security¶
Intro¶
security - checks if the current security context is valid
Description¶
The security syscall call is used to check if the current security context is valid. It is used to check whether a security context is able to access a given resource. If the current security context does not have access to the resource, it can be updated to match the security context of the resource. It is important to note that the security context of a resource is determined by the security measure, or policy, of the particular resource.
The security syscall is a key part of any security-minded application. It can help to ensure that only certain users are allowed to access certain resources, and that any access is done in a secure way. In addition, the security syscall can help to ensure that the security measures of a system are not circumvented or broken.
There are a few key points to keep in mind when using the security syscall. The security context of the user needs to be checked for validity at all times, and the user’s security context should be updated whenever necessary. In addition, the security syscall should never be used to perform authentication or authorization checks, as these should be done using a separate system.
Arguments¶
context:char const *[U, TOCTOU] - a pointer to a security context string.resource:char const *[U, TOCTOU] - a pointer to a resource string.access:int[U] - a bit mask representing the access rights.timeout:long[U, OPT] - maximum time in milliseconds to wait for a security change before returning an error (if not provided, will wait indefinitely).
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
__x86_sys_security¶
Type¶
bpf + kprobe
Purpose¶
The purpose of hooking this function is to detect when the security syscall is called, and to obtain information about the context, resource, access and timeout arguments used.
security_update¶
Type¶
kprobe
Purpose¶
The purpose of hooking this function is to detect when the security context of a resource is updated and to obtain information about the context, resource, and access arguments used.
Example Use Case¶
A security-minded application may use the security syscall to check a user’s access rights to a particular resource. If the user is not authorized to access the resource, the security syscall can be used to update the user’s security context to match the resource’s security settings. This allows the user to access the resource in a secure fashion.
Issues¶
The security syscall can be vulnerable to TOCTOU attacks. If a malicious user is able to manipulate the security context of a resource, they can bypass the security checks done by the security syscall.
Related Events¶
- execve - spawns a new process
- getgid - returns the group identifier (GID) of the current effective user
- chroot - changes the root directory of the calling process
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.