Re: intercepting syscalls

From: Randy.Dunlap
Date: Mon Apr 18 2005 - 10:20:52 EST

Next message: Vinay K Nallamothu: "[PATCH][2.6.12-rc2] __attribute__ placement"
Previous message: Jason Baietto: "nonlinear timeslice gap?"
In reply to: Terje Malmedal: "Re: intercepting syscalls"
Next in thread: Igor Shmukler: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 18 Apr 2005 10:48:03 -0400 Igor Shmukler wrote:

| Rik, (and everyone),
|
| Everything is IMHO only.
|
| It all boils down to whether:
| 1. it is hard to correctly implement such LKM so that it can be safely
| loaded and unloaded and when these modules are combined they may not
| work together until there is an interoperability workshop (like the
| one networking folks do).
| 2. it's not possible to do this right, hence no point to allow this in
| a first place.
|
| I am not a Linux expert by a long-shot, but on many other Unices it's
| being done and works. I am only asking because I am involved with a
| Linux port.
|
| I think if consensus is on choice one, then hiding the table is a
| mistake. We should not just close abusable interfaces. Rootkits do
| not need these, and if someone makes poor software we do not have to
| install it.
|
| Intercepting system call table is an elegant way to solve many
| problems. Any driver software has to be developed by expert
| programmers and can cause all the problems imaginable if it was not
| down right.
|
| Again, it's all IMHO. Nobody has to agree.

And 'nobody' has submitted patches that handle all of the described
problems...

1. racy
2. architecture-independent
3. stackable (implies/includes unstackable :)

You won't get very far in this discussion without some code...

| Igor
|
| On 4/18/05, Rik van Riel <riel@xxxxxxxxxx> wrote:
| > On Fri, 15 Apr 2005, Igor Shmukler wrote:
| >
| > > Thank you very much. I will check this out.
| > > A thanks to everyone else who contributed. I would still love to know
| > > why this is a bad idea.
| >
| > Because there is no safe way in which you could have multiple
| > of these modules loaded simultaneously - say one security
| > module and AFS. There is an SMP race during the installing
| > of the hooks, and the modules can still wreak havoc if they
| > get unloaded in the wrong order...
| >
| > There just isn't a good way to hook into the syscall table.

---
~Randy
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vinay K Nallamothu: "[PATCH][2.6.12-rc2] __attribute__ placement"
Previous message: Jason Baietto: "nonlinear timeslice gap?"
In reply to: Terje Malmedal: "Re: intercepting syscalls"
Next in thread: Igor Shmukler: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]