Re: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available
From: tvrtko . ursulin
Subject: Re: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available
Date: Mon, 6 Mar 2006 09:30:14 +0000

Hi Sami,
> This makes it possible to easily install dazuko on distributions that come
> with a kernel where capability is compiled built-in. This patch also enables
> DAZUKO_ON_CLOSE events which cannot be obtained with the LSM callbacks.
I am looking at linux26_syscall_hook.patch and can't find the bit which
actually hooks into the syscall table? It is just out of curiosity, to see
in what ways it can be done. Are you handling 32-bit syscalls on 64-bit
kernels? Because it is an additional syscall table.
> 3) sys_creat is hooked because it opens a new file.
Do we care about that from an AV point of view?
> 4) internals of sys_open was changed. Originally dazuko asked permission from
> daemons before calling original sys_open. This made it difficult to
> look up the filename for new files because the file did not yet exist. Also,
> the inode information for the new file was not available. Now original
> sys_open is called first, then daemons are consulted and if daemons want to
> deny file access, original sys_close is called.
Exactly the same as Talpa does it. :) When using the syscall interceptor, that is.