aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

Add support of monitoring write attempts to RO mounted files (with event that isn't vulnerable to TOCTOU) #1361

Open OriGlassman opened 2 years ago

OriGlassman commented 2 years ago

A user may want to monitor write attempts to files that are mounted as read only.

In my local environment, tracee-ebpf only reports the 'openat' event, which is vulnerable to TOCTOU.

Do note that this is different from when someone attempts to write to a file for which he doesn't have enough permissions (ACL) to do so; in that case the security_file_open event does occur.

itaysk commented 2 years ago

Thanks for opening an issue and sharing your needs. This sounds more like a signature to me, doesn't it?

OriGlassman commented 2 years ago

The only event that happens in the case described above is openat. What I suggest is to add an event that isn't vulnerable to TOCTOU. Later, a new signature may use this new event to identify the attempts.

itaysk commented 2 years ago

Sorry I misread the issue, are you saying that security_file_open doesn't happen when you read a RO file?

OriGlassman commented 2 years ago

Write, not read. This is probably because the code flow doesn't reach security_file_open and is terminated before that, after checking the mount permissions.
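An added example (not tracee's code and not from this thread) of the stopgap a defender can run today on tracee's JSON output while the event requested here does not exist: flag openat events whose flags show write intent and whose path falls under a mount listed as ro in /proc/mounts. It assumes tracee emits one JSON object per line with an args list of name/value pairs, and that the flags argument is either the parsed O_* names joined by | or the raw integer; the /proc/mounts content and event lines below are constructed samples.

```python
import json

# Open flags that express write intent; bit values from <fcntl.h> on x86-64 Linux.
FLAG_BITS = {"O_WRONLY": 0o1, "O_RDWR": 0o2, "O_CREAT": 0o100, "O_TRUNC": 0o1000, "O_APPEND": 0o2000}
# Constructed sample input (not captured from a real host): /proc/mounts text and tracee JSON lines.
SAMPLE_MOUNTS = "/dev/vda1 / ext4 rw,relatime 0 0\n" \
                "/dev/vdb1 /mnt/config ext4 ro,relatime 0 0\n" \
                "tmpfs /mnt/config/cache tmpfs rw,nosuid 0 0\n"
SAMPLE_EVENTS = [
    '{"processId":1201,"eventName":"openat","args":[{"name":"pathname","value":"/mnt/config/app.yaml"},'
    '{"name":"flags","value":"O_WRONLY|O_TRUNC"}]}',
    '{"processId":1202,"eventName":"openat","args":[{"name":"pathname","value":"/mnt/config/app.yaml"},'
    '{"name":"flags","value":"O_RDONLY"}]}',
    '{"processId":1203,"eventName":"openat","args":[{"name":"pathname","value":"/mnt/config/cache/tmp"},'
    '{"name":"flags","value":66}]}',
    '{"processId":1204,"eventName":"security_file_open","args":[]}',
]

def parse_mounts(proc_mounts):
    """(mount_point, is_read_only) pairs, longest path first so the most specific mount wins."""
    fields = (line.split() for line in proc_mounts.splitlines())
    mounts = [(f[1], "ro" in f[3].split(",")) for f in fields if len(f) >= 4]
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)

def owning_mount(path, mounts):
    """Most specific (mount_point, is_read_only) containing path; a rw mount nested in a ro one wins."""
    for mp, ro in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            return mp, ro
    return "", False

def write_flags(value):
    """Accept tracee's parsed form ("O_WRONLY|O_TRUNC") or the raw integer flags argument."""
    if isinstance(value, int):
        return {n for n, b in FLAG_BITS.items() if value & b}
    return set(str(value).split("|")) & set(FLAG_BITS)

def find_ro_write_attempts(json_lines, proc_mounts):
    """Flag openat events with write intent on a path under a read-only mount. The pathname is the
    syscall argument, so this inherits the TOCTOU weakness the issue describes; absolute paths only."""
    mounts, hits = parse_mounts(proc_mounts), []
    for ev in map(json.loads, json_lines):
        if ev.get("eventName") != "openat":
            continue
        args = {a["name"]: a.get("value") for a in ev.get("args", [])}
        path, flags = args.get("pathname") or "", write_flags(args.get("flags"))
        mp, ro = owning_mount(path, mounts)
        if flags and ro:
            hits.append({"pid": ev["processId"], "path": path, "mount": mp, "flags": sorted(flags)})
    return hits
```

Only the first sample event is reported: the read-only open is ignored, and the O_RDWR|O_CREAT open lands on the rw tmpfs nested inside the ro mount, so it is correctly not flagged.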