* Chris Lundberg (clundberat_private) wrote:
> What is the best way to monitor calls to execve using the lsm? We are
> trying to monitor, and perhaps conditionally prevent, program execution.

Calls to sys_execve are not monitored by lsm. Right now, the way to care if a process can exec a program is via the security_ops->inode_ops->permission() call and checking for MAY_EXEC. (Note: the permission() call always calls the security_ops->inode_ops->permission() function before doing anything else).

sys_execve is arch dependent, and it calls the non-arch dependent function fs/exec.c:do_execve() which in fairly short order calls permission(). A few other checks happen a little later, but that ought to get you started.

-chris
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:38:31 PDT