Date:      Tue, 18 Oct 2005 11:23:01 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        John Baldwin <jhb@freebsd.org>
Cc:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   Re: PERFORCE change 85448 for review
Message-ID:  <20051018112150.S56080@fledge.watson.org>
In-Reply-To: <200510171538.30876.jhb@freebsd.org>
References:  <200510171542.j9HFgRhI073994@repoman.freebsd.org> <200510171538.30876.jhb@freebsd.org>


On Mon, 17 Oct 2005, John Baldwin wrote:

> On Monday 17 October 2005 11:42 am, Robert Watson wrote:
>> http://perforce.freebsd.org/chv.cgi?CH=85448
>>
>> Change 85448 by rwatson@rwatson_zoo on 2005/10/17 15:41:26
>>
>> 	In execve(), audit the path name being executed.  Annotate that it
>> 	would also be good to audit the pathname of the interpreter, if
>> 	any.
>
> It's not a huge deal to do that you know, add the AUDITVNPATH1 flag to 
> the various name lookups in imgact_foo.c

I'm not sure I fully understand how the lookups are managed in execve() -- 
if you look at the do_execve() code, you'll see that it iterates around 
and re-executes the same namei() for the interpreter label -- however, 
when I instrument it so that a second invocation audits as the second 
audit path, no second path appears, suggesting that in fact it is in the 
image activator.  I'll have to do some more reading.

Robert N M Watson

>
>> Affected files ...
>>
>> .. //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 edit
>>
>> Differences ...
>>
>> ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 (text+ko)
>> ====
>>
>> @@ -350,10 +350,13 @@
>>  	/*
>>  	 * Translate the file name. namei() returns a vnode pointer
>>  	 *	in ni_vp amoung other things.
>> +	 *
>> +	 * XXXAUDIT: It would be desirable to also audit the name of the
>> +	 * interpreter if this is an interpreted binary.
>>  	 */
>>  	ndp = &nd;
>> -	NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE,
>> -	    UIO_SYSSPACE, args->fname, td);
>> +	NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE |
>> +	    AUDITVNPATH1, UIO_SYSSPACE, args->fname, td);
>>
>>  interpret:
>>  	error = namei(ndp);
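Review bot: the XXXAUDIT comment added above NDINIT() says the interpreter name should be audited, but it does not say where that lookup is set up or which audit path it should fill. In this hunk AUDITVNPATH1 is passed only in the NDINIT() call that precedes the `interpret:` label, while `namei(ndp)` follows the label, so any pass that jumps back to `interpret:` depends on a re-initialisation of ndp that is not visible here. If that re-initialisation carries no audit flag, the interpreter path is never recorded; if it reuses AUDITVNPATH1, it would presumably compete with args->fname for the same path. Suggest extending the comment to name the place where ndp is prepared for the interpreter lookup and the audit flag that lookup is expected to carry, so the follow-up change has a clear target.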
>
> -- 
> John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
> "Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
>


