Seth Arnold wrote:

> The case for this hook: I want to know when an executable file has been
> written to. I don't care who writes to the file, nor do I care about
> possibly allowing or denying the write. I *do* care about knowing *when*
> it was written to, and hooking here is important because it removes
> a race condition.
>
> This particular function is one of the few functions with access to the
> spinlock serializing access to the ETXTBUSY error return when a file is
> executing and someone tries to open the thing for writing. I think if I
> tried to place the hook elsewhere, I could be vulnerable to a race
> condition of someone executing the program before opening it for
> writing.

I probably didn't understand well enough what the goal is and how the
above race condition could violate the goal.

Is the goal to log all writes to an executable file? If so, isn't this
... gasp ... audit? (expressions of horror all around, I'm sure)

If there is a race condition in existing hooks, I'm wondering whether
maybe the existing hooks ought to be augmented directly to combat the
race.

If this concern sounds pretty vague, that's because it is. Since I have
the feeling I didn't understand quite what you are doing, quite possibly
I am way off the mark here.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Mon Oct 01 2001 - 20:53:54 PDT