Re: How to get full pathname from an inode?

From: Jesse Pollard (jesse@cats-chateau.net)
Date: Fri Jul 25 2003 - 13:58:00 PDT

  • Next message: Omen Wild: "Re: How to get full pathname from an inode?"

    On Friday 25 July 2003 14:57, Omen Wild wrote:
    > Quoting Valdis.Kletnieksat_private <Valdis.Kletnieksat_private> on Thu, Jul 24 
    16:23:
    > > There's also a rather nasty race condition in the time between when the
    > > binary itself gets started by exec(), and the runtime loader resolves all
    > > the shared libraries and you actually get to main().....
    >
    > As each library gets loaded off the disk it will get checksummed,
    > independently of the binary.
    >
    > I think I understand.  /bin/ls gets executed.  My module sits in the
    > file_permission path, verifies the binary on disk is correct and allows
    > the load to continue.  Between the time I make my decision and the time
    > the pages actually get loaded off of disk, someone manages to sneak a
    > Trojan'd binary in.  The execute actually happens and the Trojan'd
    > binary loaded.
    >
    > One side effect of my module is that it uses kernel_read to read the
    > contents off disk and SHA1 them.  The pages will then be cached for the
    > actual execute.  I do not see a race there.  If the kernel detects a
    > page has changed and needs to reload it off disk, then I need to catch
    > that and recheck the contents of the file.
    
    You are ASSUMING that it remains in the page/file cache.
    
    It doesn't have to. That depends entirely on memory pressure. Granted, it is
    likely to work unless the attacker also saturates memory usage.
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 13:58:41 PDT