PERFORCE change 85448 for review
Robert Watson
rwatson at FreeBSD.org
Tue Oct 18 10:23:01 GMT 2005
On Mon, 17 Oct 2005, John Baldwin wrote:
> On Monday 17 October 2005 11:42 am, Robert Watson wrote:
>> http://perforce.freebsd.org/chv.cgi?CH=85448
>>
>> Change 85448 by rwatson at rwatson_zoo on 2005/10/17 15:41:26
>>
>> In execve(), audit the path name being executed. Annotate that it
>> would also be good to audit the pathname of the interpreter, if
>> any.
>
> It's not a huge deal to do that you know, add the AUDITVNPATH1 flag to
> the various name lookups in imgact_foo.c

I'm not sure I fully understand how the lookups are managed in execve() --
if you look at the do_execve() code, you'll see that it iterates around
and re-executes the same namei() for the interpreter label -- however,
when I instrument it so that a second invocation audits as the second
audit path, no second path appears, suggesting that in fact it is in the
image activator. I'll have to do some more reading.

Robert N M Watson
>
>> Affected files ...
>>
>> .. //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 edit
>>
>> Differences ...
>>
>> ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 (text+ko)
>> ====
>>
>> @@ -350,10 +350,13 @@
>> /*
>> * Translate the file name. namei() returns a vnode pointer
>> * in ni_vp amoung other things.
>> + *
>> + * XXXAUDIT: It would be desirable to also audit the name of the
>> + * interpreter if this is an interpreted binary.
>> */
>> ndp = &nd;
>> - NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE,
>> - UIO_SYSSPACE, args->fname, td);
>> + NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE |
>> + AUDITVNPATH1, UIO_SYSSPACE, args->fname, td);
>>
>> interpret:
>> error = namei(ndp);
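Review bot: AUDITVNPATH1 is added to the NDINIT() that sits above the `interpret:` label, so it covers only the first namei() on args->fname. A jump back to `interpret:` does not pass through this NDINIT() again, and the interpreter lookup will carry whatever flags its own nameidata setup uses. The XXXAUDIT comment would be more actionable if it named where that second setup happens, so the follow-up change has an obvious place to add the audit flag for the interpreter path. While this comment block is being touched, "amoung" in the unchanged line above the addition could be corrected to "among".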
>
> --
> John Baldwin <jhb at FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
> "Power Users Use the Power to Serve" = http://www.FreeBSD.org
> To Unsubscribe: send mail to majordomo at trustedbsd.org
> with "unsubscribe trustedbsd-cvs" in the body of the message
>