Re: trapping execve()

On Thursday 23 May 2002 04:37 am, John Levon wrote:
> On Thu, May 23, 2002 at 03:12:50AM +0530, Sridhar N wrote:
> > 1) why isn't modifying syscalltable safe under module unloading ?
>
> Now consider what happens if a process is sleeping in
> old_sys_init_module somewhere (i.e. sleeping in the kernel), and
> somebody does a rmmod. This code (my_sys_init_module) is unmapped. Now
> the process wakes up and tries to return to "some code" above.
> Unfortunately, at this point the vfat module has been autoloaded and
> /its/ code is now taking up this space. You just trashed your windows
> partition.

ok, I get your point.  Well, assuming what you've given is general to all 
syscalls, is it possible to insmod the module once, with an enable/disable 
flag, so that when the IDS is to be switched on, I just enable the flag to 
enable filtering. And instead of removing the module, I just reset the flag.  
Of course, *all* syscalls *all* the time, have to go through my code, even if 
the IDS is off. That is an overhead and a drawback, but at least I *think* 
that should be safe.  Are my assumptions right?

> [1] in fact my tests have /never/ caused this race in this manner, but
> that's not the point

It would be pretty ironic if an IDS screws up the file systems or anything 
else on the machine. I just can't take chances, can I?

regards
Sridhar
-- 
Anyone can do any amount of work provided it isn't the work he is supposed to 
be doing
		-- Murphy's Laws on Work
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
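
The flag-gated design proposed in the message above, as a userspace model added here for illustration; it is not code from the thread and not kernel code. A single function-pointer slot stands in for the syscall table, and every name in it (`wrapper_exec`, `ids_set`, the `/tmp/` rule) is hypothetical. It shows a call that is in progress when the flag is cleared still returning through the wrapper, which is never removed.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: one table slot stands in for the syscall table. */
typedef int (*exec_fn)(const char *path);
static atomic_bool ids_enabled;      /* the enable/disable flag */
static atomic_int in_wrapper;        /* callers currently inside the wrapper */
static exec_fn orig_exec;            /* saved original handler */
static void (*during_call)(void);    /* hook run while the original "sleeps" */
static int seen_in_flight;
/* Stand-in for the original handler; the hook models a sleep point. */
static int real_exec(const char *path) {
    (void)path;
    if (during_call) during_call();
    return 0;
}
static exec_fn table_slot = real_exec;
/* Constructed policy for the example: deny anything under /tmp/. */
static int policy_denies(const char *p) { return strncmp(p, "/tmp/", 5) == 0; }

/* Installed once and never removed, so a caller sleeping in orig_exec
 * returns into code that is still present. */
static int wrapper_exec(const char *path) {
    int ret;
    atomic_fetch_add(&in_wrapper, 1);
    if (atomic_load(&ids_enabled) && policy_denies(path))
        ret = -1;                    /* filtered */
    else
        ret = orig_exec(path);       /* pass-through, paid even when off */
    atomic_fetch_sub(&in_wrapper, 1);
    return ret;
}
static void ids_install(void) { orig_exec = table_slot; table_slot = wrapper_exec; }
static void ids_set(int on) { atomic_store(&ids_enabled, on != 0); }
static int ids_in_flight(void) { return atomic_load(&in_wrapper); }
static int do_exec(const char *path) { return table_slot(path); }
/* Simulates "switch the IDS off" arriving while a call is in progress. */
static void disable_mid_call(void) { seen_in_flight = ids_in_flight(); ids_set(0); }

int main(void) {
    ids_install();
    ids_set(1);
    printf("on:  /tmp/x -> %d\n", do_exec("/tmp/x"));
    during_call = disable_mid_call;
    int r = do_exec("/bin/ls");      /* flag flips while this call runs */
    printf("mid: /bin/ls -> %d, in flight %d\n", r, seen_in_flight);
    printf("off: /tmp/x -> %d\n", do_exec("/tmp/x"));
}
```

The model does not cover the moment the slot is first swapped, nor SMP ordering in a real kernel; it only illustrates the flag taking the place of unloading.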

