On Wed, 30 May 2001, Titus D. Winters wrote:

> So Chris Lundberg and I are in the process of porting over a honeypot that
> I wrote as an LKM a while back. Since we are hiding files and processes,
> we are finding that returning EPERM in places (like ptrace, open, and
> several others) is less useful than returning something like ESRCH or
> ENOENT. Aside from the 1 assignment per query performance hit, why are we
> not doing something like
>
>     if ((ret = security_ops->ptrace(current->p_pptr, current)))
>         goto out;
>
> instead of
>
>     if (security_ops->ptrace(current->p_pptr, current))
>         goto out;

From a safety point of view, you must then reset the value of 'ret' to its
previous value after a successful call to the hook. Otherwise, subsequent
code may incorrectly assume that 'ret' still has a previously assigned
value. For example, if you apply the same change to the subsequent call to
security_ops->ptrace(current,child), then you will create a problem for the
checks that follow it. Those checks expect 'ret' to still be -EPERM, not
zero.

Are you also filtering the reads of /proc (to hide processes) and of
ordinary directories (to hide files)?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
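The failure mode Smalley describes, shown in a constructed model of the sys_ptrace() control flow (this is added illustration, not kernel code or code from either poster): 'ret' is pre-set to -EPERM, the hook is consulted, and later permission checks just 'goto out' trusting that value. The hook, the pid it hides and the 'later_check_fails' flag are all hypothetical.

```c
#include <errno.h>

/* Hypothetical LSM-style hook: the honeypot hides pid 42, so asking to
 * trace it is answered with -ESRCH ("no such process"); everything else
 * is allowed (0). Constructed for this example. */
typedef int (*ptrace_hook_t)(int parent, int child);

static int hidden_pid_hook(int parent, int child)
{
    (void)parent;
    return child == 42 ? -ESRCH : 0;
}

/* The proposed pattern: 'ret' is overwritten with the hook's result.
 * On an allowed call ret becomes 0, so a later check that fails and
 * jumps to 'out' returns success instead of -EPERM. */
int ptrace_clobbered(ptrace_hook_t hook, int parent, int child,
                     int later_check_fails)
{
    int ret = -EPERM;
    if ((ret = hook(parent, child)))
        goto out;
    if (later_check_fails)   /* models the uid/dumpable style checks that follow */
        goto out;            /* still assumes ret == -EPERM */
    ret = 0;                 /* attach permitted */
out:
    return ret;
}

/* Smalley's fix: keep the hook's error code, but restore 'ret' to its
 * previous value once the hook has allowed the operation. */
int ptrace_restored(ptrace_hook_t hook, int parent, int child,
                    int later_check_fails)
{
    int ret = -EPERM;
    if ((ret = hook(parent, child)))
        goto out;
    ret = -EPERM;            /* reset: later checks depend on this value */
    if (later_check_fails)
        goto out;
    ret = 0;
out:
    return ret;
}
```

With the clobbered variant a failing later check reports 0, i.e. a denied attach is reported as granted; the restored variant reports -EPERM as before while still propagating the hook's -ESRCH.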
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 11:51:35 PDT