Casey Schaufler wrote:
>A good audit
>analysis tool is going to be able to answer queries based on fd,
>such as "where did this Trojan Horse get stdin from?".

But this is not responsive to the question. This may be a good reason to record what fd 0 is connected to when the app was started, but it's not clear to me why this is a good reason to audit the fd on every call to read().

(I'll note, though, that this is the closest I've heard to a reason that came close to persuading me: I could imagine that there might be some persuasive argument based on the fact that fds 0, 1, and 2 are special. After some thought, I couldn't think of any such scenario, though, so I must admit that I am still unconvinced. Please let me know if I am missing something.)

_______________________________________________
linux-security-module mailing list
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 19:41:05 PDT