Re: [Dazuko-devel] [PATCH] Syscall hooking for Linux 2.6 available

[tvrtko . ursulin]

Hi Sami,

> This makes it possible to easily install dazuko on distributions that 
come
> with a kernel where capability is compiled built-in. This patch also 
enables
> DAZUKO_ON_CLOSE events which cannot be obtained with the LSM callbacks.

I am looking at linux26_syscall_hook.patch and can't find the bit which 
actually hooks into the syscall table? It is just from curiosity, to see 
in what ways can it be done. Are you handling 32-bit syscalls on 64-bit 
kernels? Because it is an additional syscall table.
 
> 3) sys_creat is hooked because it opens a new file.

Do we care about that from an AV point of view?
 
> 4) internals of sys_open was changed. Originally dazuko asked permission 
from
> daemons before calling original sys_open. This resulted made it 
difficult to
> lookup the filename for new files because the file did not yet exist. 
Also,
> the inode information for the new file was not available. Now original
> sys_open is called first, then daemons are consulted and if daemons want 
to
> deny file access, original sys_close is called.

Exactly the same as Talpa does it. :) When using syscall interceptor that 
is.