race in audit_log_untrusted_string for task_struct::comm
Steve Grubb
sgrubb at redhat.com
Mon Mar 17 13:01:45 UTC 2014
On Saturday, March 15, 2014 07:28:46 PM Richard Guy Briggs wrote:
> I'm inclined to go get_task_comm() in all 5 locations, but if we care
> more about locking overhead, I'll switch to memcpy().
>
> Steve, do we care about the integrity of the comm field?
In the case of interpreters, its about the only thing we know about the
application being executed. For example, a shell script will have exe=/bin/sh,
so comm= is our only clue.
-Steve
More information about the Linux-audit
mailing list