Open rwatson opened 8 years ago
@rwatson, is this complete? I believe you do pass on rtld info now.
This is semi-complete. We need to more thoroughly review behaviour with respect to rtld, interpreters, scripts, etc, and may require an additional entry in the audit structure if all three are in use. So we should probably leave the issue open for now.
While explicit vnode arguments to system calls are audited, there are cases where file access may happen implicitly for certain system calls (e.g., rtld use in execve(2)). This task is to review those cases, and ponder an audit strategy for them.