Re: System call audit

From: Stephen Smalley
Date: Tue May 13 2008 - 09:20:08 EST



On Tue, 2008-05-13 at 09:12 -0400, Mathieu Desnoyers wrote:
> * David Woodhouse (dwmw2@xxxxxxxxxxxxx) wrote:
> > On Tue, 2008-05-13 at 08:51 -0400, Mathieu Desnoyers wrote:
> > > * David Woodhouse (dwmw2@xxxxxxxxxxxxx) wrote:
> > > > On Mon, 2008-05-12 at 20:06 -0400, Mathieu Desnoyers wrote:
> > > > > Hi David,
> > > > >
> > > > > As I am looking into the system-wide system call tracing problem, I
> > > > > start to wonder how auditsc deals with the fact that user-space could
> > > > > concurrently change the content referred to by the __user pointers.
> > > >
> > > > In general we have to copy the content into kernel space, audit it, and
> > > > then act on it from there. See the explanation on the IPC audit patch at
> > > > http://lwn.net/Articles/125350/ for example.
> > > >
> > > > Auditing one thing and then acting on another would be simply broken.
> > > >
> > > > > This would be the case for execve. If we create a program with two
> > > > > thread; one is executing execve syscalls and the other thread would be
> > > > > modifying the userspace string containing the name of the program to
> > > > > execute.
> > > >
> > > > I was going to suggest that that attack vector won't work, because
> > > > execve() kills all threads. But all you have to do to avoid that is put
> > > > the data in question into a shared writable mmap and modify it from
> > > > another _process_. And in fact I suspect there's a combination of CLONE_
> > > > flags which would avoid the thread-killing behaviour anyway.
> > > >
> > >
> > > Even better : if execve fails, it doesn't kill the threads. Therefore,
> > > all we have to do is to busy-loop doing failing execve() calls and
> > > atomically change the string to what we want to be executed. Can anyone
> > > test the sample snippet in a context where executing /bin/bash is
> > > disallowed on a SMP system ? I don't have a selinux setup handy.
> >
> > You were talking about audit earlier. Now you seem to be talking about
> > selinux.
> >
>
> I thought selinux did hook into syscall audit ? (sorry, I am new to the
> kernel auditing field) The race I refer to is in the auditsc.c kernel
> code, so syscall audit would be the one I am talking about. I refer to
> selinux here just because, as of my understanding, it happens to be one
> module-based callback which can hook on syscall audit.

SELinux is a user of the audit subsystem in terms of generating audit
messages for permission denials. It doesn't rely on any inputs from the
audit subsystem.

--
Stephen Smalley
National Security Agency

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/