I think there's a TOCTOU in the execveat example o...
# ebpfa
Artemis Tosini
10/14/2022, 6:58 PMI think there's a TOCTOU in the execveat example of ebpfpub, though there shouldn't be an issue if you use the tracepoint like in linuxevents
a
alessandrogario
10/14/2022, 7:04 PM
Do you mean the kprobe_execsnoop example? I think we are always somehow subject to race conditions, especially when walking dentry structures (because we can't acquire locks from BPF)
a
Artemis Tosini
10/14/2022, 7:08 PMYes, that's what I'm talking about
Artemis Tosini
10/14/2022, 7:09 PMAIUI it's fine if you can instrument after a copy_from_user but I don't think that's possible here