Hi Steven,
On Tue, Sep 29, 2020 at 07:49:24PM -0400, Steven Rostedt wrote:
> On Tue, 29 Sep 2020 19:47:12 -0400
> Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
>
> > On Thu, 10 Sep 2020 16:33:38 -0700
> > Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> >
> > > > @@ -1940,6 +1941,7 @@ static int bprm_execve(struct linux_binprm *bprm,
> > > > task_numa_free(current, false);
> > > > if (displaced)
> > > > put_files_struct(displaced);
> > > > + fbfam_execve();
> > >
> > > As mentioned in the other emails, I think this could trivially be
> > > converted into an LSM: all the hooks are available AFAICT. If you only
> > > want to introspect execve _happening_, you can use bprm_creds_for_exec
> > > which is called a few lines above. Otherwise, my prior suggestion ("the
> > > exec has happened" hook via brpm_cred_committing, etc).
> >
> > And if its information only, you could just register a callback to the
> > trace_sched_process_exec() tracepoint and do whatever you want then.
> >
> > The tracepoints are available for anyone to attach to. Not just tracing.
> >
> And there's also trace_sched_process_fork() and
> trace_sched_process_exit().
Since this feature requires a pointer to the statistical data in the
task_struct structure, and the LSM allows this using the security blobs,
I think that the best for now is convert all the code to an LSM. Anyway,
thanks for the suggestion.
> -- Steve
Thanks,
John Wood
