dazuko-devel

Re: [Dazuko-devel] 2.6.27 kernels


From: Frantisek Hrbata
Subject: Re: [Dazuko-devel] 2.6.27 kernels
Date: Thu, 28 Aug 2008 17:34:39 +0200

On Thu, 28 Aug 2008 17:10:59 +0300
Sami Tikka <address@hidden> wrote:

> 
> Frantisek Hrbata wrote on 27.8.2008 at 16.40:
> 
> > 3) Dazuko uses open instead of permission function.
> >   This has one side effect. Dazuko is not able to
> >   distinguish open and exec events. Anyway exec events
> >   are sent as open events.
> 
> Is it necessary to lose the ability to tell the difference between  
> open and exec?

In this quick solution as I posted it, dazuko is using open instead of
permission. In the open function it is not possible to find out if
a file is opened for execution or not. But as I wrote, this is a quick
hack for now. I guess there will be discussion after John is
back from his vacation.

IMHO it would be better for dazuko to move from path-based scanning to
file injection (open file directly in kernel and add it to scanning process fdt).

Is there any particular reason to distinguish between open/exec in the on-access
scanning besides logs or some other output? 



