I have urgent need to be able
> to extract the userland EIP/RIP associated with AppArmor syscall audit
> events on Ubuntu 11.04.
>
> I am dealing with a possible exploit that seems to irregularly attempt
> to execute a series of suspicious system calls, and I'd like to try to
> dive in with gdb to see what is really going on.
>
> I've dug around trying to intercept the system calls in gdb, but either
> the exploit is failure-prone, or something else is blocking easy
> reproduction of the audit events.
>
Have you tried strace? You should be able to correlate syscall failures
with AppArmor denied messages.
Of course, it is based off of ptrace like gdb, so if gdb is not working
for you it may not either, but it is worth a try.
> Is there any way to log userland EIP/RIP for audit messages? It seems
> like the syscall arguments and memory pointers get logged in a0-3, but
> not EIP/RIP...
>
This might be possible through auditd; I will have to check which parameters
can be audited.
Another possibility is ftrace or LTTng.
> I'd be willing to test out a patch if that's what it takes.
>
That is a possibility, but I would like to look at the more generic solutions
first.
Sorry, I am not aware how to do it with them off the top of my head.
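The strace-to-AppArmor correlation suggested above, as an added example that is not part of the thread or of the AppArmor project. It assumes strace was run as `strace -f -ttt -o trace.log <cmd>` (each line starts with the pid and an epoch timestamp), that the denial records are the `apparmor="DENIED"` lines from /var/log/audit/audit.log or the `type=1400 audit(...)` lines the kernel prints to kern.log/dmesg, and that AppArmor reports a denial to the caller as EACCES or EPERM. The sample trace and audit lines are constructed for the example, and the field names in the network record (operation="socket_create", family, sock_type) are assumed from AppArmor's audit format.

```python
import re

# One line of `strace -f -ttt -o trace.log` (assumed invocation):
#   "<pid> <epoch.usec> <call>(<args>) = <ret> [<ERRNO> (<message>)]"
# Calls that -f splits into "<... unfinished ...>"/"<... resumed>" do not match and are skipped.
STRACE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<ts>\d+\.\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)
# The audit(<epoch>:<serial>) stamp is the same in audit.log and in the
# "type=1400 audit(...)" lines the kernel prints when auditd is not running.
AUDIT_TS_RE = re.compile(r'audit\((\d+\.\d+):\d+\)')
AUDIT_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FIRST_STRING_RE = re.compile(r'"([^"]*)"')

# An AppArmor denial surfaces to userland as EACCES or EPERM (assumed);
# ENOENT, EINVAL and friends are ordinary failures, not denial candidates.
DENIAL_ERRNOS = {"EACCES", "EPERM"}


def parse_strace(lines):
    """Return the syscalls that failed with a denial-style errno."""
    calls = []
    for line in lines:
        m = STRACE_RE.match(line.strip())
        if not m or m.group("ret") != "-1" or m.group("errno") not in DENIAL_ERRNOS:
            continue
        path = FIRST_STRING_RE.search(m.group("args"))  # first quoted arg, usually the filename
        calls.append({
            "pid": int(m.group("pid")),
            "ts": float(m.group("ts")),
            "call": m.group("call"),
            "errno": m.group("errno"),
            "path": path.group(1) if path else None,
        })
    return calls


def parse_audit(lines):
    """Return apparmor="DENIED" records as dicts of their key=value fields."""
    denials = []
    for line in lines:
        ts = AUDIT_TS_RE.search(line)
        if not ts:
            continue
        rec = {key: (quoted or bare) for key, quoted, bare in AUDIT_KV_RE.findall(line)}
        if rec.get("apparmor") != "DENIED" or "pid" not in rec:
            continue
        rec["ts"] = float(ts.group(1))
        rec["pid"] = int(rec["pid"])
        denials.append(rec)
    return denials


def correlate(calls, denials, window=2.0):
    """Pair each failed syscall with the closest-in-time denial from the same pid
    (and the same path, when both sides carry one). Returns (call, denial, seconds_apart)."""
    matches = []
    for call in calls:
        best = None
        for d in denials:
            if d["pid"] != call["pid"]:
                continue
            if call["path"] is not None and "name" in d and d["name"] != call["path"]:
                continue
            delta = abs(d["ts"] - call["ts"])
            if delta <= window and (best is None or delta < best[1]):
                best = (d, delta)
        if best is not None:
            matches.append((call, best[0], best[1]))
    return matches


def unmatched_denials(denials, matches):
    """Denials with no traced counterpart: the process was not under ptrace, or
    the failing call was split/unfinished in the trace."""
    seen = {id(d) for _, d, _ in matches}
    return [d for d in denials if id(d) not in seen]


# Constructed sample input for this example; not real logs from the thread.
SAMPLE_STRACE = [
    '1234 1331762516.123456 open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)',
    '1234 1331762516.130000 open("/etc/passwd", O_RDONLY) = 3',
    '1234 1331762516.200000 open("/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)',
    '1235 1331762517.000000 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = -1 EACCES (Permission denied)',
]
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1331762516.124:101): apparmor="DENIED" operation="open" parent=1200 '
    'profile="/usr/bin/suspect" name="/etc/shadow" pid=1234 comm="suspect" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1331762517.001:102): apparmor="DENIED" operation="socket_create" parent=1200 '
    'profile="/usr/bin/suspect" pid=1235 comm="suspect" family="inet" sock_type="stream" protocol=6',
    'type=AVC msg=audit(1331762520.000:103): apparmor="DENIED" operation="open" parent=1200 '
    'profile="/usr/bin/suspect" name="/etc/shadow" pid=9999 comm="other" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0',
]


def demo():
    calls = parse_strace(SAMPLE_STRACE)
    denials = parse_audit(SAMPLE_AUDIT)
    matches = correlate(calls, denials)
    return matches, unmatched_denials(denials, matches)


if __name__ == "__main__":
    matches, leftover = demo()
    for call, d, delta in matches:
        print(f'pid {call["pid"]} {call["call"]}() -> {call["errno"]}  <=>  '
              f'{d["operation"]} {d.get("name", "")} ({delta * 1000:.1f} ms apart)')
    for d in leftover:
        print(f'no traced syscall for denial pid={d["pid"]} operation={d["operation"]}')
```

Run it on the constructed data and it pairs the EACCES open() and socket() with their AVC records and reports the pid-9999 denial as having no traced counterpart. The pairing is what you want from the pair of logs: EACCES alone can also come from ordinary DAC permissions, so it is the matching audit record, not the errno, that confirms AppArmor was the one saying no. A denial with no traced syscall is the case the original poster describes, where the suspicious process was not under ptrace when it ran.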