On Tuesday 03 July 2007 10:38:05 am Stephen Smalley wrote:
> One caveat though - auditing of write() won't catch all possible ways of
> modifying the file data, e.g. one could mmap() the file with MAP_SHARED
> and then write to the memory, followed by msync or munmap.
Agreed. And another gotcha is programs that could pass a descriptor across
af_unix sockets where it is then mmap'ed. There is also sendfile which could
send the file away to be viewed by other people and there is splice() &
tee(2). Don't forget the *at() syscalls, too. IOW, I think the problem is
trickier than it might initially appear.
Based on your requirements, you might want to consider putting in place some
SE Linux policy to control the different ways that a file can be accessed to
keep apps honest. Then you don't need to worry about all the sneak paths that
could subvert the audit system.
-Steve
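The mmap()/MAP_SHARED path Stephen describes, as an added example (not code from either poster) that a defender can use to check whether an audit rule set records a file change made without any write(2) call; the file path and contents are constructed for the demo:

```c
/* Added example: modify a file through mmap(MAP_SHARED) + msync/munmap,
 * the path mentioned in the thread, so audit coverage can be tested.
 * Only open(), mmap(), msync() and munmap() are issued; no write(2).
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite `len` bytes at offset `off` in `path` without write(2).
 * Returns 0 on success, -1 on failure. */
int patch_via_mmap(const char *path, off_t off, const void *data, size_t len)
{
    int fd = open(path, O_RDWR);                 /* still visible as an open() */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || off + (off_t)len > st.st_size) { close(fd); return -1; }
    size_t maplen = (size_t)st.st_size;
    char *map = mmap(NULL, maplen, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memcpy(map + off, data, len);                /* the change: plain memory stores */
    int rc = msync(map, maplen, MS_SYNC);        /* dirty pages go back to the file */
    munmap(map, maplen);
    close(fd);
    return rc;
}

/* Demo: seed a file with write(2), patch it via mmap, read it back.
 * Returns 0 if the file now holds "hello AUDIT". Constructed data. */
int demo(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    const char seed[] = "hello audit";
    if (write(fd, seed, sizeof seed - 1) != (ssize_t)(sizeof seed - 1)) { close(fd); return -1; }
    close(fd);
    if (patch_via_mmap(path, 6, "AUDIT", 5) != 0) return -1;
    char buf[32] = {0};
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(path);
    return (n == 11 && strcmp(buf, "hello AUDIT") == 0) ? 0 : -1;
}

int main(void) { return demo("/tmp/mmap_audit_demo") == 0 ? 0 : 1; }
```

Run it under your audit rules and compare the records for the seed write(2) against those for the mmap-based change; a rule set that only logs write() will show the first and miss the second.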