If you are running TrendMicro ServerProtect for Linux on a machine and real-time scanning is turned on, AFS will no longer start. The reason has to do with the sym table lookups that AFS does. In real-time scanning SPLX will mediate sys_table calls, but AFS circumvents that and gets lost. I know that in the long run the sys_table calls will vanish from the AFS code, so I don't know if it's worth doing anything about it. Anyway, here is the response that we got from TrendMicro about their investigation of the problem:
*** This email is automatically generated by the PSP 5.0 system. ***
*** PLEASE DO NOT REPLY TO THIS E-MAIL. ***
Hi Eric,
Here are the updates. In short > "I think it's openafs need to modify its
way to hook". Ok to close?
---------------------
<rudy 9/14/04 8:34AM PST> Hi Jeff, can you please send IBM our results.
Please let them know that we will probably recommend they first start afs
and then splx as previously mentioned. Thanks.
//allen 2004/9/10
Seems not possible.
The problem is that openafs wants the original sys_call_table for hooking;
if the sys_call_table has been modified, openafs will not be able to
recognize it, so hooking fails...
But if we want to provide realtime scanning, we must modify the
sys_call_table!!
I think it's openafs that needs to modify its way to hook, or it may conflict
with other software that modifies sys_call_table..
hook functions and therefore openafs doesn't find an appropriate return
value to hook file system. From SPLX standpoint is there any way we can
change the way we modify sys_call_table[__NR_exit] so that openafs can hook
the file system? If there isn't any way for a change in the SPLX code then
I will recommend the workaround. Also, do you know if openafs makes this
call only once at startup or will the call be made multiple times during
system operation? Thanks.
//allen 2004/9/8
Have found out a possible cause!!
the following is the code of openafs related to sys_call_table address
finding:
//////////////////////////
    ptr = (unsigned long *)&init_mm;
    datalen = 16384;
    for (offset = 0; offset < datalen; ptr++, offset++) {
        if (ptr[0] == (unsigned long)&sys_exit &&
            ptr[__NR_open - __NR_exit] == (unsigned long)&sys_open) {
            sys_call_table = ptr - __NR_exit;
            break;
        }
    }
    if (!sys_call_table) {
        printf("Failed to find address of sys_call_table\n");
        return -EIO;
    }
///////////////////////////////////
and the sys_call number for RHEL 3 is listed below.
__NR_exit 1
__NR_fork 2
__NR_read 3
__NR_write 4
__NR_open 5
__NR_close 6
:
:
Openafs will try to search in memory for a position where
ptr[0] contains the address of sys_exit and ptr[__NR_open - __NR_exit]
contains the address of sys_open.
If it is found, openafs will take this position as the address of
sys_call_table[__NR_exit]!! Then the start address of sys_call_table can be
found out..
But our splx will mediate sys_call_table, replacing the addresses stored in
sys_call_table[__NR_exit] and sys_call_table[__NR_open] with our
self-defined hook functions.. So openafs cannot find what it is supposed to
find.... And then it can't get the sys_call_table address...
So, the conflict only happens when realtime scan is on (the KHM will hook
sys_call only when the realtime scan function is turned on)!! If realtime scan
is off, there will be no conflict when starting openafs even if we turn on splx
and splxmod.o is inserted!!
I think IBM could start openafs when realtime scan is closed or even before
splx is installed!
Thank you,
Jeffrey Burge
----------------------------------------------------------------------
Dr. Frank Bagehorn
Manager Workstation & Server ZRL IS
IBM Zurich Research Lab.
Saeumerstr. 4
CH-8803 Rueschlikon
Switzerland
----------------------------------------------------------------------
SMTP: [EMAIL PROTECTED]
Notes: Frank Bagehorn/Zurich/[EMAIL PROTECTED]
phone: ++41 (01) 724 83 23 fax: ++41 (01) 724 89 59
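
The conflict analysed in the quoted message, reproduced in user space as an added example (not OpenAFS or SPLX code): the same search heuristic is run over a clean table and a hooked one, and then in the search-first, hook-afterwards order. The handler and hook functions, the `region` array and `TABLE_OFF` are constructed stand-ins; only the `__NR_exit`/`__NR_open` numbers come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_EXIT 1            /* RHEL 3 numbers quoted in the message */
#define NR_OPEN 5
#define REGION_LEN 64        /* constructed stand-in for the scanned memory */
#define TABLE_OFF 20         /* constructed: index where the table starts */

/* Hypothetical stand-ins for the kernel handlers and the scanner's hooks. */
static long real_exit(void) { return 1; }
static long real_open(void) { return 5; }
static long hook_exit(void) { return -1; }
static long hook_open(void) { return -5; }

static uintptr_t region[REGION_LEN];

static void install_hooks(void) {
    region[TABLE_OFF + NR_EXIT] = (uintptr_t)hook_exit;
    region[TABLE_OFF + NR_OPEN] = (uintptr_t)hook_open;
}

static void build_region(int hooked) {
    for (size_t i = 0; i < REGION_LEN; i++) region[i] = 0;
    region[TABLE_OFF + NR_EXIT] = (uintptr_t)real_exit;
    region[TABLE_OFF + NR_OPEN] = (uintptr_t)real_open;
    if (hooked) install_hooks();
}

/* Same heuristic as the quoted loop; returns the table's index or -1. */
static long find_table(void) {
    for (size_t off = NR_EXIT; off + (NR_OPEN - NR_EXIT) < REGION_LEN; off++)
        if (region[off] == (uintptr_t)real_exit &&
            region[off + NR_OPEN - NR_EXIT] == (uintptr_t)real_open)
            return (long)off - NR_EXIT;
    return -1;
}

static long scan(int hooked) { build_region(hooked); return find_table(); }

/* Search first, hook afterwards: the saved index stays valid. */
static int search_then_hook(void) {
    long t = scan(0);
    install_hooks();
    return t == TABLE_OFF && region[t + NR_OPEN] == (uintptr_t)hook_open;
}

int main(void) {
    printf("unhooked: %ld\nhooked: %ld\nsearch-then-hook ok: %d\n",
           scan(0), scan(1), search_then_hook());
    return 0;
}
```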
