On Fri, 09 Apr 2021 08:06:21 -0700, Andi Kleen said: > Thinking more about it what I wrote above wasn't quite right. The cache > would only need to be as big as the number of attackable services/suid > binaries. Presumably on many production systems that's rather small, > so a cache (which wouldn't actually be a cache, but a complete database) > might actually work.
You also need to consider non-suid things called by suid things that don't sanitize input sufficiently before invocation... Thinking about at - is it really a good thing to try to do this in kernelspace? Or is 'echo 1 > /proc/sys/kernel/print-fatal-signals' and a program to watch the dmesg and take action more appropriate? A userspace monitor would have more options (though a slightly higher risk of race conditions).
pgpTwBsdyj4b2.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@kernelnewbies.org https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
