Re: The disappearing sys_call_table export.

Chuck Ebbert (76306.1226@compuserve.com)
Sat, 10 May 2003 15:32:00 -0400


Arjan van de Ven wrote:

> I'm pretty sure that auditing by your module can easily be avoided.
>
> example: pseudocode for the unlink syscall
>
> long your_wrapped_syscall(char *userfilename)
> {
>     char kernelpointer[something];
>     /* first copy: the bytes that get logged */
>     copy_from_user(kernelpointer, userfilename, ...);
>     audit_log(kernelpointer);
>     /* the original syscall copies the name from user space a second time */
>     return original_syscall(userfilename);
> }

Great, now how do you plan to get that code loaded into memory on
my configuration? (no modules, /dev/kmem unwriteable) (or ipd driver
loaded on NT/2K)

> The only solution for this is to check/audit/log things after the ONE
> copy. Eg not by overriding the syscall but inside the syscall.

If I can alter kernel memory I can patch out your auditing code.
It's just more difficult if you try to hide it inside the syscall. :)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
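The race behind Arjan's point, as an added user-space model that is not code from either poster or from the kernel: `struct user_page`, `model_copy_from_user()`, the `race_hook_t` callback and the two `*_matches()` functions are assumed names standing in for user memory, `copy_from_user()`, a second user thread and the two audit placements. The wrapper pattern logs its own copy and then lets the original syscall copy the user buffer again, so a rewrite between the two copies makes the log disagree with what the kernel acted on; auditing from the single in-syscall copy cannot disagree.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* Constructed stand-in for a page of user memory that another user-space
   thread may rewrite at any time (the race described in the thread). */
struct user_page {
    char data[NAME_MAX_LEN];
};

static struct user_page make_page(const char *name) {
    struct user_page p;
    memset(&p, 0, sizeof p);
    strncpy(p.data, name, NAME_MAX_LEN - 1);
    return p;
}

/* Model of copy_from_user(): every call re-reads user memory as it is *now*. */
static void model_copy_from_user(char *kbuf, const struct user_page *upage) {
    strncpy(kbuf, upage->data, NAME_MAX_LEN - 1);
    kbuf[NAME_MAX_LEN - 1] = '\0';
}

/* Hook that runs between two kernel reads of the page; models the racing
   user thread. NULL means no other thread touches the page. */
typedef void (*race_hook_t)(struct user_page *upage);

/* Constructed racing thread: replaces the name after the wrapper logged it. */
static void swap_name(struct user_page *upage) {
    strcpy(upage->data, "/tmp/unexpected");
}

/* The "original" syscall: one copy_from_user(), then it acts on that copy
   (here it only records which name it would have acted on). */
static void original_unlink(const struct user_page *upage, char acted_on[NAME_MAX_LEN]) {
    model_copy_from_user(acted_on, upage);
}

/* Pattern quoted in the thread: the wrapper audits its own copy, then passes
   the *user pointer* to the original syscall, which copies a second time.
   Returns true only if the logged name equals the name acted on. */
static bool wrapped_audit_matches(struct user_page *upage, race_hook_t race,
                                  char audited[NAME_MAX_LEN],
                                  char acted_on[NAME_MAX_LEN]) {
    model_copy_from_user(audited, upage); /* copy #1: what audit_log() records */
    if (race)
        race(upage);                      /* user thread rewrites the page */
    original_unlink(upage, acted_on);     /* copy #2: what the kernel really uses */
    return strcmp(audited, acted_on) == 0;
}

/* Arjan's recommendation: log inside the syscall, from its single kernel copy. */
static bool in_syscall_audit_matches(struct user_page *upage, race_hook_t race,
                                     char audited[NAME_MAX_LEN],
                                     char acted_on[NAME_MAX_LEN]) {
    model_copy_from_user(acted_on, upage);   /* the ONE copy */
    if (race)
        race(upage);                         /* too late: the kernel never re-reads the page */
    memcpy(audited, acted_on, NAME_MAX_LEN); /* audit_log() sees the same bytes */
    return strcmp(audited, acted_on) == 0;
}

int main(void) {
    char audited[NAME_MAX_LEN], acted_on[NAME_MAX_LEN];

    struct user_page p = make_page("/tmp/harmless");
    bool ok = wrapped_audit_matches(&p, swap_name, audited, acted_on);
    printf("wrapper:    logged \"%s\", acted on \"%s\" -> %s\n",
           audited, acted_on, ok ? "consistent" : "MISMATCH");

    p = make_page("/tmp/harmless");
    ok = in_syscall_audit_matches(&p, swap_name, audited, acted_on);
    printf("in-syscall: logged \"%s\", acted on \"%s\" -> %s\n",
           audited, acted_on, ok ? "consistent" : "MISMATCH");
    return 0;
}
```

The model makes the race deterministic by calling the hook between the two reads; on a real SMP system the window is only a few instructions wide, but the defect is the same: whatever is logged from a wrapper's private copy is not the data the kernel later acts on, which is why the audit record has to be produced from the one copy the syscall itself makes.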