Message-ID: <AANLkTimlWMV_SCCSM7Olz6DRI3eIYCSYGKszx7Wt3DsU@mail.gmail.com>
Date: Sat, 17 Jul 2010 15:51:06 +0800
From: supercodeing35271 supercodeing35271 <supercodeing35271@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Who knows about this: cannot catch the absolute path when intercepting the mkdir() syscall in Linux
Hi, I am now writing a simple file comparison and protection program as a
Linux kernel module, using the approach of intercepting the syscall. What I
have done is that when the module is insmod'ed into the kernel, I can specify a
path such that any action which intends to mkdir in that path returns a
failure, so the path can be protected against malicious tampering.
How the module works is very simple: it intercepts the mkdir()
syscall; I think lots of people know the theory.
But it is not perfect, because the module can only identify the
absolute path. Consider the situation when we open a shell like this:
root@...ame-desktop:/home/myname/test# mkdir dirkkk
When this command runs, a directory named dirkkk is created in the path
/home/myname/test. Using the command mkdir
/home/myname/test/dirkkk does the same.
But the module I wrote only recognizes mkdir
/home/myname/test/dirkkk. This is the mkdir syscall function in 2.6.34:
asmlinkage long sys_mkdir(const char __user *pathname, int mode);
In my module, I intercept it and replace it with a function named my_mkdir which
has the same parameters:
asmlinkage long my_mkdir(const char __user *pathname, int mode)
{
    char kpath[PATH_MAX];   /* pathname is a user pointer: copy it in before comparing */
    long len = strncpy_from_user(kpath, pathname, sizeof(kpath));

    if (len < 0)
        return len;                /* -EFAULT: unreadable user address */
    if (len == sizeof(kpath))
        return -ENAMETOOLONG;      /* buffer filled, not NUL-terminated */
    if (strcmp(kpath, "/home/myname/test/dirkkk") == 0)
        return -1;                 /* -1 == -EPERM: caller sees "Operation not permitted" */
    return sys_mkdir(pathname, mode);
}
The module strcmp()s the pathname; if the pathname is the one that has been
set as forbidden, it returns -1. The command mkdir
/home/myname/test/dirkkk then returns a failure, but mkdir dirkkk is
not forbidden, because the pathname is "dirkkk", not
"/home/myname/test/dirkkk", so it falls through to the original sys_mkdir.
So my question is: is there any way to identify whether a shell command like
mkdir was given an absolute path or not, and how can a relative path be changed
into an absolute one so that my module can intercept the relative path too?
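The resolution the question asks for, as an added example that is not part of the original post or the poster's module: a user-space model in C of what the hook has to do with the raw mkdir() argument. The caller's working directory is passed in as a plain string where the kernel would obtain it with d_path() on current->fs->pwd, and the argument is a plain string where the kernel would copy it with strncpy_from_user(). The function names, the PATH_MAX_LEN size, the forbidden directory and the sample paths are assumptions made here; the check is also widened from one exact name to the whole protected tree, since a hook that only matches one string is bypassed by any other name under that directory.

```c
/*
 * Added example, not the poster's module: a user-space model of the path
 * handling a mkdir() hook needs.  In the kernel the pathname would come from
 * strncpy_from_user() and, for a relative name, the caller's cwd from
 * d_path(&current->fs->pwd, buf, size); here both are plain C strings so the
 * logic can be compiled and tested outside the kernel.
 */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 4096           /* assumed buffer size, like PATH_MAX */

/*
 * Canonicalise `pathname` against `cwd` into `out` (outlen bytes): collapse
 * ".", ".." and repeated slashes, strip a trailing slash.  Purely textual,
 * so symlinks are NOT followed.  Returns 0 on success, -1 if it does not fit.
 */
int resolve_path(const char *cwd, const char *pathname, char *out, size_t outlen)
{
    char tmp[PATH_MAX_LEN];
    int n;

    if (pathname[0] == '/')         /* absolute: cwd is irrelevant */
        n = snprintf(tmp, sizeof tmp, "%s", pathname);
    else                            /* relative: the kernel resolves it against cwd */
        n = snprintf(tmp, sizeof tmp, "%s/%s", cwd, pathname);
    if (n < 0 || (size_t)n >= sizeof tmp || outlen < 2)
        return -1;

    size_t o = 0;
    out[o++] = '/';                 /* invariant: out is "/" + "comp/" ... */
    for (char *p = tmp; *p; ) {
        while (*p == '/')
            p++;
        if (!*p)
            break;
        char *start = p;
        while (*p && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);

        if (clen == 1 && start[0] == '.')
            continue;               /* "." : stay here */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (o > 1) {            /* ".." : drop last component; "/.." stays "/" */
                o--;
                while (out[o - 1] != '/')
                    o--;
            }
            continue;
        }
        if (o + clen + 1 >= outlen)
            return -1;
        memcpy(out + o, start, clen);
        o += clen;
        out[o++] = '/';
    }
    if (o > 1)
        o--;                        /* drop trailing slash except for "/" */
    out[o] = '\0';
    return 0;
}

/* True when `canon` is `forbidden` itself or lies anywhere beneath it. */
int path_is_forbidden(const char *canon, const char *forbidden)
{
    size_t flen = strlen(forbidden);

    if (strncmp(canon, forbidden, flen) != 0)
        return 0;
    return canon[flen] == '\0' || canon[flen] == '/';   /* "/x/testing" is not under "/x/test" */
}

/*
 * The decision the hook would take: -1 (== -EPERM) when the target is
 * forbidden, -2 (stand-in for -ENAMETOOLONG) when it cannot be resolved,
 * 0 when the real sys_mkdir should run.
 */
long my_mkdir_model(const char *cwd, const char *pathname, const char *forbidden)
{
    char canon[PATH_MAX_LEN];

    if (resolve_path(cwd, pathname, canon, sizeof canon) != 0)
        return -2;
    return path_is_forbidden(canon, forbidden) ? -1 : 0;
}

int main(void)
{
    /* constructed inputs mirroring the post: a shell sitting in /home/myname/test */
    const char *cwd = "/home/myname/test";
    const char *forbidden = "/home/myname/test";
    const char *args[] = { "dirkkk", "/home/myname/test/dirkkk", "../test/./dirkkk",
                           "sub//dir/", "../other", "/home/myname/testing" };
    char canon[PATH_MAX_LEN];

    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        resolve_path(cwd, args[i], canon, sizeof canon);
        printf("%-26s -> %-30s %s\n", args[i], canon,
               my_mkdir_model(cwd, args[i], forbidden) == -1 ? "EPERM" : "allowed");
    }
    return 0;
}
```

Two caveats a practitioner would add. First, the resolution is textual: a symlink inside the protected tree, or a rename of the protected directory itself, is not seen by a string compare, and the hook must copy the user string exactly once and act on the copy so the caller cannot change it between the check and the real sys_mkdir. Second, the kernel already does this resolution in the VFS; the LSM inode_mkdir hook is called with the resolved parent directory's dentry, which is the more robust place for this kind of check than rewriting the syscall table.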