Daniel Borkmann <dan...@iogearbox.net> wrote:
> As rule translation can potentially become very complex, this is performed
> entirely in user space. In order to ease deployment, request_module() code
> is extended to allow user mode helpers to be invoked. Idea is that user mode
> helpers are built as part of the kernel build and installed as traditional
> kernel modules with .ko file extension into distro specified location,
> such that from a distribution point of view, they are no different than
> regular kernel modules. Thus, allow request_module() logic to load such
> user mode helper (umh) binaries via:
>
> request_module("foo") ->
> call_umh("modprobe foo") ->
> sys_finit_module(FD of /lib/modules/.../foo.ko) ->
> call_umh(struct file)
>
> Such approach enables kernel to delegate functionality traditionally done
> by kernel modules into user space processes (either root or !root)
Unrelated: AFAIU this would allow to e.g. move the compat32 handlers
(which are very ugly/error prone) off to userspace?
compat_syscall -> umh_32_64_xlate -> syscall() ?
[ feel free to move this to different thread, only mentioning this
so I won't forget ]
