Full Disclosure mailing list archives
Who knows about this: cannot catch the absolute path when intercepting the mkdir() syscall in Linux.
From: supercodeing35271 supercodeing35271 <supercodeing35271 () gmail com>
Date: Sat, 17 Jul 2010 15:51:06 +0800
Hi, I am now writing a simple file comparison and protection program as a Linux kernel module, using the technique of intercepting the syscall. What I have done is that when the module is insmod'ed into the kernel, I can specify a path such that any action which intends to mkdir in that path returns a failure, so the path can be protected against malicious tampering. How the module works is very simple: it intercepts the mkdir() syscall; I think lots of people know the theory.

But it is not perfect, because the module can only identify the absolute path. Consider the situation when we open a shell like this:

    root@myname-desktop:/home/myname/test# mkdir dirkkk

When this command runs, a directory named dirkkk in the path /home/myname/test is created. Using the command mkdir /home/myname/test/dirkkk is the same. But the module I wrote only recognizes mkdir /home/myname/test/dirkkk. This is the mkdir syscall function in 2.6.34:

    asmlinkage long sys_mkdir(const char __user *pathname, int mode);

In my module, I intercept it and make a function named my_mkdir which has the same parameters:

    #include <linux/errno.h>
    #include <linux/uaccess.h>

    asmlinkage long my_mkdir(const char __user *pathname, int mode)
    {
        char kpath[256];  /* small kernel-side copy of the name */

        /* pathname is a user-space pointer: copy it before comparing it. */
        if (strncpy_from_user(kpath, pathname, sizeof(kpath)) < 0)
            return -EFAULT;
        kpath[sizeof(kpath) - 1] = '\0';

        /* Only the absolute spelling of the forbidden path is matched. */
        if (strcmp(kpath, "/home/myname/test/dirkkk") == 0)
            return -EPERM;  /* -1 */
        return sys_mkdir(pathname, mode);
    }

The module strcmp's the pathname; if the pathname is the one that has been set as forbidden, it returns -1. The command mkdir /home/myname/test/dirkkk may return a failure, but with mkdir dirkkk it is not forbidden, because the pathname is "dirkkk", not "/home/myname/test/dirkkk", so it returns the original sys_mkdir.

So my question is: is there any idea for identifying whether a shell command like mkdir has an absolute path or not, and how to change a relative path into an absolute one so that my module can intercept the relative path?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
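As an added illustration (not the poster's code, and not part of the original thread), a user-space C sketch of the path canonicalization the module is missing: it resolves a relative name against the process's working directory, collapses "." and "..", and then tests whether the result is the protected directory or lies beneath it, matching on a whole path component rather than a string prefix. The function names are hypothetical, and the logic is purely lexical, so it cannot see symlinks; inside the kernel the same decision is better taken on the resolved dentry (the LSM inode_mkdir hook receives the parent directory and the new name, and d_path() can render the parent's path) than on the string passed to the syscall.

```c
#include <string.h>

/* Append the components of `s` to the canonical path in `out` (current length
 * *len), collapsing ".", ".." and repeated slashes. Returns -1 on overflow. */
static int walk(const char *s, char *out, size_t *len, size_t outlen)
{
    while (*s) {
        const char *start; size_t n;
        while (*s == '/') s++;                 /* skip empty components */
        if (!*s) break;
        for (start = s; *s && *s != '/'; s++) {}
        n = s - start;
        if (n == 1 && start[0] == '.') continue;
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            while (*len > 1 && out[*len - 1] != '/') (*len)--;  /* pop name */
            if (*len > 1) (*len)--;                             /* pop slash */
            out[*len] = '\0';
            continue;                          /* "/.." stays at "/" */
        }
        if (*len + (*len > 1) + n + 1 > outlen) return -1;
        if (*len > 1) out[(*len)++] = '/';
        memcpy(out + *len, start, n);
        *len += n;
        out[*len] = '\0';
    }
    return 0;
}

/* Lexically resolve `path` (relative paths against `cwd`) into `out`.
 * Symlinks are not followed: this is string logic only. */
int resolve_path(const char *cwd, const char *path, char *out, size_t outlen)
{
    size_t len = 1;
    if (outlen < 2) return -1;
    out[0] = '/'; out[1] = '\0';
    if (path[0] != '/' && walk(cwd, out, &len, outlen) != 0) return -1;
    return walk(path, out, &len, outlen);
}

/* 1 if `path`, as seen from `cwd`, is `protected_dir` or anything below it.
 * `protected_dir` is assumed canonical (absolute, no trailing slash).
 * An unresolvable path is reported as protected, i.e. the check fails closed. */
int mkdir_hits_protected(const char *cwd, const char *path, const char *protected_dir)
{
    char abs[4096];
    size_t plen = strlen(protected_dir);
    if (resolve_path(cwd, path, abs, sizeof abs) != 0) return 1;
    if (strncmp(abs, protected_dir, plen) != 0) return 0;
    return abs[plen] == '\0' || abs[plen] == '/';
}
```

Note that "dirkkk2" is rejected as a match even though it shares a prefix with the protected name, which a plain strncmp on the prefix would get wrong.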