audit vs. ptrace races.

Olaf Kirch okir at suse.de
Thu Mar 17 15:46:04 UTC 2005


If you use the ptrace hooks, you want to audit after the ptrace hook
on entry, and _before_ calling the hook on exit.

On Thu, Mar 17, 2005 at 03:37:27PM +0000, David Woodhouse wrote:
> There is also a potential race condition where the argument is actually
> a pointer to userspace memory -- for auditing purposes we _must_ use the
> copy which we get from userspace at the time we perform the syscall, not
> copy it in from userspace in audit_syscall_entry(). I don't think we
> currently have problems with this -- both the IPC code and getname() are
> doing this correctly -- but it's worth pointing out to avoid mistakes in
> future.

Yes, that is actually an interesting challenge, and we added a lot of
very ugly code to prevent that in our audit implementation.  It worked,
but I am not 100% confident it is entirely deadlock free.

This sort of thing gets really interesting when you deal with ioctls.
Some syscall tracking implementations simply used to copy the arguments
to some temporary memory and did a setfs(KERNEL_DS) but that doesn't
work (well it works, but it creates serious security problems if you
think of ioctls that pass pointers to pointers).

This is the main reason why we changed our audit implementation from
using the trace to picking up the arguments directly inside the kernel
functions we wanted to audit.

Olaf
-- 
Olaf Kirch   |  --- o --- Nous sommes du soleil we love when we play
okir at suse.de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
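The argument race described in the quoted paragraph, as a constructed C model added here (not code from this thread or from any kernel tree; every name ending in _sim is an assumption of the model): the "kernel" fetches the path once, another thread rewrites the user buffer, and the audit record either reuses the fetched copy or re-reads userspace.

```c
/* Constructed model of the audit-vs-syscall argument race, not kernel code:
 * "user memory" is a plain buffer, and the other thread's write is a
 * deterministic hook placed between the syscall's copy and the audit record. */
#include <string.h>

#define NAME_MAX_SIM 64

/* Simulated user address space: the page the syscall argument points into. */
static char user_mem[NAME_MAX_SIM];

/* Model of copy_from_user()/getname(): snapshot the string into kernel memory. */
static void getname_sim(char *kernel_buf, const char *user_ptr)
{
    strncpy(kernel_buf, user_ptr, NAME_MAX_SIM - 1);
    kernel_buf[NAME_MAX_SIM - 1] = '\0';
}

/* Model of another thread overwriting the argument buffer in the race window. */
static void concurrent_writer_sim(const char *new_value)
{
    strncpy(user_mem, new_value, NAME_MAX_SIM - 1);
    user_mem[NAME_MAX_SIM - 1] = '\0';
}

/* Simulated audited syscall. Returns 1 if the audit record matches the name
 * the "kernel" actually acted on, 0 if the record is wrong.
 * audit_recopies=1 models an audit hook that reads userspace again;
 * audit_recopies=0 models logging the copy getname() already made. */
int audited_open_sim(const char *initial, const char *changed_to,
                     int audit_recopies, char *record_out)
{
    char kernel_name[NAME_MAX_SIM];

    concurrent_writer_sim(initial);          /* caller sets up its argument */
    getname_sim(kernel_name, user_mem);      /* kernel fetches the argument once */
    concurrent_writer_sim(changed_to);       /* race window: buffer is replaced */

    if (audit_recopies)
        getname_sim(record_out, user_mem);   /* racy: logs current user memory */
    else
        strcpy(record_out, kernel_name);     /* correct: logs what the kernel used */

    return strcmp(record_out, kernel_name) == 0;
}
```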