If you use the ptrace hooks, you want to audit after the ptrace hook
on entry, and _before_ calling the hook on exit.
On Thu, Mar 17, 2005 at 03:37:27PM +0000, David Woodhouse wrote:
> There is also a potential race condition where the argument is actually
> a pointer to userspace memory -- for auditing purposes we _must_ use the
> copy which we get from userspace at the time we perform the syscall, not
> copy it in from userspace in audit_syscall_entry(). I don't think we
> currently have problems with this -- both the IPC code and getname() are
> doing this correctly -- but it's worth pointing out to avoid mistakes in
> future.
Yes, that is actually an interesting challenge, and we added a lot of
very ugly code to prevent that in our audit implementation. It worked,
but I am not 100% confident it is entirely deadlock free.
This sort of thing gets really interesting when you deal with ioctls.
Some syscall tracking implementations simply used to copy the arguments
to some temporary memory and did a set_fs(KERNEL_DS), but that doesn't
work (well, it works, but it creates serious security problems if you
think of ioctls that pass pointers to pointers).
This is the main reason why we changed our audit implementation from
using the trace to picking up the arguments directly inside the kernel
functions we wanted to audit.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir(a)suse.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
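The double-fetch problem David describes (audit re-copying a pointer argument from userspace instead of using the copy the syscall itself made) can be shown in a small userspace simulation. The following is an added example, not code from this thread or from the kernel audit subsystem: `sim_copy_from_user`, `audit_double_fetch`, `audit_single_copy`, `flip_path` and `demo_mismatch` are constructed stand-ins, and the "racing thread" is modelled as a callback that rewrites the buffer after every fetch rather than a real concurrent thread, so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a process's memory: a path buffer plus a
 * callback that simulates another thread rewriting it between reads. */
#define SIM_PATH_MAX 64

struct user_mem {
    char path[SIM_PATH_MAX];
    void (*mutate)(struct user_mem *um);   /* NULL = no racing thread */
};

/* Stand-in for copy_from_user(): copy the string, then let the
 * simulated concurrent thread run once. */
static void sim_copy_from_user(char *dst, struct user_mem *um)
{
    strncpy(dst, um->path, SIM_PATH_MAX - 1);
    dst[SIM_PATH_MAX - 1] = '\0';
    if (um->mutate)
        um->mutate(um);
}

struct syscall_result {
    char acted_on[SIM_PATH_MAX];   /* what the "syscall" really used */
    char audited[SIM_PATH_MAX];    /* what the audit record claims */
};

/* The pattern the thread warns against: the audit entry hook fetches the
 * argument for the log, and the syscall fetches it again for the
 * operation. Returns 1 if the audit record disagrees with reality. */
int audit_double_fetch(struct user_mem *um, struct syscall_result *out)
{
    sim_copy_from_user(out->audited, um);    /* fetch #1: audit_syscall_entry() style */
    sim_copy_from_user(out->acted_on, um);   /* fetch #2: getname() style */
    return strcmp(out->audited, out->acted_on) != 0;
}

/* The recommended pattern: the syscall copies once and hands that
 * kernel-side copy to audit; userspace is never re-read. */
int audit_single_copy(struct user_mem *um, struct syscall_result *out)
{
    sim_copy_from_user(out->acted_on, um);
    memcpy(out->audited, out->acted_on, SIM_PATH_MAX);
    return strcmp(out->audited, out->acted_on) != 0;
}

/* Constructed racing thread: flips the path after every fetch. */
static void flip_path(struct user_mem *um)
{
    if (strcmp(um->path, "/tmp/path-A") == 0)
        strcpy(um->path, "/tmp/path-B");
    else
        strcpy(um->path, "/tmp/path-A");
}

/* Run one scenario; returns 1 if the audit log would be wrong. */
int demo_mismatch(int use_double_fetch, int racing)
{
    struct user_mem um;
    struct syscall_result r;

    strcpy(um.path, "/tmp/path-A");        /* constructed sample argument */
    um.mutate = racing ? flip_path : NULL;
    return use_double_fetch ? audit_double_fetch(&um, &r)
                            : audit_single_copy(&um, &r);
}

int main(void)
{
    printf("double fetch, racing thread : mismatch=%d\n", demo_mismatch(1, 1));
    printf("double fetch, no race       : mismatch=%d\n", demo_mismatch(1, 0));
    printf("single copy,  racing thread : mismatch=%d\n", demo_mismatch(0, 1));
    return 0;
}
```

With the racing callback active, the double-fetch version logs `/tmp/path-A` while the operation actually ran on `/tmp/path-B`; the single-copy version cannot diverge because audit only ever sees the buffer the syscall itself used. The same reasoning is why the ioctl case is worse: a pointer-to-pointer argument means even the kernel-side copy still contains a userspace address that would have to be dereferenced again.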