
Re: Auditing - Snare, LAuS, SELinux



On Wed, Aug 25, 2004 at 07:08:35PM -0500, Jonathan Abbey wrote:
> I assume you're talking about the
> 
>         testb $(_TIF_SYSCALL_TRACE|_TIF_SYSCALL_AUDIT),TI_flags(%ebp)
>         jnz syscall_trace_entry
> 
> stuff in /arch/i386/kernel/entry.S and succeeding?
> 
> I'm afraid I'm not literate enough in either the kernel's low level
> operations or in its history to understand what it is about this
> sequence that is novel.. it seems a straightforward branch in the
> entry code.. had that branch already been paid for in an earlier
> implementation?

Exactly. The test already happened against _TIF_SYSCALL_TRACE, which
is a bit signaling that this process is being ptrace'd. Since all the
audit code did was test *at the same time* against another bit
(_TIF_SYSCALL_AUDIT) no one objected to it.

Cheers, 
Muli
-- 
Muli Ben-Yehuda
http://www.mulix.org | http://mulix.livejournal.com/
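
An added illustration, not part of the original message and not kernel code: a user-space C model of the point made in the reply, where one combined mask test on the syscall entry path serves both ptrace and audit, and the two bits are distinguished only on the slow path. The bit positions, the struct and the counter names are assumptions made for this model.

```c
#include <stdio.h>

/* Bit positions are assumptions for this model; the kernel defines the real
 * ones. Both must sit in the low byte for a byte-wide testb to see them. */
#define _TIF_SYSCALL_TRACE (1u << 0)   /* task is being ptrace'd */
#define _TIF_SYSCALL_AUDIT (1u << 7)   /* task is being audited */
#define SLOW_PATH_MASK     (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)

struct thread_info { unsigned int flags; };   /* model, not the kernel struct */
struct counters { int fast, slow, ptrace_stops, audit_records; };

/* Stands in for syscall_trace_entry: the two bits are told apart only here,
 * off the hot path. */
static void slow_path(const struct thread_info *ti, struct counters *c)
{
    c->slow++;
    if (ti->flags & _TIF_SYSCALL_AUDIT)
        c->audit_records++;
    if (ti->flags & _TIF_SYSCALL_TRACE)
        c->ptrace_stops++;
}

/* Stands in for the testb/jnz pair: one test and one branch, regardless of
 * how many bits are in the mask. */
static void syscall_entry(const struct thread_info *ti, struct counters *c)
{
    if ((unsigned char)ti->flags & SLOW_PATH_MASK)
        slow_path(ti, c);
    else
        c->fast++;
}

/* Issue n modelled syscalls from a task with the given flags. */
struct counters run(unsigned int flags, int n)
{
    struct thread_info ti = { flags };
    struct counters c = { 0, 0, 0, 0 };
    for (int i = 0; i < n; i++)
        syscall_entry(&ti, &c);
    return c;
}

int main(void)
{
    struct counters c = run(_TIF_SYSCALL_AUDIT, 3);
    printf("audited task: slow=%d audit_records=%d fast=%d\n",
           c.slow, c.audit_records, c.fast);
    return 0;
}
```

A task with neither bit set never leaves the fast path, which is why adding the audit bit to the existing test costs unaudited processes nothing.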
