From: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
To: David Woodhouse <dwmw2@infradead.org>
Cc: linux-kernel@vger.kernel.org, mingo@redhat.com
Subject: Re: System call audit
Date: Tue, 13 May 2008 09:51:45 -0400 [thread overview]
Message-ID: <20080513135145.GA2311@Krystal> (raw)
In-Reply-To: <1210683590.3582.242.camel@pmac.infradead.org>
* David Woodhouse (dwmw2@infradead.org) wrote:
> On Tue, 2008-05-13 at 08:51 -0400, Mathieu Desnoyers wrote:
> > * David Woodhouse (dwmw2@infradead.org) wrote:
> > > On Mon, 2008-05-12 at 20:06 -0400, Mathieu Desnoyers wrote:
> > > > Hi David,
> > > >
> > > > As I am looking into the system-wide system call tracing problem, I
> > > > start to wonder how auditsc deals with the fact that user-space could
> > > > concurrently change the content referred to by the __user pointers.
> > >
> > > In general we have to copy the content into kernel space, audit it, and
> > > then act on it from there. See the explanation on the IPC audit patch at
> > > http://lwn.net/Articles/125350/ for example.
> > >
> > > Auditing one thing and then acting on another would be simply broken.
> > >
> > > > This would be the case for execve. If we create a program with two
> > > > thread; one is executing execve syscalls and the other thread would be
> > > > modifying the userspace string containing the name of the program to
> > > > execute.
> > >
> > > I was going to suggest that that attack vector won't work, because
> > > execve() kills all threads. But all you have to do to avoid that is put
> > > the data in question into a shared writable mmap and modify it from
> > > another _process_. And in fact I suspect there's a combination of CLONE_
> > > flags which would avoid the thread-killing behaviour anyway.
> > >
> >
> > Even better : if execve fails, it doesn't kill the threads. Therefore,
> > all we have to do is to busy-loop doing failing execve() calls and
> > atomically change the string to what we want to be executed. Can anyone
> > test the sample snippet in a context where executing /bin/bash is
> > disallowed on a SMP system ? I don't have a selinux setup handy.
>
> You were talking about audit earlier. Now you seem to be talking about
> selinux.
>
Actually, getname/putname seems to make sure the name is only copied
once per audit context. So it should be ok.
Mathieu
--
Mathieu Desnoyers
OpenPGP key fingerprint: 8CD5 52C3 8E3C 4140 715F BA06 3F25 A8FE 3BAE 9A68
next prev parent reply other threads:[~2008-05-13 13:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-13 0:06 System call audit Mathieu Desnoyers
2008-05-13 9:24 ` David Woodhouse
2008-05-13 12:51 ` Mathieu Desnoyers
2008-05-13 12:59 ` David Woodhouse
2008-05-13 13:12 ` Mathieu Desnoyers
2008-05-13 13:19 ` Stephen Smalley
2008-05-13 13:51 ` Mathieu Desnoyers [this message]
2008-05-13 13:12 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080513135145.GA2311@Krystal \
--to=mathieu.desnoyers@polymtl.ca \
--cc=dwmw2@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.