On Fri, 2004-10-22 at 01:40, Can Sar wrote:
> Hi,
>
> I am making some modifications to the Linux sys_open function to keep
> track of various things. Two of the things I am trying to do is to get
> the path of the executable that is doing the open

that may no longer exist by the time open() is called; you can rm an
executable after it has started.... or replace it or .. or ..

> , and the path of the file being opened.

which is generally meaningless outside the current process, you need at
minimum also log all the namespace information of the current process in
order to get to some more globally useful filename.

> Let me start with the file name: I have tried to copy the path from the
> user (it is stored by) filename using strncpy_from_user into a buffer
> of size PATH_MAX, and also tried to strcpy tmp, which is what
> getname(filename) returns (a kernel pointer).

that is also a bug; that doesn't HAVE to be the file that will be
actually opened, if you want to use this for some security thing (say
auditing), assume the following scenario:

2 threads in userspace, one running on each cpu

CPU 0                      CPU 1
calls open()               .....
your code copies           .....
...                        replaces the string in memory by something else
the real open() copies     ......

and your copy doesn't match the file open() uses...

this may sound theoretical, but with rdtsc games you can do this quite
accurately (been there done that).

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
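
Added example (not part of the original message and not kernel code): a user-space C model of the two-CPU scenario in the reply, showing why an audit copy taken separately from the copy open() uses can disagree with it. `user_mem`, `fetch`, `swap_path` and the paths `/tmp/a` and `/tmp/b` are constructed stand-ins; the single-fetch variant is a common mitigation assumed here, not something the thread proposes.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64                  /* stand-in for PATH_MAX in this model */
static char user_mem[PATH_BUF];      /* models memory a second thread can rewrite */

typedef void (*race_fn)(void);       /* hypothetical hook: "CPU 1" runs here */
static void no_race(void) {}
static void swap_path(void) { strcpy(user_mem, "/tmp/b"); }

/* Stand-in for strncpy_from_user(): one fetch from "user" memory. */
static void fetch(char *dst) { snprintf(dst, PATH_BUF, "%s", user_mem); }

/* Pattern from the thread: the audit hook fetches the path, then the real
 * open() fetches it again. Returns 1 if the logged path matches the opened one. */
int audit_double_fetch(race_fn other_cpu, char *logged, char *opened)
{
    fetch(logged);                   /* "your code copies" */
    other_cpu();                     /* CPU 1 replaces the string in memory */
    fetch(opened);                   /* "the real open() copies" */
    return strcmp(logged, opened) == 0;
}

/* Single fetch: copy once, then audit and open both use that private copy. */
int audit_single_fetch(race_fn other_cpu, char *logged, char *opened)
{
    char kbuf[PATH_BUF];
    fetch(kbuf);                     /* the only read of user memory */
    other_cpu();                     /* too late: kbuf is not user-writable */
    strcpy(logged, kbuf);
    strcpy(opened, kbuf);
    return strcmp(logged, opened) == 0;
}

/* Run one scenario: single = which pattern, race = whether CPU 1 interferes. */
int run(int single, int race)
{
    char logged[PATH_BUF], opened[PATH_BUF];
    race_fn f = race ? swap_path : no_race;
    strcpy(user_mem, "/tmp/a");      /* constructed sample path */
    return single ? audit_single_fetch(f, logged, opened)
                  : audit_double_fetch(f, logged, opened);
}

int main(void)
{
    printf("double fetch, no race: log matches = %d\n", run(0, 0));
    printf("double fetch, race:    log matches = %d\n", run(0, 1));
    printf("single fetch, race:    log matches = %d\n", run(1, 1));
    return 0;
}
```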