Hi Sami,

> This makes it possible to easily install dazuko on distributions that come
> with a kernel where capability is compiled built-in. This patch also enables
> DAZUKO_ON_CLOSE events which cannot be obtained with the LSM callbacks.

I am looking at linux26_syscall_hook.patch and can't find the bit which actually hooks into the syscall table. It is just out of curiosity, to see in what ways it can be done. Are you handling 32-bit syscalls on 64-bit kernels? Because that is an additional syscall table.

> 3) sys_creat is hooked because it opens a new file.

Do we care about that from an AV point of view?

> 4) internals of sys_open were changed. Originally dazuko asked permission from
> daemons before calling original sys_open. This made it difficult to
> look up the filename for new files because the file did not yet exist. Also,
> the inode information for the new file was not available. Now original
> sys_open is called first, then daemons are consulted and if daemons want to
> deny file access, original sys_close is called.

Exactly the same as Talpa does it. :) When using the syscall interceptor, that is.

_______________________________________________
Dazuko-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/dazuko-devel
