Detecting loading of libraries
Steve Grubb
sgrubb at redhat.com
Tue Jan 27 00:48:14 UTC 2015
On Wednesday, January 21, 2015 04:01:59 PM hsultan at thefroid.net wrote:
> I'm wondering if there's a good way of detecting the loading of
> libraries by processes (I am specifically NOT talking about the uselib
> syscall).
This has never been a problem people needed a solution for. It's always been
assumed that the runtime linker does the right thing.
> strace shows me apps do open(...)/mmap/mprotect
> I'm currently intercepting mmap calls, however no additional context
> records are given to provide the name of the library, and the file
> descriptor is the 5th parameter, so I can't get that either to match it
> to an open(...)
>
> Is there a way to do this that I'm missing?
I'd almost think you'd want to patch ld.so to provide this...but then it's not
running as a privileged process. So, it can't do it. Ld is the thing that
knows the _intent_ behind the open and mmap and mprot. Nothing else does.
-Steve
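
The open()/mmap() correlation asked about above can be done offline over strace output, where the mmap file descriptor is visible. This is an added example, not code from the thread: the sample trace is constructed, the function name is hypothetical, and treating a file-backed PROT_EXEC mapping as a library load is a heuristic, since only ld.so knows the intent behind the calls.

```python
import re

# Constructed strace-style sample (not captured from a real system).
SAMPLE = '''\
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 98304, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f0000100000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 3940800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0000200000
mprotect(0x7f00003b0000, 2097152, PROT_NONE) = 0
close(3) = 0
open("/nonexistent/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
mmap(NULL, 2187272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0000600000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0000900000
'''

OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)".*\) = (-?\d+)')
# Groups: protection flags (3rd argument) and file descriptor (5th argument).
MMAP_RE = re.compile(r'^mmap\([^,]+, \d+, ([A-Z_|]+), [A-Z_|]+, (-?\d+), ')
CLOSE_RE = re.compile(r'^close\((\d+)\) = 0')

def executable_mappings(trace):
    """Return paths of files mapped with PROT_EXEC, in first-seen order."""
    fd_to_path = {}   # live descriptor -> path from the most recent open()
    found = []
    for line in trace.splitlines():
        if m := OPEN_RE.match(line):
            fd = int(m.group(2))
            if fd >= 0:                      # skip failed opens (-1 ENOENT)
                fd_to_path[fd] = m.group(1)  # a reused fd overwrites the old path
        elif m := MMAP_RE.match(line):
            prot, fd = m.group(1).split('|'), int(m.group(2))
            # Anonymous mappings use fd -1 and never match a tracked open().
            if 'PROT_EXEC' in prot and fd in fd_to_path:
                if fd_to_path[fd] not in found:
                    found.append(fd_to_path[fd])
        elif m := CLOSE_RE.match(line):
            fd_to_path.pop(int(m.group(1)), None)  # fd is free for reuse
    return found

if __name__ == "__main__":
    for path in executable_mappings(SAMPLE):
        print(path)
```

The descriptor table is per process, so a trace that follows forks has to be split by PID before being passed in.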