On Wed, 16 Jul 2003 22:41:02 EDT, Omen Wild <Omen.Wildat_private> said:

> For now we're happy to leave that to another security module. We'd
> just like to be able to ensure the contents of certain files are what
> they're supposed to be.

A few random thoughts:

1) Make sure your code plays nice with the in-memory filesystem cache, so that as long as you have to read the pages in from disk, they're in the cache for when you actually start execution. It would Truly Suck if you had to do the I/O twice (on the other hand, make sure you DTRT if some bozo tries something like:

    sh -c "for i in /usr/bin/*; do $i > /dev/null 2>&1; done"

(Note, it's NOT a fork bomb, just dirtying a lot of pages really fast).

2) Shared libraries look to be interesting, because those don't happen via exec(), but via open/mmap games... so you'll need hooks there. And from the kernel, it may be hard to tell the distinction between a valid user-program call to mmap() of application stuff and /lib/ld-linux being convinced to use a trojaned shared lib via "LD_LIBRARY_PATH=~fred/lib:..."
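Added illustration of point 2, not part of the original thread or of any kernel module discussed in it: a user-space check that hashes every file-backed mapping listed in /proc/<pid>/maps against a manifest, which is where a library pulled in through LD_LIBRARY_PATH shows up even though exec() never saw it. The maps text, paths and file contents are constructed samples; the digest function is injected so the check runs offline.

```python
import hashlib
from typing import Callable, Dict, List


def file_backed_mappings(maps_text: str) -> List[str]:
    """Unique paths of file-backed mappings in /proc/<pid>/maps text
    (fields: addr perms offset dev inode [path]); anonymous mappings and
    pseudo-entries such as [stack], which carry inode 0, are skipped."""
    paths: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        inode, path = parts[4], parts[5].strip()
        if inode != "0" and path.startswith("/") and path not in paths:
            paths.append(path)
    return paths


def verify_mappings(maps_text: str, manifest: Dict[str, str],
                    digest_of: Callable[[str], str]) -> Dict[str, List[str]]:
    """Sort each mapped file into ok / mismatch / unlisted. manifest maps
    path -> expected SHA-256 hex; digest_of(path) returns the actual digest
    and is injected so the check can run on constructed data."""
    result: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unlisted": []}
    for path in file_backed_mappings(maps_text):
        if path not in manifest:
            result["unlisted"].append(path)
        elif digest_of(path) != manifest[path]:
            result["mismatch"].append(path)
        else:
            result["ok"].append(path)
    return result


# Constructed sample: a program, the dynamic loader, and a libc that
# LD_LIBRARY_PATH pulled in from a home directory (hypothetical paths).
SAMPLE_MAPS = """\
08048000-08050000 r-xp 00000000 03:01 12345 /usr/bin/example
08050000-08051000 rw-p 00007000 03:01 12345 /usr/bin/example
40000000-40015000 r-xp 00000000 03:01 200 /lib/ld-linux.so.2
40016000-40100000 r-xp 00000000 03:01 300 /home/fred/lib/libc.so.6
40120000-40130000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp 00000000 00:00 0 [stack]
"""
# Constructed file contents standing in for disk reads; only the two
# legitimately installed files are listed in the manifest.
FAKE_DISK = {"/usr/bin/example": b"example-v1", "/lib/ld-linux.so.2": b"ld-good"}
MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in FAKE_DISK.items()}


def run_sample() -> Dict[str, List[str]]:
    return verify_mappings(SAMPLE_MAPS, MANIFEST, lambda p: hashlib.sha256(
        FAKE_DISK.get(p, b"?")).hexdigest())
```

On a real system the same logic reads /proc/<pid>/maps and hashes the files on disk; the unlisted bucket is the one an exec()-only integrity hook would never report.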
This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 20:09:10 PDT