Date: Sun, 11 May 2003 12:32:46 -0400
From: Chuck Ebbert <76306.1226@compuserve.com>
Subject: Re: The disappearing sys_call_table export.
To: "arjanv@redhat.com" <arjanv@redhat.com>
Cc: Ahmed Masud <masud@googgun.com>, Yoav Weiss <ml-lkml@unpatched.org>,
       Terje Eggestad <terje.eggestad@scali.com>,
       Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Message-ID: <200305111234_MC3-1-3865-CD21@compuserve.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	 charset=us-ascii
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1364
Lines: 43

arjanv wrote:

> examle: pseudocode for the unlink syscall
> 
> long your_wrapped_syscall(char *userfilename)
> {
>     char kernelpointer[something];
>     copy_from_user(kernelpointer, usefilename, ...);
>     audit_log(kernelpointer);
>     return original_syscall(userfilename);
> }


  That code has another hole that nobody else has mentioned
yet: I can fill the audit log by trying to delete nonexistent files,
and if accused of trying to mount a DOS attack on the audit trail
I can reasonably claim that it was all an accident...

  How about:

long wrapped_unlink(char *userfilename)
{
        char name1[len], name2[len];
        long ret;

        copy_from_user(name1, userfilename, ...);
        ret = original_unlink(userfilename);
        copy_from_user(name2, userfilename, ...);

        if (strncmp(name1, name2, len))
                audit_log(name1, name2, UNLINK_NAME_CHANGED);
        if (ret == 0 && AUDIT_SUCCESS)
                audit_log(name1, name2, UNLINK_SUCCEEDED);
        if (ret == -EPERM && AUDIT_FAILURE)
                audit_log(name1, name2, UNLINK_FAILED);

        return ret;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/