On Thu, 2002-03-14 at 01:43, Seth Arnold wrote:
> On Thu, Mar 14, 2002 at 01:19:20AM +0100, petter wahlman wrote:
> >> [syscall hijacking]
> > Yes, I know, but sadly there is no way to prevent using such a hack in
> > my case (I am developing a filesystem independent on-access AV driver),
> > so any suggestions to the previously mentioned problems are greatly
> > appreciated.
>
> Document that someone loading your module should ensure that no other
> modules which perform syscall hijacking are loaded.
>

...or worse, will be loaded. Sadly I can't expect users of my driver to
understand such issues.

> I suppose you could also hijack the create_module(2), init_module(2),
> remove_module(2) syscalls to prevent anyone else from modifying the
> table after your module is loaded, and pray that any previous modules
> disable loading further modules if they also modify the syscall table.

I do not see how I can prevent someone from hooking a syscall with this
approach - except for disallowing loading of modules, which is a little
bit drastic ;). I suppose a nice feature would be a run-time
UNEXPORT_SYMBOL(sys_call_table).

>
> Hey! That is two suggestions:

Yes, and they were much appreciated :)

> Document and Pray.
>
> :)
>
> --
> http://sardonix.org/

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/