On Thu, 26 Mar 2020, KP Singh wrote:

> From: KP Singh <kpsingh@xxxxxxxxxx>
>
> * Load/attach a BPF program that hooks to file_mprotect (int)
>   and bprm_committed_creds (void).
> * Perform an action that triggers the hook.
> * Verify if the audit event was received using the shared global
>   variables for the process executed.
> * Verify if the mprotect returns a -EPERM.
>
> Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx>
> Reviewed-by: Brendan Jackman <jackmanb@xxxxxxxxxx>
> Reviewed-by: Florent Revest <revest@xxxxxxxxxx>
> Reviewed-by: Thomas Garnier <thgarnie@xxxxxxxxxx>

Cool stuff!

Reviewed-by: James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>

--
James Morris <jmorris@xxxxxxxxx>