On Thu, Mar 14, 2002 at 01:19:20AM +0100, petter wahlman wrote: >> [syscall hijacking] > Yes, I know, but sadly there is no way to prevent using such a hack in > my case (I am developing a filesystem independent on-access AV driver), > so any suggestions to the previously mentioned problems are grately > apreciated. Document that someone loading your module should ensure that no other modules which perform syscall hijacking are loaded. I suppose you could also hijack the create_module(2), init_module(2), remove_module(2) syscalls to prevent anyone else from modifying the table after your module is loaded, and pray that any previous modules disable loading further modules if they also modify the syscall table. Hey! That is two suggestions: Document and Pray. :) -- http://sardonix.org/
Attachment:
pgp00044.pgp
Description: PGP signature
