Decoding arguments passed to system calls
Steve Grubb
sgrubb at redhat.com
Wed Jul 4 15:03:30 UTC 2007
On Tuesday 03 July 2007 10:38:05 am Stephen Smalley wrote:
> One caveat though - auditing of write() won't catch all possible ways of
> modifying the file data, e.g. one could mmap() the file with MAP_SHARED
> and then write to the memory, followed by msync or munmap.
Agreed. And another gotcha is programs that could pass a descriptor across
af_unix sockets where it is then mmap'ed. There is also sendfile which could
send the file away to be viewed by other people and there is splice() &
tee(2). Don't forget the *at() syscalls, too. IOW, I think the problem is
trickier than it might initially appear.
Based on your requirements, you might want to consider putting in place some
SE Linux policy to control the different ways that a file can be accessed to
keep apps honest. Then you don't need to worry about all the sneak paths that
could subvert the audit system.
-Steve
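The two "sneak paths" named in this reply, modifying a file through a MAP_SHARED mapping and handing an already-open descriptor to another party over an AF_UNIX socket, are easy to see concretely. The C program below is an added example written for this archive page; it is not code from the thread or from the audit project. It populates a file with write(2), the one call a rule of the form `-S write` would log, then changes the contents twice without ever calling write(2): once through mmap/msync/munmap on a descriptor it opened itself, and once through a descriptor it first passes with SCM_RIGHTS across a socketpair before mapping it on the receiving end. The temporary path and the sample contents are assumptions for the demo.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Populate the file with write(2): the one call a rule keyed on -S write sees. */
int create_file(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n = fd < 0 ? -1 : write(fd, data, len);
    if (fd >= 0) close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Overwrite bytes through a MAP_SHARED mapping of an open descriptor. Only
 * mmap/msync/munmap are issued; no write(2) ever happens on this path. */
int modify_fd_via_mmap(int fd, off_t offset, const char *data, size_t len)
{
    struct stat st;
    if (fstat(fd, &st) < 0 || offset < 0 || offset + (off_t)len > st.st_size)
        return -1;                             /* refuse to grow the file */
    char *map = mmap(NULL, st.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) return -1;
    memcpy(map + offset, data, len);           /* the "write" is a plain store */
    int rc = msync(map, st.st_size, MS_SYNC);  /* flush dirty pages to the file */
    munmap(map, st.st_size);
    return rc;
}

/* Sneak path 1: open the file read/write and modify it through the mapping. */
int modify_via_mmap(const char *path, off_t offset, const char *data, size_t len)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    int rc = modify_fd_via_mmap(fd, offset, data, len);
    close(fd);
    return rc;
}

/* Send one descriptor over an AF_UNIX socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))] = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* Sneak path 2: hand the open descriptor across a unix socket and modify it
 * through a mapping on the receiving end. Both ends live in this process for
 * the demo; in practice the receiver is another program entirely. */
int pass_fd_and_modify(const char *path, off_t offset, const char *data, size_t len)
{
    int sv[2], rc = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int fd = open(path, O_RDWR);
    int got = (fd >= 0 && send_fd(sv[0], fd) == 0) ? recv_fd(sv[1]) : -1;
    if (got >= 0) { rc = modify_fd_via_mmap(got, offset, data, len); close(got); }
    if (fd >= 0) close(fd);
    close(sv[0]); close(sv[1]);
    return rc;
}

/* Read the file back with read(2) and compare, so the result can be checked. */
int file_equals(const char *path, const char *expected)
{
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```

Run it under `strace -e trace=write,mmap,msync,sendmsg,recvmsg` to see that only the initial population shows up as write(2); everything after that is a store to mapped memory. One practical check worth knowing: an audit file watch (`-w /path -p w`) keys on the permission requested at open time rather than on write(2), so it does record the O_RDWR open that both paths above still need, but for the descriptor-passing case it attributes that open to the sender, not to the process that actually modified the data.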