PERFORCE change 85448 for review

John Baldwin jhb at freebsd.org
Tue Oct 18 16:21:05 GMT 2005


On Tuesday 18 October 2005 06:23 am, Robert Watson wrote:
> On Mon, 17 Oct 2005, John Baldwin wrote:
> > On Monday 17 October 2005 11:42 am, Robert Watson wrote:
> >> http://perforce.freebsd.org/chv.cgi?CH=85448
> >>
> >> Change 85448 by rwatson at rwatson_zoo on 2005/10/17 15:41:26
> >>
> >> 	In execve(), audit the path name being executed.  Annotate that it
> >> 	would also be good to audit the pathname of the interpreter, if
> >> 	any.
> >
> > It's not a huge deal to do that, you know: add the AUDITVNPATH1 flag to
> > the various name lookups in imgact_foo.c
>
> I'm not sure I fully understand how the lookups are managed in execve() --
> if you look at the do_execve() code, you'll see that it iterates around
> and re-executes the same namei() for the interpreter label -- however,
> when I instrument it so that a second invocation audits as the second
> audit path, no second path appears, suggesting that in fact it is in the
> image activator.  I'll have to do some more reading.

I think it depends on the activator.  I think that imgact_shell might depend 
on the second lookup in do_execve() for #!/bin/sh type files for example, but 
imgact_elf certainly does its own lookup to find the appropriate ELF 
interpreter (i.e. rtld) to use.

> Robert N M Watson
>
> >> Affected files ...
> >>
> >> .. //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 edit
> >>
> >> Differences ...
> >>
> >> ==== //depot/projects/trustedbsd/audit3/sys/kern/kern_exec.c#5 (text+ko)
> >> ====
> >>
> >> @@ -350,10 +350,13 @@
> >>  	/*
> >>  	 * Translate the file name. namei() returns a vnode pointer
> >>  	 *	in ni_vp amoung other things.
> >> +	 *
> >> +	 * XXXAUDIT: It would be desirable to also audit the name of the
> >> +	 * interpreter if this is an interpreted binary.
> >>  	 */
> >>  	ndp = &nd;
> >> -	NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE,
> >> -	    UIO_SYSSPACE, args->fname, td);
> >> +	NDINIT(ndp, LOOKUP, ISOPEN | LOCKLEAF | FOLLOW | SAVENAME | MPSAFE |
> >> +	    AUDITVNPATH1, UIO_SYSSPACE, args->fname, td);
> >>
> >>  interpret:
> >>  	error = namei(ndp);
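Review bot: AUDITVNPATH1 is OR'd into the flags in the NDINIT() call that sits before the `interpret:` label, so any later jump back to `interpret:` for an interpreter re-lookup (the iteration described earlier in this thread) runs `namei(ndp)` with the same flag set and would record the interpreter into the first path slot rather than a second one; either re-initialize the flags before the re-lookup or extend the new XXXAUDIT comment to say that the second pass reuses the first-path flag. Minor: the unchanged comment line reads "amoung" for "among" and could be fixed while the block is being touched.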

-- 
John Baldwin <jhb at FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org