[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available

From: tvrtko . ursulin
Subject: Re: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available
Date: Mon, 6 Mar 2006 09:30:14 +0000

Hi Sami,

> This makes it possible to easily install dazuko on distributions that 
> with a kernel where capability is compiled built-in. This patch also 
> DAZUKO_ON_CLOSE events which cannot be obtained with the LSM callbacks.

I am looking at linux26_syscall_hook.patch and can't find the bit which 
actually hooks into the syscall table? It is just from curiosity, to see 
in what ways can it be done. Are you handling 32-bit syscalls on 64-bit 
kernels? Because it is an additional syscall table.
> 3) sys_creat is hooked because it opens a new file.

Do we care about that from an AV point of view?
> 4) internals of sys_open was changed. Originally dazuko asked permission 
> daemons before calling original sys_open. This resulted made it 
difficult to
> lookup the filename for new files because the file did not yet exist. 
> the inode information for the new file was not available. Now original
> sys_open is called first, then daemons are consulted and if daemons want 
> deny file access, original sys_close is called.

Exactly the same as Talpa does it. :) When using syscall interceptor that 

reply via email to

[Prev in Thread] Current Thread [Next in Thread]