
[Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available

From: Tikka, Sami
Subject: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available
Date: Sat, 4 Mar 2006 22:36:40 +0200


I have uploaded to Savannah the patch that adds syscall hooking as an
alternative method to intercept file accesses on Linux 2.6.

This makes it possible to easily install dazuko on distributions that come
with a kernel where capability is compiled built-in. This patch also enables
DAZUKO_ON_CLOSE events which cannot be obtained with the LSM callbacks.

The patch is against dazuko-2.1.1-pre2. Let me know if it does not apply
cleanly to the latest dazuko version.

Apply the patch, then run ./configure --enable-syscalls

I should warn you that there is a bit of a kludge in the sys_execve hook. I could
not implement the hook any other way than it was done in dazuko_linux.c.
Unfortunately one of those functions is no longer exported and I had to
resort to some ugliness to be able to call it. The address of the
non-exported function is looked up from System.map file by the configure
script. It searches for the System.map from several standard locations. In
case your System.map is not in a standard location, it can be given with
--mapfile option to configure.

There are some other, related, changes that I should explain:

1) sys_dup is no longer hooked. I did not see the point. It was generating
extra DAZUKO_ON_OPEN events when no file was actually being opened. At least
from an anti-virus scanner point-of-view it does not make sense to rescan a
file while it has already been opened by the same process.

2) sys_dup2 also no longer generates DAZUKO_ON_OPEN events, but still
generates DAZUKO_ON_CLOSE events when the new file descriptor is closed.

3) sys_creat is hooked because it opens a new file.

4) The internals of sys_open were changed. Originally dazuko asked permission from
daemons before calling the original sys_open. This made it difficult to
look up the filename for new files because the file did not yet exist. Also,
the inode information for the new file was not available. Now the original
sys_open is called first, then daemons are consulted and if daemons want to
deny file access, the original sys_close is called.

This patch has been well tested on several SuSE, Red Hat, Mandrake and Ubuntu
systems, also with multi-CPU hardware.

Sami Tikka
F-Secure Corporation
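The post above describes a configure step that resolves the address of a non-exported kernel function from System.map, searching several standard locations unless --mapfile points at one. The script below is an added POSIX sh example of that lookup; it is not dazuko's configure script, and the candidate paths, the constructed sample map, its symbol names and the "text symbol, exactly one match" check are all assumptions. The check matters because whatever address the lookup returns is what the kernel will later call: a map from a different kernel build, a data symbol, or an ambiguous name should make the step fail rather than produce a plausible-looking number.

```shell
#!/bin/sh
# Added example, not dazuko's own configure script: locate a System.map and
# resolve one non-exported kernel symbol from it. Paths and checks are assumptions.

# find_system_map [explicit_path] [kernel_release]
# Prints the map file to use. An explicit path (the --mapfile case from the
# post) wins; otherwise a few conventional locations are tried in order.
find_system_map() {
    explicit="$1"
    release="${2:-$(uname -r)}"
    if [ -n "$explicit" ]; then
        if [ -r "$explicit" ]; then printf '%s\n' "$explicit"; return 0; fi
        return 1
    fi
    # Release-suffixed maps first: they are far more likely to match the running kernel.
    for f in "/boot/System.map-$release" "/System.map-$release" \
             "/lib/modules/$release/build/System.map" \
             /boot/System.map /System.map /usr/src/linux/System.map; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# lookup_symbol <map> <symbol>
# Prints the address of a text symbol (type T or t). Fails if the symbol is
# missing, is not code, or appears more than once: the kernel would jump to
# whatever this prints, so refusing is safer than guessing.
lookup_symbol() {
    map="$1"; sym="$2"
    matches=$(awk -v s="$sym" '$3 == s && ($2 == "T" || $2 == "t") { print $1 }' "$map")
    count=$(printf '%s' "$matches" | wc -w | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# Constructed sample System.map (not taken from any real kernel) so the
# example runs offline. Note the data symbol and the duplicated name.
SAMPLE_MAP="${TMPDIR:-/tmp}/dazuko-example-System.map.$$"
cat > "$SAMPLE_MAP" <<'EOF'
c0100000 T startup_32
c0102000 T sys_execve
c0102040 t do_execve
c0105000 D sys_call_table
c0110000 T open_exec
c0120000 T twice
c0120100 T twice
EOF

# Demo run: resolve sys_execve from the sample map and report the outcome.
if map=$(find_system_map "$SAMPLE_MAP"); then
    if addr=$(lookup_symbol "$map" sys_execve); then
        echo "sys_execve found in $map at 0x$addr"
    else
        echo "sys_execve could not be resolved unambiguously from $map"
    fi
else
    echo "no readable System.map found"
fi
```

In a real build the only input a user controls is the map path; the script should still refuse a map whose release suffix does not match the running kernel before trusting any address from it, which is the check a `--mapfile` override most easily bypasses.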
