audit: Migrate to use SYSCALL_WORK flag

 * @regs:	task_pt_regs() of @task

 *

 * It's only valid to call this when @task is stopped for system

 * call exit tracing (due to %SYSCALL_WORK_SYSCALL_TRACE or TIF_SYSCALL_AUDIT),

 * after tracehook_report_syscall_entry() returned nonzero to prevent

 * the system call from taking place.

 * call exit tracing (due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT), after tracehook_report_syscall_entry()

 * returned nonzero to prevent the system call from taking place.

 *

 * This rolls back the register state in @regs so it's as if the

 * system call instruction was a no-op.  The registers containing

 * Returns 0 if the system call succeeded, or -ERRORCODE if it failed.

 *

 * It's only valid to call this when @task is stopped for tracing on exit

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT.

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT.

 */

long syscall_get_error(struct task_struct *task, struct pt_regs *regs);

 * This value is meaningless if syscall_get_error() returned nonzero.

 *

 * It's only valid to call this when @task is stopped for tracing on exit

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT.

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT.

 */

long syscall_get_return_value(struct task_struct *task, struct pt_regs *regs);

 * code; the user sees a failed system call with this errno code.

 *

 * It's only valid to call this when @task is stopped for tracing on exit

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT.

 * from a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT.

 */

void syscall_set_return_value(struct task_struct *task, struct pt_regs *regs,

			      int error, long val);

*  @args[0], and so on.

 *

 * It's only valid to call this when @task is stopped for tracing on

 * entry to a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT.

 * entry to a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT.

 */

void syscall_get_arguments(struct task_struct *task, struct pt_regs *regs,

			   unsigned long *args);

 * The first argument gets value @args[0], and so on.

 *

 * It's only valid to call this when @task is stopped for tracing on

 * entry to a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or %TIF_SYSCALL_AUDIT.

 * entry to a system call, due to %SYSCALL_WORK_SYSCALL_TRACE or

 * %SYSCALL_WORK_SYSCALL_AUDIT.

 */

void syscall_set_arguments(struct task_struct *task, struct pt_regs *regs,

			   const unsigned long *args);

 * Returns the AUDIT_ARCH_* based on the system call convention in use.

 *

 * It's only valid to call this when @task is stopped on entry to a system

 * call, due to %SYSCALL_WORK_SYSCALL_TRACE, %TIF_SYSCALL_AUDIT, or

 * call, due to %SYSCALL_WORK_SYSCALL_TRACE, %SYSCALL_WORK_SYSCALL_AUDIT, or

 * %SYSCALL_WORK_SECCOMP.

 *

 * Architectures which permit CONFIG_HAVE_ARCH_SECCOMP_FILTER must

 * Define dummy _TIF work flags if not defined by the architecture or for

 * disabled functionality.

 */

#ifndef _TIF_SYSCALL_AUDIT

# define _TIF_SYSCALL_AUDIT		(0)

#endif

#ifndef _TIF_PATCH_PENDING

# define _TIF_PATCH_PENDING		(0)

#endif

# define ARCH_SYSCALL_ENTER_WORK	(0)

#endif

#define SYSCALL_ENTER_WORK						\

	(_TIF_SYSCALL_AUDIT  |						\

	 ARCH_SYSCALL_ENTER_WORK)

#define SYSCALL_ENTER_WORK ARCH_SYSCALL_ENTER_WORK

/*

 * TIF flags handled in syscall_exit_to_user_mode()

# define ARCH_SYSCALL_EXIT_WORK		(0)

#endif

#define SYSCALL_EXIT_WORK						\

	(_TIF_SYSCALL_AUDIT |						\

	 ARCH_SYSCALL_EXIT_WORK)

#define SYSCALL_EXIT_WORK ARCH_SYSCALL_EXIT_WORK

#define SYSCALL_WORK_ENTER	(SYSCALL_WORK_SECCOMP |			\

				 SYSCALL_WORK_SYSCALL_TRACEPOINT |	\

				 SYSCALL_WORK_SYSCALL_TRACE |		\

				 SYSCALL_WORK_SYSCALL_EMU)

				 SYSCALL_WORK_SYSCALL_EMU |		\

				 SYSCALL_WORK_SYSCALL_AUDIT)

#define SYSCALL_WORK_EXIT	(SYSCALL_WORK_SYSCALL_TRACEPOINT |	\

				 SYSCALL_WORK_SYSCALL_TRACE)

				 SYSCALL_WORK_SYSCALL_TRACE |		\

				 SYSCALL_WORK_SYSCALL_AUDIT)

/*

 * TIF flags handled in exit_to_user_mode_loop()

	SYSCALL_WORK_BIT_SYSCALL_TRACEPOINT,

	SYSCALL_WORK_BIT_SYSCALL_TRACE,

	SYSCALL_WORK_BIT_SYSCALL_EMU,

	SYSCALL_WORK_BIT_SYSCALL_AUDIT,

};

#define SYSCALL_WORK_SECCOMP		BIT(SYSCALL_WORK_BIT_SECCOMP)

#define SYSCALL_WORK_SYSCALL_TRACEPOINT	BIT(SYSCALL_WORK_BIT_SYSCALL_TRACEPOINT)

#define SYSCALL_WORK_SYSCALL_TRACE	BIT(SYSCALL_WORK_BIT_SYSCALL_TRACE)

#define SYSCALL_WORK_SYSCALL_EMU	BIT(SYSCALL_WORK_BIT_SYSCALL_EMU)

#define SYSCALL_WORK_SYSCALL_AUDIT	BIT(SYSCALL_WORK_BIT_SYSCALL_AUDIT)

#include <asm/thread_info.h>

	state = audit_filter_task(tsk, &key);

	if (state == AUDIT_DISABLED) {

		clear_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);

		clear_task_syscall_work(tsk, SYSCALL_AUDIT);

		return 0;

	}

	context->filterkey = key;

	audit_set_context(tsk, context);

	set_tsk_thread_flag(tsk, TIF_SYSCALL_AUDIT);

	set_task_syscall_work(tsk, SYSCALL_AUDIT);

	return 0;

}