> examle: pseudocode for the unlink syscall
>
> long your_wrapped_syscall(char *userfilename)
> {
> char kernelpointer[something];
> copy_from_user(kernelpointer, usefilename, ...);
> audit_log(kernelpointer);
> return original_syscall(userfilename);
> }
That code has another hole that nobody else has mentioned
yet: I can fill the audit log by trying to delete nonexistent files,
and if accused of trying to mount a DOS attack on the audit trail
I can reasonably claim that it was all an accident...
How about:
long wrapped_unlink(char *userfilename)
{
char name1[len], name2[len];
long ret;
copy_from_user(name1, userfilename, ...);
ret = original_unlink(userfilename);
copy_from_user(name2, userfilename, ...);
if (strncmp(name1, name2, len))
audit_log(name1, name2, UNLINK_NAME_CHANGED);
if (ret == 0 && AUDIT_SUCCESS)
audit_log(name1, name2, UNLINK_SUCCEEDED);
if (ret == -EPERM && AUDIT_FAILURE)
audit_log(name1, name2, UNLINK_FAILED);
return ret;
}
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/