On Tue, Jun 16, 2009 at 6:07 PM, Shaz <shazal...@gmail.com> wrote:
>
> Hooks have nothing to do with sys_call_table. These hooks are callback
> functions (pointers to functions). If you read the LSM paper that is provided
> as a reference in an earlier message in the thread, then it has details. If
> you study the kernel code (one of the security.h) it has very clear
> definitions. These hooks can be studied via any online Linux cross-reference
> tool. Look into the code that calls them. They are mostly read and
> write system calls and have no effect on the sys call table!
>

I'm sorry, but "to hook the kernel" was the best way I could find to explain my
problem. I had a solution for stopping read/write/mount, and it involved
modifying the sys_call_table (which was not the way to go). I was looking for
another solution. LSM looks like the winner, although I'm not really sure
whether I can't use *kprobes* for this.

> You can even have a look at the Linux Integrity Module or simply the
> refurnished Integrity Measurement Architecture that implements its own
> integrity hooks. LIM has fewer hooks so it can be a better case study than
> LSM-based SELinux, SMACK and TOMOYO.
>

I will look at it. thx.

> Interceptions at library level are not safe and clear, although messing with
> the kernel is also not appreciated. It took IBM more than 5 years to get LIM
> accepted in the kernel :) Depends on your requirements and objectives.
>

I agree.

Marius
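As an added example (not code from either message, and not kernel code), here is a user-space C model of the mechanism Shaz describes: an LSM hook is a function-pointer slot that the kernel's own read/write path calls, so a policy module registers a callback and never writes to the syscall dispatch table. The names (security_hook_list, security_file_permission, sys_call_table) mirror the kernel's for readability, but the structures and the single-hook chain are a simplification; the "refuse writes under /var/log/" policy is a made-up stand-in for the read/write/mount restriction Marius wants, not anything from the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Access masks, same spirit as the kernel's MAY_READ / MAY_WRITE. */
#define MAY_WRITE 0x2
#define MAY_READ  0x4
#define MAX_LSMS  4

/* One hook slot: a callback taking the object and the requested access. */
typedef int (*file_permission_fn)(const char *path, int mask);

struct security_hook_list {
    const char *lsm_name;
    file_permission_fn file_permission;
};

/* Registered hooks in registration order (the kernel keeps a list per slot). */
static struct security_hook_list hook_heads[MAX_LSMS];
static int nr_hooks;

/* A policy module registers a callback; nothing else in the kernel changes. */
int security_add_hook(const char *name, file_permission_fn fn)
{
    if (fn == NULL)
        return -EINVAL;
    if (nr_hooks >= MAX_LSMS)
        return -ENOSPC;
    hook_heads[nr_hooks].lsm_name = name;
    hook_heads[nr_hooks].file_permission = fn;
    nr_hooks++;
    return 0;
}

/* Model of call_int_hook(): ask each registered LSM in turn; first denial wins. */
int security_file_permission(const char *path, int mask)
{
    for (int i = 0; i < nr_hooks; i++) {
        int rc = hook_heads[i].file_permission(path, mask);
        if (rc != 0)
            return rc;
    }
    return 0;
}

/* ---- the "kernel" side: syscall table and the VFS paths that call the hook ---- */

typedef long (*sys_call_ptr_t)(const char *path);

static long sys_read(const char *path)
{
    /* vfs_read() consults the LSM before doing any I/O; 0 means allowed. */
    return security_file_permission(path, MAY_READ);
}

static long sys_write(const char *path)
{
    return security_file_permission(path, MAY_WRITE);
}

/* Dispatch table: the LSM never touches it, unlike a syscall-table hook would. */
static const sys_call_ptr_t sys_call_table[] = { sys_read, sys_write };
#define __NR_read  0
#define __NR_write 1

long do_syscall(int nr, const char *path)
{
    return sys_call_table[nr](path);
}

/* Verifies that registering policy left the dispatch table exactly as built. */
int sys_call_table_pristine(void)
{
    return sys_call_table[__NR_read] == sys_read &&
           sys_call_table[__NR_write] == sys_write;
}

/* ---- a toy policy module (hypothetical, not an existing LSM) ---- */

/* Made-up policy: refuse writes under /var/log/, leave reads alone. */
static int demo_file_permission(const char *path, int mask)
{
    if ((mask & MAY_WRITE) && strncmp(path, "/var/log/", 9) == 0)
        return -EACCES;
    return 0;
}

int register_demo_lsm(void)
{
    static int registered;
    if (registered)
        return 0;
    registered = 1;
    return security_add_hook("demo", demo_file_permission);
}

int main(void)
{
    register_demo_lsm();
    printf("read  /var/log/syslog -> %ld\n", do_syscall(__NR_read, "/var/log/syslog"));
    printf("write /var/log/syslog -> %ld\n", do_syscall(__NR_write, "/var/log/syslog"));
    printf("write /tmp/scratch    -> %ld\n", do_syscall(__NR_write, "/tmp/scratch"));
    printf("sys_call_table untouched: %d\n", sys_call_table_pristine());
    return 0;
}
```

The point of the model is the control flow: the syscall entry stays whatever it was, the mediation decision is made inside the read/write path at the hook call, and a second LSM could be chained on the same slot without either one knowing about the dispatch table. A real LSM does the same with the hooks declared in include/linux/lsm_hooks.h and registered through the kernel's own API, which is what makes it acceptable where sys_call_table patching is not.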