syscall arguments in audit records

David Woodhouse dwmw2 at infradead.org
Fri Mar 25 22:12:15 UTC 2005


Please don't top-post, and please don't use HTML.

On Fri, 2005-03-25 at 15:53 -0600, Debora Velarde wrote:
> Some of the system call arguments have useful information; they're not
> just pointing to a memory address. 

This is true, but some are pointers to memory. We need to be careful
here -- whenever we dereference such a pointer, we need to make sure
that the contents of the memory it points to are not changed between the
time we read them, and the time the system call itself calls
copy_from_user() to read them again. Basically, we need to use callbacks
like the filesystem name hooks or the ones in the IPC code. We can't
just log the memory contents on syscall entry or exit.

If more such hooks are required, we need to identify and implement them.

-- 
dwmw2
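The race described in the mail, as an added example that is not from the post or from the kernel's audit code: a small user-space C model in which "user memory" holding a pathname argument is rewritten between the audit subsystem's read and the syscall's own copy. `entry_time_logging()` models logging the pointed-to memory at syscall entry and shows the record drifting from what the syscall actually used; `hooked_logging()` models the callback approach the mail recommends, where the record is filled from the kernel-side buffer at the single point the syscall consumes it. All names (`copy_from_user_model`, `concurrent_writer`, `audit_hook`) and the sample pathnames are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a user-space argument buffer (a pathname). In the
 * kernel this would be a user pointer; here it is a plain global buffer. */
static char user_mem[64];

/* What the audit subsystem records, and what the syscall actually acted on. */
static char audit_record[64];
static char used_value[64];

/* Model of copy_from_user(): one read of user memory into a kernel buffer. */
static void copy_from_user_model(char *kbuf, size_t len)
{
    strncpy(kbuf, user_mem, len - 1);
    kbuf[len - 1] = '\0';
}

/* Models another thread of the same process rewriting the argument buffer
 * while the syscall is in flight (the race window the mail warns about). */
static void concurrent_writer(const char *new_value)
{
    strncpy(user_mem, new_value, sizeof user_mem - 1);
    user_mem[sizeof user_mem - 1] = '\0';
}

/* Approach 1: audit dereferences the pointer itself at syscall entry, then
 * the syscall body performs its own copy_from_user() later. Two reads of the
 * same user memory, so a writer in between makes the record lie.
 * Returns true only if the record matches what the syscall used. */
bool entry_time_logging(const char *initial, const char *racer)
{
    concurrent_writer(initial);
    copy_from_user_model(audit_record, sizeof audit_record); /* audit's read */
    concurrent_writer(racer);                                  /* race window */
    copy_from_user_model(used_value, sizeof used_value);       /* syscall's read */
    return strcmp(audit_record, used_value) == 0;
}

/* Approach 2: a hook at the point the syscall consumes the argument fills
 * the audit record from the kernel-side copy. User memory is read once, so
 * the record and the value acted on cannot diverge. */
static void audit_hook(const char *kbuf)
{
    strncpy(audit_record, kbuf, sizeof audit_record - 1);
    audit_record[sizeof audit_record - 1] = '\0';
}

bool hooked_logging(const char *initial, const char *racer)
{
    concurrent_writer(initial);
    concurrent_writer(racer);                            /* writer may run any time */
    copy_from_user_model(used_value, sizeof used_value); /* the only read */
    audit_hook(used_value);                              /* record what was used */
    concurrent_writer(initial);                          /* later writes change nothing */
    return strcmp(audit_record, used_value) == 0;
}

int main(void)
{
    printf("entry-time logging consistent: %s\n",
           entry_time_logging("/etc/passwd", "/tmp/x") ? "yes" : "no");
    printf("hooked logging consistent:     %s\n",
           hooked_logging("/etc/passwd", "/tmp/x") ? "yes" : "no");
    return 0;
}
```

The model is deterministic rather than threaded so the outcome is reproducible, but the ordering it forces is exactly what a second thread can produce on a real system. The defensive consequence is the one the mail draws: an audit record is only trustworthy if it is derived from the same copy of the data the kernel acted on, which is why the pathname and IPC hooks sit inside the code that does the copying rather than at syscall entry or exit.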