RE: [Dazuko-devel] Symlink reporting

From: Tikka, Sami
Subject: RE: [Dazuko-devel] Symlink reporting
Date: Fri, 28 Jan 2005 20:17:22 +0200

>-----Original Message-----
>From: address@hidden 
>] On Behalf Of Tikka, Sami
>Sent: Friday, January 28, 2005 10:58 AM
>To: address@hidden; address@hidden
>Subject: Re: [Dazuko-devel] Symlink reporting
>
>I tried to apply the patches against your latest dazuko release but that
>did not produce a good version. I define a good version as a version
>that sends the name of the symlink to the daemon if a symlink was
>accessed. I'll try to find out the problem but I thought I'd send you
>this patch just so you can see what I'm getting at.

Yes, I found the problem and I just re-read the emails and realized that you
had already fixed the symlink behaviour in the CVS, thanks! 

Anyway, we have the symlink reporting for Linux 2.6, as you can see in the
patches. And because it is not possible to know in LSM inode_permission
callback if LSM follow_symlink callback has already been called, we report
both. We just use a different event (ON_LINK) to report symlink access. I can
explain why we did that:

We have 2 modules that listen to dazuko events: Integrity Checker and
Anti-Virus. Integrity Checker is interested in both symlink and file accesses
because it has to verify that a) the symlink points to the right place and b)
the checksum of the file matches what is stored in the baseline. Anti-Virus
module just wants to scan the file.

When a user accesses a file via a symlink, on Linux 2.4 we have dazuko send us
ON_OPEN event with the name of the symlink. Integrity Checker sees it is a
symlink, checks it points to the right place, readlinks the symlink and
verifies checksum of the file. Anti-Virus scanner just scans the reported
name and does not care if it was a symlink or a file.

On Linux 2.6 we have dazuko send us ON_LINK event with the name of the
symlink. Integrity Checker checks that the link points to the right place and
nothing else. Anti-Virus scanner just ignores the ON_LINK events. Then dazuko
sends us ON_OPEN event with the name of the real file. Integrity Checker sees
this is a file, not a symlink and just verifies checksum of the file.
Anti-Virus scanner simply scans the reported filename.

If you do not like the concept of introducing ON_LINK events for Linux 2.6,
we could just make LSM follow_symlink callback send ON_OPEN events. Our
Integrity Checker and Anti-Virus could live with it because we cache virus
scan results so it would not be a problem to have ON_OPEN reported twice,
once for the symlink and once for the real file.

Sami Tikka                tel. +358 9 2520 5115 
senior software engineer  fax. +358 9 2520 5014
                          mobile +358 40 7379388
F-Secure Corporation      http://www.f-secure.com
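
The event handling described in this message, as an added example that is not part of the original mail and is not Dazuko or F-Secure code: two listeners process the Linux 2.4 sequence, the Linux 2.6 sequence with ON_LINK, and the alternative of ON_OPEN reported twice. The class names, finding strings, `replay` helper, scan marker and the (device, inode, mtime) cache key are assumptions made for illustration.

```python
import hashlib, os, pathlib, tempfile
ON_OPEN, ON_LINK = "ON_OPEN", "ON_LINK"   # ON_LINK: the extra event proposed in the mail
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"    # constructed stand-in for a virus signature

def digest(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

class IntegrityChecker:
    def __init__(self, links, sums):
        self.links, self.sums = links, sums   # baseline: link -> target, file -> digest
    def handle(self, event, path):
        findings = []
        if os.path.islink(path):
            target = os.readlink(path)
            if target != self.links.get(path):        # (a) link points to the right place
                findings.append("link-target-changed")
            if event == ON_LINK:
                return findings       # 2.6 style: the file arrives as its own ON_OPEN
            path = os.path.join(os.path.dirname(path), target)  # 2.4 style: follow it
        if digest(path) != self.sums.get(path):       # (b) checksum matches baseline
            findings.append("checksum-mismatch")
        return findings

class AntiVirus:
    def __init__(self):
        self.cache, self.scans = {}, 0
    def handle(self, event, path):
        if event == ON_LINK:
            return None               # link events are ignored by the scanner
        st = os.stat(path)            # follows symlinks, so link and file share a key
        key = (st.st_dev, st.st_ino, st.st_mtime_ns)
        if key not in self.cache:     # assumed cache policy, not F-Secure's
            self.scans += 1
            self.cache[key] = MARKER in pathlib.Path(path).read_bytes()
        return self.cache[key]

def replay(events, retarget=False):   # returns (integrity findings, number of scans)
    with tempfile.TemporaryDirectory() as tmp:
        real, other, link = (os.path.join(tmp, n) for n in ("real", "other", "link"))
        for p in (real, other):       # constructed sample files
            pathlib.Path(p).write_bytes(p.encode())
        os.symlink(other if retarget else real, link)   # retarget simulates tampering
        ic = IntegrityChecker({link: real}, {real: digest(real), other: digest(other)})
        av, found = AntiVirus(), []
        for event, name in events:
            path = os.path.join(tmp, name)
            found += ic.handle(event, path)
            av.handle(event, path)
        return found, av.scans
```

`replay([(ON_OPEN, "link"), (ON_OPEN, "real")])` models the alternative at the end of the message: the file is scanned once because both events resolve to the same cache key.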
