Hello!

I have uploaded to savannah the patch that adds syscall hooking as an alternative method to intercept file accesses on Linux 2.6.

http://savannah.nongnu.org/patch/?func=detailitem&item_id=4952

This makes it possible to easily install dazuko on distributions that come with a kernel where capability is compiled built-in. This patch also enables DAZUKO_ON_CLOSE events, which cannot be obtained with the LSM callbacks.

The patch is against dazuko-2.1.1-pre2. Let me know if it does not apply cleanly to the latest dazuko version.

Apply the patch, then run

  ./configure --enable-syscalls

I should warn you that there is a bit of a kludge in the sys_execve hook. I could not implement the hook any other way than it was done in dazuko_linux.c. Unfortunately one of those functions is no longer exported and I had to resort to some ugliness to be able to call it. The address of the non-exported function is looked up from the System.map file by the configure script. It searches for the System.map in several standard locations. In case your System.map is not in a standard location, it can be given with the --mapfile option to configure.

There are some other, related, changes that I should explain:

1) sys_dup is no longer hooked. I did not see the point. It was generating extra DAZUKO_ON_OPEN events when no file was actually being opened. At least from an anti-virus scanner point of view it does not make sense to rescan a file while it has already been opened by the same process.

2) sys_dup2 also no longer generates DAZUKO_ON_OPEN events, but still generates DAZUKO_ON_CLOSE events when the new file descriptor is closed.

3) sys_creat is hooked because it opens a new file.

4) The internals of sys_open were changed. Originally dazuko asked permission from daemons before calling the original sys_open. This made it difficult to look up the filename for new files because the file did not yet exist. Also, the inode information for the new file was not available. Now the original sys_open is called first, then daemons are consulted, and if daemons want to deny file access, the original sys_close is called.

This patch has been well tested on several SuSE, Red Hat, Mandrake and Ubuntu systems, also with multi-cpu hardware.

-- 
Sami Tikka
F-Secure Corporation
BE SURE.

_______________________________________________
Dazuko-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/dazuko-devel
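Change 4) in the message above is easiest to see in user space. The following program is an added example, not code from the Dazuko project or from this patch: it contrasts the two orderings with ordinary open()/stat()/fstat() calls instead of kernel hooks. The policy function `daemon_allows` is a hypothetical stand-in for the daemon's decision (it denies any file whose name ends in ".deny"), and the scratch directory under /tmp is constructed by the program itself. With the old ordering the check runs before a file created with O_CREAT exists, so there is no inode to inspect and the policy has nothing to act on; with the patched ordering the file is opened first, the inode is available through fstat(), and denial is enforced by closing the descriptor and returning EACCES.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for the daemon's verdict. A real scanner would
 * examine the file contents; here we only look at the name and require
 * that inode information (st) is actually available. */
static int daemon_allows(const char *path, const struct stat *st) {
    size_t n = strlen(path);
    if (st == NULL)
        return 1;               /* nothing to inspect yet: cannot deny */
    return !(n >= 5 && strcmp(path + n - 5, ".deny") == 0);
}

/* Original ordering: consult the policy, then open. For a brand-new file
 * stat() fails, so the policy sees no inode. Returns 0 on success. */
int check_before_open(const char *path, int *inode_seen) {
    struct stat st;
    *inode_seen = (stat(path, &st) == 0);
    if (!daemon_allows(path, *inode_seen ? &st : NULL)) {
        errno = EACCES;
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Patched ordering: open first, inspect the now-existing inode, and on
 * denial close the descriptor and report EACCES. Returns the fd or -1. */
int open_then_check(const char *path, int *inode_seen) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    *inode_seen = (fstat(fd, &st) == 0);
    if (!daemon_allows(path, *inode_seen ? &st : NULL)) {
        close(fd);              /* mirrors calling the original sys_close */
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Runs both orderings against a new ".deny" file in a scratch directory.
 * Returns a bit mask: 1 = old ordering saw an inode, 2 = old ordering
 * created the file anyway, 4 = new ordering saw an inode, 8 = new
 * ordering denied with EACCES. Expected result is 14. */
int run_scenario(void) {
    char dir[] = "/tmp/dazuko-exXXXXXX";   /* constructed scratch dir */
    char path[256];
    int bits = 0, seen = 0, rc, fd;

    if (mkdtemp(dir) == NULL)
        return -1;

    snprintf(path, sizeof path, "%s/new1.deny", dir);
    rc = check_before_open(path, &seen);
    if (seen) bits |= 1;
    if (rc == 0 && access(path, F_OK) == 0) bits |= 2;
    unlink(path);

    snprintf(path, sizeof path, "%s/new2.deny", dir);
    fd = open_then_check(path, &seen);
    if (seen) bits |= 4;
    if (fd < 0 && errno == EACCES) bits |= 8;
    if (fd >= 0) close(fd);
    unlink(path);

    rmdir(dir);
    return bits;
}

int main(void) {
    int bits = run_scenario();
    printf("result mask: %d (old ordering saw inode: %s, file created: %s; "
           "new ordering saw inode: %s, denied: %s)\n", bits,
           (bits & 1) ? "yes" : "no", (bits & 2) ? "yes" : "no",
           (bits & 4) ? "yes" : "no", (bits & 8) ? "yes" : "no");
    return bits == 14 ? 0 : 1;
}
```

Note that in both the example and the patch the file has already been created on disk by the time a denial is issued; what the new ordering buys is that the daemon can identify the file and its inode at all, which is the point the message makes.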
