* Detecting loading of libraries
@ 2015-01-22 0:01 hsultan
2015-01-22 1:30 ` hsultan
2015-01-27 0:48 ` Steve Grubb
0 siblings, 2 replies; 3+ messages in thread
From: hsultan @ 2015-01-22 0:01 UTC (permalink / raw)
To: linux-audit
Hi,
I'm wondering if there's a good way of detecting the loading of
libraries by processes (I am specifically NOT talking about the uselib
syscall).
strace shows me apps do open(...)/mmap/mprotect
I'm currently intercepting mmap calls, however no additional context
records are given to provide the name of the library, and the file
descriptor is the 5th parameter, so I can't get that either to match it
to an open(...)
Is there a way to do this that I'm missing ?
Thanks,
Hassan
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Detecting loading of libraries
2015-01-22 0:01 Detecting loading of libraries hsultan
@ 2015-01-22 1:30 ` hsultan
2015-01-27 0:48 ` Steve Grubb
1 sibling, 0 replies; 3+ messages in thread
From: hsultan @ 2015-01-22 1:30 UTC (permalink / raw)
To: linux-audit
Ok, I now see the file descriptor in a context record for mmap
*sometimes*
1300 - audit(1421886600.839:25623): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25624): arch=c000003e syscall=9 success=yes
exit=140564293636096 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1300 - audit(1421886600.839:25625): arch=c000003e syscall=9 success=yes
exit=140564239544320 a0=0 a1=2020f0 a2=5 a3=802 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1323 - audit(1421886600.839:25625): fd=10 flags=0x802
1300 - audit(1421886600.839:25626): arch=c000003e syscall=9 success=yes
exit=140564241645568 a0=7fd7a9b10000 a1=2000 a2=3 a3=812 items=0
ppid=23505 pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
1323 - audit(1421886600.839:25626): fd=10 flags=0x812
1300 - audit(1421886600.839:25627): arch=c000003e syscall=9 success=yes
exit=140564293640192 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=23505
pid=24942 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts5 ses=2 comm="sudo" exe="/usr/bin/sudo" key=(null)
Any idea why the 1323 shows up sometimes and not each time an mmap call
is made ? Is the record generated only on the 1st mmap call for a
library ?
Thanks,
Hassan
On 2015-01-21 16:01, hsultan@thefroid.net wrote:
> Hi,
>
> I'm wondering if there's a good way of detecting the loading of
> libraries by processes (I am specifically NOT talking about the
> uselib
> syscall).
>
> strace shows me apps do open(...)/mmap/mprotect
> I'm currently intercepting mmap calls, however no additional context
> records are given to provide the name of the library, and the file
> descriptor is the 5th parameter, so I can't get that either to match
> it to an open(...)
>
> Is there a way to do this that I'm missing ?
>
> Thanks,
>
> Hassan
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Detecting loading of libraries
2015-01-22 0:01 Detecting loading of libraries hsultan
2015-01-22 1:30 ` hsultan
@ 2015-01-27 0:48 ` Steve Grubb
1 sibling, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2015-01-27 0:48 UTC (permalink / raw)
To: linux-audit
On Wednesday, January 21, 2015 04:01:59 PM hsultan@thefroid.net wrote:
> I'm wondering if there's a good way of detecting the loading of
> libraries by processes (I am specifically NOT talking about the uselib
> syscall).
This has never been a problem people needed a solution for. Its always been
assumed that the runtime linker does the right thing.
> strace shows me apps do open(...)/mmap/mprotect
> I'm currently intercepting mmap calls, however no additional context
> records are given to provide the name of the library, and the file
> descriptor is the 5th parameter, so I can't get that either to match it
> to an open(...)
>
> Is there a way to do this that I'm missing ?
I'd almost thing you'd want to patch ld.so to provide this...but then its not
running as a privileged process. So, it can't do it. Ld is the thing that
knows the _intent_ behind the open and mmap and mprot. Nothing else does.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-01-27 0:48 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-22 0:01 Detecting loading of libraries hsultan
2015-01-22 1:30 ` hsultan
2015-01-27 0:48 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.