Re: execve

From: Serge E. Hallyn (hallynat_private)
Date: Fri May 25 2001 - 10:46:17 PDT


    Well, you could security_ops->task_ops->set_label(filename) to do the check.
    If this function returns nonzero, execve will return with that value.
    
    -serge
    
    Quoting Chris Wright (chrisat_private):
    > * Chris Lundberg (clundberat_private) wrote:
    > > What is the best way to monitor calls to execve using the lsm?  We are
    > > trying to monitor, and perhaps conditionally prevent, program execution.
    > 
    > Calls to sys_execve are not monitored by lsm.  Right now, the way to care if
    > a process can exec a program is via the security_ops->inode_ops->permission()
    > call and checking for MAY_EXEC.  (Note: the permission() call always calls
    > the security_ops->inode_ops->permission() function before doing anything
    > else).
    > 
    > sys_execve is arch dependent, and it calls the non-arch dependent function
    > fs/exec.c:do_execve() which in fairly short order calls permission().
    > 
    > A few other checks happen a little later, but that ought to get you started.
    > 
    > -chris
    > 
    > _______________________________________________
    > linux-security-module mailing list
    > linux-security-moduleat_private
    > http://mail.wirex.com/mailman/listinfo/linux-security-module
    
    



    This archive was generated by hypermail 2b30 : Fri May 25 2001 - 10:47:31 PDT
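
The call path described in the quoted message, as a userspace C model added here (not code from the thread or from the LSM patch). The struct layout, the denylist policy, the inode numbers and `model_do_execve` are assumptions made for illustration, and the mode-bit test is a simplification of the kernel's own permission check.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdio.h>

#define MAY_EXEC 1 /* same value as the kernel's MAY_EXEC mask bit */

struct inode { unsigned long i_ino; unsigned short i_mode; };
struct inode_security_ops { int (*permission)(struct inode *inode, int mask); };
struct security_operations { struct inode_security_ops *inode_ops; };

static const unsigned long denied_inodes[] = { 4242 }; /* hypothetical policy */
static unsigned long exec_seen; /* exec attempts the module has observed */

/* Module hook: count every exec request, refuse the denylisted inodes. */
static int demo_inode_permission(struct inode *inode, int mask)
{
    size_t i;
    if (!(mask & MAY_EXEC))
        return 0; /* reads and writes are not this policy's concern */
    exec_seen++;
    for (i = 0; i < sizeof denied_inodes / sizeof denied_inodes[0]; i++)
        if (inode->i_ino == denied_inodes[i])
            return -EPERM;
    return 0;
}

static struct inode_security_ops demo_inode_ops = { demo_inode_permission };
static struct security_operations demo_ops = { &demo_inode_ops };
static struct security_operations *security_ops = &demo_ops;

/* Stand-in for permission(): module hook first, then a simplified mode check. */
static int permission(struct inode *inode, int mask)
{
    int err = security_ops->inode_ops->permission(inode, mask);
    if (err)
        return err;
    return ((mask & MAY_EXEC) && !(inode->i_mode & 0111)) ? -EACCES : 0;
}

/* Stand-in for do_execve(): a nonzero result is what execve hands back. */
static int model_do_execve(struct inode *inode) { return permission(inode, MAY_EXEC); }

int main(void)
{
    struct inode ok = { 100, 0755 }, blocked = { 4242, 0755 }, noexec = { 7, 0644 };
    printf("ok=%d blocked=%d noexec=%d\n", model_do_execve(&ok),
           model_do_execve(&blocked), model_do_execve(&noexec));
    printf("exec attempts seen by module: %lu\n", exec_seen);
    return 0;
}
```

Because the module hook runs before the mode-bit test, it observes every exec attempt, including ones the ordinary check would refuse anyway.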