Auditing - Snare, LAuS, SELinux

Muli Ben-Yehuda mulix at mulix.org
Thu Aug 26 05:07:42 UTC 2004


On Wed, Aug 25, 2004 at 07:08:35PM -0500, Jonathan Abbey wrote:
> I assume you're talking about the
> 
>         testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
>         jnz syscall_trace_entry
> 
> stuff in /arch/i386/kernel/entry.S and succeeding?
> 
> I'm afraid I'm not literate enough in either the kernel's low level
> operations or in its history to understand what it is about this
> sequence that is novel.. it seems a straightforward branch in the
> entry code.. had that branch already been paid for in an earlier
> implementation?

Exactly. The test already happened against _TIF_SYSCALL_TRACE, which
is a bit signaling that this process is being ptrace'd. Since all the
audit code did was test *at the same time* against another bit
(_TIF_SYSCALL_AUDIT) no one objected to it.

Cheers, 
Muli
-- 
Muli Ben-Yehuda
http://www.mulix.org | http://mulix.livejournal.com/
