Open OriGlassman opened 2 years ago
Thanks for opening an issue and sharing your needs. This sounds more like a signature to me, isn't it?
The only event that happens in the case described above is openat. What I suggest is to add an event that isn't vulnerable to TOCTOU. Later, a new signature may use this new event to identify the attempts.
Sorry I misread the issue, are you saying that security_file_open doesn't happen when you read a RO file?
write, not read. This is probably because the code flow doesn't reach security_file_open and is terminated before that, after checking the mount permissions.
A user may want to monitor write attempts to files that are mounted as read only.
In my local environment, tracee-ebpf only reports the 'openat' event, which is vulnerable to TOCTOU.
Do note that this is different from when someone attempts to write to a file that he doesn't have enough permissions (ACL) to do so - in that case the security_file_open event does occur.
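To make the distinction in this thread concrete, here is an added example (written for this page, not code from the tracee project) that runs simple detection logic over a handful of constructed tracee-style JSON events. The field names (`eventName`, `pid`, `processName`, `returnValue`, `args` as name/value pairs) and the string form of the `flags` argument are assumptions modeled on tracee's JSON output, not copied from it. It flags `openat` calls with write intent that failed with `EROFS` (the read-only mount case, where only `openat` is reported) and separates them from `EACCES` denials (the ACL case, where a `security_file_open` event for the same pid and path is also present in the stream).

```python
import errno
import json

# Constructed sample event stream (not real tracee output). Field names are an
# assumption modeled on tracee's JSON format. pid 4242 and 4245 write to a
# read-only mount (EROFS, no LSM hook event); pid 4244 is denied by file
# permissions (EACCES) and is followed by a security_file_open event.
SAMPLE_EVENTS = [
    '{"eventName":"openat","processName":"bash","pid":4242,"returnValue":-30,'
    '"args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/mnt/ro/secrets.txt"},'
    '{"name":"flags","value":"O_WRONLY|O_CREAT"},{"name":"mode","value":420}]}',
    '{"eventName":"openat","processName":"cat","pid":4243,"returnValue":3,'
    '"args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/mnt/ro/secrets.txt"},'
    '{"name":"flags","value":"O_RDONLY"},{"name":"mode","value":0}]}',
    '{"eventName":"openat","processName":"bash","pid":4244,"returnValue":-13,'
    '"args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/etc/shadow"},'
    '{"name":"flags","value":"O_WRONLY"},{"name":"mode","value":0}]}',
    '{"eventName":"security_file_open","processName":"bash","pid":4244,"returnValue":0,'
    '"args":[{"name":"pathname","value":"/etc/shadow"},{"name":"flags","value":"O_WRONLY"}]}',
    '{"eventName":"openat","processName":"python3","pid":4245,"returnValue":-30,'
    '"args":[{"name":"dirfd","value":-100},{"name":"pathname","value":"/mnt/ro/app.db"},'
    '{"name":"flags","value":"O_RDWR"},{"name":"mode","value":0}]}',
]

# Linux x86-64 open(2) flag values, used when flags arrive as an integer.
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
# Flag names that mean the open could modify the file or its directory.
WRITE_INTENT_NAMES = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}


def has_write_intent(flags):
    """True if the open flags (int or 'A|B|C' string) request any kind of write."""
    if isinstance(flags, int):
        if flags & O_ACCMODE in (O_WRONLY, O_RDWR):
            return True
        return bool(flags & (O_CREAT | O_TRUNC | O_APPEND))
    return bool(WRITE_INTENT_NAMES & set(str(flags).split("|")))


def args_by_name(event):
    """Flatten tracee's [{name, value}, ...] argument list into a dict."""
    return {a["name"]: a["value"] for a in event.get("args", [])}


def write_denials(lines):
    """One record per failed write-open in the stream, annotated with the errno
    name and whether a security_file_open event for the same pid/path exists."""
    events = [json.loads(line) for line in lines]
    lsm_seen = {
        (e["pid"], args_by_name(e).get("pathname"))
        for e in events
        if e.get("eventName") == "security_file_open"
    }
    records = []
    for e in events:
        if e.get("eventName") != "openat":
            continue
        args = args_by_name(e)
        rv = e.get("returnValue", 0)
        if rv >= 0 or not has_write_intent(args.get("flags", 0)):
            continue
        records.append({
            "pid": e["pid"],
            "process": e.get("processName"),
            "path": args.get("pathname"),
            "flags": args.get("flags"),
            "errno": errno.errorcode.get(-rv, str(rv)),
            "lsm_hook_seen": (e["pid"], args.get("pathname")) in lsm_seen,
        })
    return records


def ro_mount_write_attempts(lines):
    """Paths of write attempts rejected because the mount is read-only (EROFS).
    These are exactly the cases for which no security_file_open event appears."""
    return [r["path"] for r in write_denials(lines) if r["errno"] == "EROFS"]


if __name__ == "__main__":
    for rec in write_denials(SAMPLE_EVENTS):
        print(rec)
    print("read-only mount write attempts:", ro_mount_write_attempts(SAMPLE_EVENTS))
```

Keying on the return value is what makes this usable: `-EROFS` is only produced once the kernel has resolved the path and checked the mount, so it cannot be forged by the caller. The `pathname` string, by contrast, is the syscall argument captured at entry, which is the TOCTOU exposure the thread describes: a process can change what that path points to between the argument being read and the kernel resolving it, so the reported path should be treated as a hint rather than as the file that was actually opened.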