> Whenever fopen("/etc/shadow", "r") is called, the tool would intercept
> it, run the verify() procedure, and return back to the syscall, allowing
> it to do its job.
This sounds like an LSM, possibly with a component which communicates
with userspace, depending on how sophisticated "verify"
>> I am writing some software that monitors a guest VM using virtual-machine
>> introspection and "hijacks" system calls under certain conditions. For
>> example, the program might inject an int3/breakpoint into the guest
>> kernel at the entry point to sys_open. When the breakpoint is hit, the
>>
I am writing some software that monitors a guest VM using virtual-machine
introspection and "hijacks" system calls under certain conditions. For
example, the program might inject an int3/breakpoint into the guest
kernel at the entry point to sys_open. When the breakpoint is hit, the
program might
I am working on a system which will monitor the system calls serviced
by an operating system running inside a VM. All of the software runs
outside of the VM, and I wish to avoid modifying or installing software
inside of the VM. Imagine an external monitor observing
PID/syscall/syscall parameters
Within the kernel and given a struct file *, is it possible to enumerate
the tasks which have mmap/MAP_SHARED'ed the file? I have tried to use
find_get_pages/rmap_walk on the file's f_mapping field, but this does
not seem to work. I find the mapping's first page with find_get_pages,
but rmap_walk
Some colleagues and I have been working on SimpleFlow, a simple
information-flow-based security module for Linux. Our goal is to
investigate the feasibility of implementing such a security model on
top of LSM and to produce a prototype which is useful for education and
certain computer-security
Is it possible to walk the processes already attached to a shared page
in an implementation of security_shm_shmat()?
I have a function:
static int my_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
int shmflag)
and I would like to find the