[apparmor] Possible to record userland EIP/RIP (instruction pointer) in audit logs?
Number Six
number6 at elitemail.org
Wed Mar 14 23:20:51 UTC 2012
On Wed, Mar 14, 2012, at 02:52 PM, John Johansen wrote:
> On 03/14/2012 02:21 PM, Number Six wrote:
> > I am dealing with a possible exploit that seems to irregularly
> > attempt to execute a series of suspicious system calls, and I'd like
> > to try to dive in with gdb to see what is really going on.
> >
> > I've dug around trying to intercept the system calls in gdb, but
> > either the exploit is failure-prone, or something else is blocking
> > easy reproduction of the audit events.
> >
> have you tried strace? You should be able to correlate syscall
> failures with apparmor denied messages
>
> Another possibility is ftrace or ltt-ng
The big problem with tracing is that I get these audit messages like
once a week, at best. I also experienced instability with ltrace when I
tried it. My best results so far when debugging a different set of audit
messages came from using hardware watchpoints on the memory regions in a3
from the audit logs, but in this instance they are changing from event to
event.

I have not tried strace, ftrace or ltt-ng. I suppose I can give those
a shot... but a week's worth of recording any kind of tracing is going to
get pretty big...
> > I'd be willing to test out a patch if that's what it takes.
> >
> that is a possibility but I would like to look at the more generic
> solutions first.
I was pretty surprised that this wasn't a FAQ or frequently requested
feature. It seems pretty basic to want to know the region of code that
an audit message failed from, no? At least, I would expect more people
to want a record of that than the memory address of the system call
arguments (but both together would be very handy).
--
http://www.fastmail.fm - Faster than the air-speed velocity of an
unladen european swallow
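Added example (not code from this thread or from the AppArmor project) of the correlation John suggests above: strace can already print the userland instruction pointer for every system call (its `-i` option), so a long-running `strace -f -i -ttt -o trace.log` capture can be joined against the AppArmor DENIED audit lines by pid and timestamp, and the IP then mapped back to a code region with a `/proc/<pid>/maps` dump. The strace lines, audit lines, maps dump, pid numbers and addresses below are constructed for illustration; the audit-line layout is the classic dmesg/auditd `type=1400 audit(<epoch>:<serial>): apparmor="DENIED" ...` form.

```python
"""Join AppArmor DENIED events with strace records that carry the user IP.

Assumes strace was run as:  strace -f -i -ttt -o trace.log <cmd>
  -f    follow children (their lines get a "[pid N]" prefix; the root pid has none)
  -i    print the instruction pointer at the time of each syscall
  -ttt  print epoch timestamps with microseconds
All sample data in this file is constructed, not a real capture.
"""
import re

STRACE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'      # absent on lines of the root pid
    r'(?P<ts>\d+\.\d+)\s+'                   # -ttt epoch timestamp
    r'\[(?P<ip>[0-9a-f]+)\]\s+'              # -i instruction pointer
    r'(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>0x[0-9a-f]+|-?\d+|\?)'
    r'(?:\s+(?P<err>E[A-Z]+)\s+\([^)]*\))?')
AUDIT_TS_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):\d+\)')
AUDIT_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAPS_RE = re.compile(
    r'^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$')


def parse_strace(text, root_pid):
    """One dict per syscall line; lines without [pid N] belong to root_pid."""
    out = []
    for line in text.splitlines():
        m = STRACE_RE.match(line)
        if not m:
            continue  # "<... resumed>", "+++ exited" and similar fragments
        out.append({'pid': int(m.group('pid') or root_pid),
                    'ts': float(m.group('ts')),
                    'ip': int(m.group('ip'), 16),
                    'name': m.group('name'),
                    'args': m.group('args'),
                    'err': m.group('err')})
    return out


def parse_audit(text):
    """AppArmor DENIED events as dicts with float 'ts' and int 'pid' fields."""
    events = []
    for line in text.splitlines():
        ts = AUDIT_TS_RE.search(line)
        if not ts:
            continue
        kv = {k: v.strip('"') for k, v in AUDIT_KV_RE.findall(line)}
        if kv.get('apparmor') != 'DENIED' or 'pid' not in kv:
            continue
        kv['ts'] = float(ts.group('ts'))
        kv['pid'] = int(kv['pid'])
        events.append(kv)
    return events


def correlate(events, records, window=0.5):
    """Pair each DENIED event with the nearest EACCES/EPERM syscall of the
    same pid within +/- window seconds (None when nothing matches)."""
    pairs = []
    for ev in events:
        best = None
        for rec in records:
            if rec['pid'] != ev['pid'] or rec['err'] not in ('EACCES', 'EPERM'):
                continue
            dt = abs(rec['ts'] - ev['ts'])
            if dt <= window and (best is None or dt < abs(best['ts'] - ev['ts'])):
                best = rec
        pairs.append((ev, best))
    return pairs


def locate_ip(ip, maps_text):
    """Map a user address to (path, file offset) via a /proc/<pid>/maps dump
    taken while the process was alive; None if the address is unmapped."""
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group(1), 16), int(m.group(2), 16)
        if lo <= ip < hi:
            return (m.group(4) or '[anon]'), ip - lo + int(m.group(3), 16)
    return None


# Constructed sample data: root pid 4242, child 4243, a DENIED for pid 9999
# that was never traced.
SAMPLE_STRACE = """\
1331767251.100123 [00007f3a1c0d2e4f] openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
[pid  4243] 1331767251.120456 [00007f3a1c0d2e4f] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4243] 1331767251.120900 [00007f3a1c0e1122] write(2, "cannot open shadow\\n", 19) = 19
1331767259.998000 [0000000000401a2b] execve("/usr/local/bin/helper", ["helper"], [/* 12 vars */]) = -1 EACCES (Permission denied)
"""
SAMPLE_AUDIT = """\
[ 8123.456] type=1400 audit(1331767251.125:45): apparmor="DENIED" operation="open" parent=4242 profile="/usr/sbin/foo" name="/etc/shadow" pid=4243 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 8131.010] type=1400 audit(1331767260.001:46): apparmor="DENIED" operation="exec" parent=1 profile="/usr/sbin/foo" name="/usr/local/bin/helper" pid=4242 comm="foo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 8140.000] type=1400 audit(1331767270.000:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/foo" name="/root/.ssh/id_rsa" pid=9999 comm="foo" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
SAMPLE_MAPS = """\
00400000-0045a000 r-xp 00000000 08:01 393219                             /usr/sbin/foo
0065a000-0065c000 rw-p 0005a000 08:01 393219                             /usr/sbin/foo
7f3a1c0a0000-7f3a1c25b000 r-xp 00000000 08:01 131210                    /lib/x86_64-linux-gnu/libc-2.15.so
7f3a1c45a000-7f3a1c45f000 rw-p 00000000 00:00 0
"""

if __name__ == '__main__':
    pairs = correlate(parse_audit(SAMPLE_AUDIT), parse_strace(SAMPLE_STRACE, 4242))
    for ev, rec in pairs:
        if rec is None:
            print('pid %d %s %s: no traced syscall nearby' % (ev['pid'], ev['operation'], ev['name']))
            continue
        where = locate_ip(rec['ip'], SAMPLE_MAPS)
        print('pid %d %s %s <- %s(%s) at ip 0x%x, %s' % (
            ev['pid'], ev['operation'], ev['name'], rec['name'], rec['args'],
            rec['ip'], 'unmapped' if where is None else '%s+0x%x' % where))
```

The file offset that `locate_ip` returns is what you feed to `objdump -d --start-address` (or `addr2line -e <path>`) to see the code region the denied call came from; a real capture needs the maps dump taken while the process is still running, since the trace alone does not record where libraries were loaded. The time window is deliberately loose because the audit timestamp is taken inside the LSM hook while strace stamps the syscall entry from userspace.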