Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S264438AbTEJQis (ORCPT ); Sat, 10 May 2003 12:38:48 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S264442AbTEJQis (ORCPT ); Sat, 10 May 2003 12:38:48 -0400 Received: from node-d-1ea6.a2000.nl ([62.195.30.166]:29167 "EHLO laptop.fenrus.com") by vger.kernel.org with ESMTP id S264438AbTEJQiq (ORCPT ); Sat, 10 May 2003 12:38:46 -0400 Subject: Re: The disappearing sys_call_table export. From: Arjan van de Ven Reply-To: arjanv@redhat.com To: Ahmed Masud Cc: Alan Cox , Jesse Pollard , Chuck Ebbert <76306.1226@compuserve.com>, "viro@parcelfarce.linux.theplanet.co.uk" , Linux Kernel Mailing List , Terje Eggestad In-Reply-To: References: Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-gi6MXystPIu2yI4+K/5M" Organization: Red Hat, Inc. Message-Id: <1052585430.1367.6.camel@laptop.fenrus.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.4 (1.2.4-2) Date: 10 May 2003 18:50:31 +0200 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1811 Lines: 52 --=-gi6MXystPIu2yI4+K/5M Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Sat, 2003-05-10 at 16:38, Ahmed Masud wrote: > Case in point, I wrote a security module for Linux that overrides _all_ > 237 systemcalls to audit and control the use of the system calls on a per > uid basis. (i.e. if the user was actually allowed to make the system cal= l > or not) and return -EPERM or jump to system call proper. I'm pretty sure that auditing by your module can easily be avoided. examle: pseudocode for the unlink syscall long your_wrapped_syscall(char *userfilename) { char kernelpointer[something]; copy_from_user(kernelpointer, usefilename, ...); audit_log(kernelpointer); return original_syscall(userfilename); } now.... the original syscall does ANOTHER copy_from_user(). Eg I can easily fool your logging by having a second thread change the filename between the time your code copies it and the time the original syscall copies it again. The chances of getting the timing right are 50% at least (been there done that ;) The only solution for this is to check/audit/log things after the ONE copy. Eg not by overriding the syscall but inside the syscall. --=-gi6MXystPIu2yI4+K/5M Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQA+vS3WxULwo51rQBIRAnDuAKCAxz6+9DXu56TUXU+Z7Awv17joHwCfVY3I tKJdOaaAma7KsFk/uia/p/0= =u0CR -----END PGP SIGNATURE----- --=-gi6MXystPIu2yI4+K/5M-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/