Date:      Mon, 02 Apr 2007 19:24:21 +0200
From:      Stanislav Ochotnicky <stanislav.ochotnicky@kmit.sk>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Deny system call using ptrace
Message-ID:  <46113C45.8050304@kmit.sk>
In-Reply-To: <4610BF5A.7060807@kmit.sk>
References:  <460EE276.1020802@kmit.sk> <4610BF5A.7060807@kmit.sk>


My mistake.

I noticed later that ptrace is actually called just before the system call;
however, the system call code and arguments are already read in the kernel, and
are not re-read after ptrace finishes. It simply does not account for
that possibility.
------ cut here ---
if (error == 0) {
	td->td_retval[0] = 0;
	td->td_retval[1] = frame->tf_edx;

	STOPEVENT(p, S_SCE, narg);

	PTRACESTOP_SC(p, td, S_PT_SCE);   /* <= change syscall number or args */

	AUDIT_SYSCALL_ENTER(code, td);
	error = (*callp->sy_call)(td, args);
	AUDIT_SYSCALL_EXIT(error, td);
}
-------cut here -----

I'm wondering if it would be possible to move the STOPEVENT and PTRACESTOP
lines to the beginning of syscall() without creating mayhem. Or another
way to make stopping syscall execution possible.

Regards,
S.O.
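As an added illustration (not code from the message or from FreeBSD), a constructed C model of the two orderings discussed above: with the trace stop after the syscall number and arguments are fetched, a tracer's rewrite of the frame is lost; with the stop moved before the fetch, it takes effect. The syscall numbers, the frame layout and the deny_open hook are made up for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not FreeBSD code: made-up syscall numbers. */
enum { SYS_NOSYS = 0, SYS_OPEN = 5 };

/* Stand-in for the i386 trap frame: eax carries the syscall number. */
struct frame {
    uint32_t eax;
    uint32_t arg0;
};

/* Stand-in for what a tracer does at the syscall-entry stop:
 * rewrite the frame so that open() becomes a harmless nosys(). */
static void deny_open(struct frame *f)
{
    if (f->eax == SYS_OPEN)
        f->eax = SYS_NOSYS;
}

/* Ordering as in the quoted kernel excerpt: code and args are copied out
 * of the frame, the trace stop runs afterwards, and dispatch uses the
 * stale copy.  Returns the syscall number that actually gets dispatched. */
static uint32_t dispatch_stop_after_fetch(struct frame *f,
                                          void (*stop)(struct frame *))
{
    uint32_t code = f->eax;   /* copied before the stop */
    uint32_t arg0 = f->arg0;  /* likewise */
    stop(f);                  /* tracer edits f->eax here, too late */
    (void)arg0;
    return code;              /* stale copy wins */
}

/* Ordering the message proposes: stop first, then read code and args. */
static uint32_t dispatch_stop_before_fetch(struct frame *f,
                                           void (*stop)(struct frame *))
{
    stop(f);                  /* tracer edits the frame first */
    return f->eax;            /* dispatch sees the tracer's change */
}

int main(void)
{
    struct frame a = { SYS_OPEN, 0 }, b = { SYS_OPEN, 0 };
    printf("stop after fetch dispatches %u\n",
           dispatch_stop_after_fetch(&a, deny_open));   /* 5: open() runs */
    printf("stop before fetch dispatches %u\n",
           dispatch_stop_before_fetch(&b, deny_open));  /* 0: denied */
    return 0;
}
```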


