
Re: syscall arguments in audit records



Please don't top-post, and please don't use HTML.

On Fri, 2005-03-25 at 15:53 -0600, Debora Velarde wrote:
> Some of the system call arguments have useful information; they're not
> just pointing to a memory address. 

This is true, but some are pointers to memory. We need to be careful
here -- whenever we dereference such a pointer, we need to make sure
that the contents of the memory it points to are not changed between the
time we read them, and the time the system call itself calls
copy_from_user() to read them again. Basically, we need to use callbacks
like the filesystem name hooks or the ones in the IPC code. We can't
just log the memory contents on syscall entry or exit.

If more such hooks are required, we need to identify and implement them.

-- 
dwmw2
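
A userspace model of the problem described in the message above, added here as an illustration; it is not part of the original post and is not kernel code. All names (`fetch_user`, `audit_hook`, `concurrent_writer`, the `file-A`/`file-B` values) are hypothetical, and `fetch_user` only stands in for `copy_from_user()`.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

static char user_buf[NAME_LEN];      /* models user memory (constructed) */
static char audit_record[NAME_LEN];  /* what ends up in the audit log */
static char acted_on[NAME_LEN];      /* kernel copy the syscall really uses */

/* Stand-in for copy_from_user(): one fetch of user memory. */
static void fetch_user(char *dst) { snprintf(dst, NAME_LEN, "%s", user_buf); }

/* Models another thread of the caller rewriting the argument. */
static void concurrent_writer(void) { snprintf(user_buf, NAME_LEN, "file-B"); }

/* Logging at syscall entry: audit and the syscall each fetch separately. */
static int log_at_entry(void)
{
    snprintf(user_buf, NAME_LEN, "file-A");
    fetch_user(audit_record);   /* fetch 1: audit dereferences the pointer */
    concurrent_writer();        /* memory changes inside the window */
    fetch_user(acted_on);       /* fetch 2: the syscall's own copy */
    return strcmp(audit_record, acted_on) == 0;   /* 0: record is wrong */
}

/* Hook called by the syscall path with the copy it already made. */
static void audit_hook(const char *kernel_copy)
{
    snprintf(audit_record, NAME_LEN, "%s", kernel_copy);
}

static int log_via_hook(void)
{
    snprintf(user_buf, NAME_LEN, "file-A");
    fetch_user(acted_on);       /* the only fetch of user memory */
    concurrent_writer();        /* same window, but nothing re-reads */
    audit_hook(acted_on);
    return strcmp(audit_record, acted_on) == 0;   /* 1: record matches */
}

int main(void)
{
    printf("entry logging matches syscall: %d\n", log_at_entry());
    printf("hook logging matches syscall:  %d\n", log_via_hook());
    return 0;
}
```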

