On Sat, 2003-05-10 at 16:38, Ahmed Masud wrote:
> Case in point, I wrote a security module for Linux that overrides _all_
> 237 system calls to audit and control the use of the system calls on a per
> uid basis. (i.e. if the user was actually allowed to make the system call
> or not) and return -EPERM or jump to system call proper.
I'm pretty sure that auditing by your module can easily be avoided.
Example: pseudocode for the unlink syscall
long your_wrapped_syscall(char *userfilename)
{
	char kernelpointer[something];

	/* first copy: this is the value that gets logged */
	copy_from_user(kernelpointer, userfilename, ...);
	audit_log(kernelpointer);
	/* the original syscall copies userfilename from user space a second time */
	return original_syscall(userfilename);
}
now.... the original syscall does ANOTHER copy_from_user().
E.g. I can easily fool your logging by having a second thread change the
filename between the time your code copies it and the time the original
syscall copies it again. The chances of getting the timing right are 50%
at least (been there done that ;)
The only solution for this is to check/audit/log things after the ONE
copy. E.g. not by overriding the syscall but inside the syscall.
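A constructed simulation of the double-copy problem described above, added here and not part of the original mail or of either module: a hook stands in for the scheduling window between the two copies, so the audit mismatch shows deterministically (the real race is timing dependent, as the mail says), and the single-copy variant shows why auditing inside the syscall closes it. All function names, buffers and paths are hypothetical.

```c
#include <string.h>
#define NAME_LEN 64

/* Hypothetical hook standing in for the scheduling window between the two
 * copies, so the race from the mail plays out deterministically here. */
typedef void (*window_hook_t)(char *user_buf);

static char audit_record[NAME_LEN]; /* what the audit layer logged */
static char acted_on[NAME_LEN];     /* what the "real" syscall used */

/* Stand-in for copy_from_user(): copies user memory into a kernel buffer. */
static void copy_from_user_sim(char *dst, const char *src) {
	strncpy(dst, src, NAME_LEN - 1);
	dst[NAME_LEN - 1] = '\0';
}

/* The original syscall does its own, independent copy from user memory. */
static void original_unlink_sim(const char *user_buf) {
	copy_from_user_sim(acted_on, user_buf);
}

/* Wrapper pattern from the mail: copy, log, call the original (second copy). */
static void wrapped_unlink_sim(char *user_buf, window_hook_t between) {
	char kernel_name[NAME_LEN];
	copy_from_user_sim(kernel_name, user_buf);
	strcpy(audit_record, kernel_name);
	between(user_buf);             /* other thread rewrites the buffer */
	original_unlink_sim(user_buf); /* second copy sees the new contents */
}

/* The fix from the mail: audit inside the syscall, after the ONE copy. */
static void unlink_inline_audit_sim(char *user_buf, window_hook_t between) {
	char kernel_name[NAME_LEN];
	copy_from_user_sim(kernel_name, user_buf);
	between(user_buf);             /* window still exists but is harmless */
	strcpy(audit_record, kernel_name);
	strcpy(acted_on, kernel_name); /* acts on exactly the bytes it logged */
}

/* Constructed racing thread: rewrites the user buffer during the window. */
static void swap_name(char *user_buf) { strcpy(user_buf, "/tmp/other-file"); }

/* Returns 1 when the audit record matches what was acted on, else 0. */
int audit_matches(int use_fix) {
	char user_buf[NAME_LEN] = "/tmp/logged-file";
	if (use_fix)
		unlink_inline_audit_sim(user_buf, swap_name);
	else
		wrapped_unlink_sim(user_buf, swap_name);
	return strcmp(audit_record, acted_on) == 0;
}
```

With the wrapper, the log says one name and the operation uses another; with the in-syscall audit, the log and the operation are the same bytes by construction.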