Re: execve

From: Chris Wright (chrisat_private)
Date: Fri May 25 2001 - 10:35:18 PDT

    * Chris Lundberg (clundberat_private) wrote:
    > What is the best way to monitor calls to execve using the lsm?  We are
    > trying to monitor, and perhaps conditionally prevent, program execution.
    
    Calls to sys_execve are not monitored by lsm.  Right now, the way to care if
    a process can exec a program is via the security_ops->inode_ops->permission()
    call and checking for MAY_EXEC.  (Note: the permission() call always calls
    the security_ops->inode_ops->permission() function before doing anything
    else).
    
    sys_execve is arch dependent, and it calls the non-arch dependent function
    fs/exec.c:do_execve() which in fairly short order calls permission().
    
    A few other checks happen a little later, but that ought to get you started.
    
    -chris
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:38:31 PDT