Re: sys_open

On Oct 22, 2004, at 3:21 AM, Arjan van de Ven wrote:

On Fri, 2004-10-22 at 01:40, Can Sar wrote:
Hi,

I am making some modifications to the Linux sys_open function to keep
track of various things. Two of the things I am trying to do are to get
the path of the executable that is doing the open

that may no longer exist by the time open() is called; you can rm an executable after it has started.... or replace it or .. or ..

I absolutely agree with you that some of these things might cause problems, or security holes. This is, however, for a research project, so it will never find its way into any critical system. But knowing the name or original path of the executable (at exec time) would be great. I've been reading through the sys_exec code, and while it seems like the info is discarded, I feel like there must be some way of getting it that I am missing.


Greetings,
Can


, and the path of the file being opened.

which is generally meaningless outside the current process, you need at
minimum also log all the namespace information of the current process in
order to get to some more globally useful filename.


Let me start with the file name: I have tried to copy the path from the
user (it is stored by) filename using strncpy_from_user into a buffer
of size PATH_MAX, and also tried to strcpy tmp, which is what
getname(filename) returns (a kernel pointer).

that is also a bug; that doesn't HAVE to be the file that will be actually opened, if you want to use this for some security thing (say auditing), assume the following scenario:

2 threads in userspace, one running on each cpu

CPU 0                       CPU 1
calls open()                .....
your code copies            .....
...                         replaces the string in memory by something else
the real open() copies      ......


and your copy doesn't match the file open() uses...
this may sound theoretical, but with rdtsc games you can do this quite
accurately (been there done that).


-- Kernelnewbies: Help each other learn about the Linux kernel. Archive: http://mail.nl.linux.org/kernelnewbies/ FAQ: http://kernelnewbies.org/faq/
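The race described in the quoted reply, as an added example that is not part of the original thread: a user-space C model in which a hook and the real open() each copy the name from user memory, next to a version that copies once and uses that copy for both. All names here (struct audit, fetch_from_user, other_thread_rewrites, the /constructed paths) are hypothetical, and the second thread is replaced by a deterministic call placed in the window between the copies.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64

struct audit { char logged[PATH_BUF]; char opened[PATH_BUF]; };

/* Constructed stand-in for the user-space string passed to open(). */
static char user_mem[PATH_BUF];

/* Models a copy from user memory into a kernel-side buffer. */
static void fetch_from_user(char *dst) { snprintf(dst, PATH_BUF, "%s", user_mem); }

/* Deterministic stand-in for the thread on CPU 1 replacing the string. */
static void other_thread_rewrites(void) { snprintf(user_mem, PATH_BUF, "%s", "/constructed/b"); }

/* Pattern questioned in the thread: the hook copies the name, then the
 * real open() copies it again from user memory. */
struct audit open_double_fetch(const char *path)
{
    struct audit a;
    snprintf(user_mem, PATH_BUF, "%s", path);
    fetch_from_user(a.logged);      /* the hook's own copy */
    other_thread_rewrites();        /* window between the two copies */
    fetch_from_user(a.opened);      /* the copy the real open() acts on */
    return a;
}

/* Single fetch: one kernel-side copy feeds both the log and the open. */
struct audit open_single_fetch(const char *path)
{
    struct audit a;
    char kname[PATH_BUF];
    snprintf(user_mem, PATH_BUF, "%s", path);
    fetch_from_user(kname);         /* the only read of user memory */
    other_thread_rewrites();        /* too late to change kname */
    snprintf(a.logged, PATH_BUF, "%s", kname);
    snprintf(a.opened, PATH_BUF, "%s", kname);
    return a;
}

int main(void)
{
    struct audit d = open_double_fetch("/constructed/a"), s = open_single_fetch("/constructed/a");
    printf("double fetch: logged=%s opened=%s\n", d.logged, d.opened);
    printf("single fetch: logged=%s opened=%s\n", s.logged, s.opened);
    return 0;
}
```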


