I was working with a similar issue a couple of weeks ago. Check the archives for some of the advice I was given.
Just to recap: I wanted to catch all the open, read, and write system calls and perform some operations before the file actually got handed back from the kernel. In the past, it has been very easy to overload system calls in a loadable kernel module by just getting a pointer to, say, the read() system call and replacing it with a pointer to my_read(). Pointers to various system calls could be obtained by simply calling export sys_call_table() in your module. Redhat (in v2.4 kernels) and Linus (in v2.6 kernels) have decided that this is too much of a security hole. It allows script kiddies to sit on your box undetected by running their evil behind the authority of the kernel. You can no longer export the system call table.
The moral of the story is that I have been struggling with this problem for a while, and as of yet there is not a good solution. File locks do not send signals to the locking process. The new LSM is ugly, and it is totally unclear how to get this sort of thing done under the LSM framework. As far as I can tell, you simply can't interpose code between the user and the kernel any more. Is this good? In our new securitarian society the consensus seems to be yes.
Good luck,
Brian Rossa
Dept. of Cognitive & Neural Systems, Boston University
Srinivas Vedula wrote:
Hello,
I am trying to write a transparent interface to some encrypted files so that the user does not notice that the files are stored encrypted. All the files are encrypted using the same key and algorithm.
As a quick hack I thought of catching the necessary system calls (like open, read, write), doing the necessary encryption or decryption, and returning the data to the user. This will work with write, as the processing is done before calling the system call. But with read the processing has to be done after the system call completes. This could perhaps be done by changing the way system calls return in entry.S, but I am not sure how to do this.
Could someone suggest whether this is a good way to proceed, or if there is a better solution? I do not want to use an encrypted filesystem because the files are very few and are spread across different directories.
Thanks, Srinivas
-- Kernelnewbies: Help each other learn about the Linux kernel. Archive: http://mail.nl.linux.org/kernelnewbies/ FAQ: http://kernelnewbies.org/faq/
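An added example, not code from either message in this thread: the "wrap the call and transform the buffer" scheme that both messages discuss, done in user space against POSIX read()/write() rather than by replacing sys_read/sys_write in the system call table, so it can be compiled and run without a kernel module. It shows the ordering point Srinivas raises (transform a copy before the real write, transform the returned bytes after the real read) and goes one step further than the thread: because read() and write() can start at any file offset and can return short counts, the keystream must be a function of the absolute file offset, not of how many bytes the previous call processed. The key, the plaintext, the /tmp file and the keystream function are all constructed for this example; the keystream is a stand-in mixer, not a cipher, and a real implementation would use AES in CTR or XTS mode with a per-file nonce.

```c
/* Added example (not from the thread): user-space sketch of the
 * "wrap read()/write(), transform the buffer" idea, keyed by file offset.
 * Everything below (key, message, temp-file path, keystream) is constructed;
 * ks_byte() is a toy mixer standing in for a real seekable cipher mode. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Toy keystream byte for absolute file offset `off` (ASSUMPTION: not secure).
 * The only property the wrappers rely on is that it depends on (key, off)
 * and never on the size of earlier reads or writes. */
static uint8_t ks_byte(const uint8_t *key, size_t keylen, off_t off)
{
    uint64_t x = (uint64_t)off * 0x9E3779B97F4A7C15ULL;
    x ^= (uint64_t)key[(size_t)off % keylen] * 0x100000001B3ULL;
    x ^= x >> 29; x *= 0xBF58476D1CE4E5B9ULL; x ^= x >> 32;
    return (uint8_t)x;
}

/* XOR with the keystream is its own inverse: one routine for both directions. */
static void xor_at(uint8_t *buf, size_t n, off_t off,
                   const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= ks_byte(key, keylen, off + (off_t)i);
}

/* The my_write() side: transform a private copy BEFORE the real write(),
 * so the caller's buffer is never modified and the file offset is read
 * from the fd rather than tracked separately. */
ssize_t enc_write(int fd, const void *buf, size_t n,
                  const uint8_t *key, size_t keylen)
{
    off_t off = lseek(fd, 0, SEEK_CUR);
    if (off < 0) return -1;                 /* bad fd or unseekable file */
    uint8_t *tmp = malloc(n ? n : 1);
    if (!tmp) return -1;
    memcpy(tmp, buf, n);
    xor_at(tmp, n, off, key, keylen);
    ssize_t w = write(fd, tmp, n);
    free(tmp);
    return w;
}

/* The my_read() side: let the real read() complete, then transform only the
 * bytes it actually returned. A short read must not touch the rest of buf. */
ssize_t dec_read(int fd, void *buf, size_t n,
                 const uint8_t *key, size_t keylen)
{
    off_t off = lseek(fd, 0, SEEK_CUR);
    if (off < 0) return -1;
    ssize_t r = read(fd, buf, n);
    if (r > 0) xor_at((uint8_t *)buf, (size_t)r, off, key, keylen);
    return r;
}

/* Round trip through an unlinked temp file. Returns 0 on success, otherwise
 * the number of the step that failed. Writes the message in two pieces,
 * reads it back raw (must not equal the plaintext), then seeks into the
 * middle and reads with dec_read() to show partial reads decrypt correctly. */
int demo_roundtrip(void)
{
    static const uint8_t key[] = "same-key-for-every-file";    /* constructed */
    const char *msg = "secret payroll data, do not leak";      /* constructed */
    size_t len = strlen(msg), keylen = sizeof key - 1;
    char path[] = "/tmp/encXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    unlink(path);

    if (enc_write(fd, msg, 10, key, keylen) != 10) return 2;
    if (enc_write(fd, msg + 10, len - 10, key, keylen) != (ssize_t)(len - 10)) return 3;

    uint8_t raw[64];
    if (lseek(fd, 0, SEEK_SET) != 0) return 4;
    if (read(fd, raw, sizeof raw) != (ssize_t)len) return 5;
    if (memcmp(raw, msg, len) == 0) return 6;          /* bytes on disk are not plaintext */

    char back[64] = {0};
    if (lseek(fd, 7, SEEK_SET) != 7) return 7;
    if (dec_read(fd, back, sizeof back - 1, key, keylen) != (ssize_t)(len - 7)) return 8;
    if (memcmp(back, msg + 7, len - 7) != 0) return 9; /* mid-file read decrypts */

    close(fd);
    return 0;
}

int main(void)
{
    int rc = demo_roundtrip();
    if (rc == 0) puts("round trip ok");
    else printf("step %d failed\n", rc);
    return rc;
}
```

Moving the same two wrappers into the kernel is exactly what replacing the sys_read/sys_write entries in sys_call_table used to achieve; the offset-keyed keystream is what makes the scheme survive lseek(), short reads and writes that straddle the boundary of an earlier write, which a keystream that simply continues from the last call would not.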