On 2008-02-12, <[EMAIL PROTECTED]> wrote:
> Can you tell me what the options 'enable-syscalls',
> 'mapfile=/boot/System.map-2.6.22-14-generic',
> 'disable-local-dpath' and 'disable-chroot-support' do

"enable-syscalls" tells Dazuko to capture file access events by intercepting them from the system call table. This is how Dazuko captures events for FreeBSD and Linux 2.2/2.4. Linux 2.6 introduced a new interface (called LSM) that allowed Dazuko to capture file event information. By default Dazuko uses this interface for Linux 2.6. However, the interface changes frequently with each new Linux version (and distribution). For this reason (and several others), it is often difficult to compile Dazuko for Linux 2.6. Using the syscall method also has its difficulties with Linux 2.6. But it is hoped that either LSM or syscall hooking will work.

"mapfile" specifies the "System.map" file, which contains a list of symbol addresses within the kernel. Dazuko needs this information to locate the system call table.

"disable-local-dpath"
A kernel function __d_path() is used to determine the full path for files that are accessed. This function is typically not available to kernel modules, so Dazuko brings its own "local" copy to use. However, the local copy is not safe for SMP systems. "disable-local-dpath" tells Dazuko not to use its local copy, but instead expect that the built-in Linux version is available.

"disable-chroot-support"
Normally Dazuko will resolve full path names, even for files that are accessed in a chroot environment. In order to do this, Dazuko requires the __d_path() function. The "disable-chroot-support" tells Dazuko not to use the __d_path() function, but instead to use the commonly available d_path() function. The d_path() function does not allow Dazuko to retrieve the full path name for file events in a chroot environment. (This option was introduced as an alternative for systems where __d_path() was not available and the local __d_path would not work.)

> and how does it affect the security of the system?

The only issue is that events in a chroot environment will be shown with paths relative to that chroot environment. This means that the Dazuko-based application probably won't be able to identify which file was actually accessed. This could be a problem if you run software in a chroot environment and you want the file access events from that software to be monitored.

> In your opinion, should I write a bug report to the Ubuntu
> developers?

The fact that you needed to manually change the code is a bug in Dazuko. That will be fixed for the next version. The fact that you must use these options for Ubuntu is not really an Ubuntu bug. It is more of a limitation in Dazuko.

John Ogness

--
Dazuko Maintainer
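An added illustration of the chroot limitation described in the message above (not part of the original post and not Dazuko code): a monitoring application that receives chroot-relative paths can map them back onto the host tree through the /proc/<pid>/root symlink. It assumes each event carries the pid of the accessing process; the helper names, the event tuples and the fake /proc layout are constructed for this example.

```python
import os
import tempfile


def host_path(pid, reported_path, proc_dir="/proc"):
    """Map a path reported relative to a process's root onto the host tree.

    On Linux, <proc_dir>/<pid>/root is a symlink to that process's root
    directory ("/" unless the process is chrooted). Returns None when the
    link cannot be read (process already exited, or insufficient privilege).
    """
    try:
        root = os.readlink(os.path.join(proc_dir, str(pid), "root"))
    except OSError:
        return None
    # Normalise inside the chroot first so ".." cannot climb above its root.
    inside = os.path.normpath("/" + reported_path.lstrip("/"))
    return os.path.normpath(os.path.join(root, inside.lstrip("/")))


def ambiguous_paths(events, proc_dir="/proc"):
    """Return reported paths that stand for more than one host file."""
    seen = {}
    for pid, path in events:
        resolved = host_path(pid, path, proc_dir)
        if resolved is not None:
            seen.setdefault(path, set()).add(resolved)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def build_fake_proc(base):
    """Constructed stand-in for /proc: pid 100 unconfined, pid 200 chrooted."""
    for pid, root in ((100, "/"), (200, "/srv/jail")):
        os.makedirs(os.path.join(base, str(pid)))
        os.symlink(root, os.path.join(base, str(pid), "root"))
    return base


if __name__ == "__main__":
    proc = build_fake_proc(tempfile.mkdtemp())
    # Constructed events: (pid, path as reported relative to the process root).
    events = [(100, "/etc/passwd"), (200, "/etc/passwd"), (100, "/tmp/a")]
    for pid, path in events:
        print(pid, path, "->", host_path(pid, path, proc))
    print("ambiguous:", ambiguous_paths(events, proc))
```

Reading /proc/<pid>/root for another user's process normally requires root, and the lookup is only valid while the process is still alive, so it has to happen when the event is handled.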