[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?

Number Six number6 at elitemail.org
Wed Mar 14 21:21:51 UTC 2012


Hello,

This may seem like a strange request, but I have an urgent need to be able
to extract the userland EIP/RIP associated with AppArmor syscall audit
events on Ubuntu 11.04.

I am dealing with a possible exploit that seems to irregularly attempt
to execute a series of suspicious system calls, and I'd like to try to
dive in with gdb to see what is really going on.

I've dug around trying to intercept the system calls in gdb, but either
the exploit is failure-prone, or something else is blocking easy
reproduction of the audit events.

Is there any way to log userland EIP/RIP for audit messages? It seems
like the syscall arguments and memory pointers get logged in a0-3, but
not EIP/RIP...

I'd be willing to test out a patch if that's what it takes.

Thanks

- Six
