On Tue, Jun 16, 2009 at 3:42 PM, Sandu Popa Marius <sandupopamarius@xxxxxxxxx> wrote:
Hooks have nothing to do with sys_call_table. These hooks are callback functions (pointers to functions). If you read the LSM paper that is provided as a reference in an earlier message in the thread, then it has details. If you study the kernel code (one of the security.h files) it has very clear definitions. These hooks can be studied via any online Linux cross-reference tool. Look into the code that calls them. They are mostly read and write system calls and have no effect on the sys call table!
You can even have a look at the Linux Integrity Module or simply the refurbished Integrity Measurement Architecture that implements its own integrity hooks. LIM has fewer hooks so it can be a better case study than LSM-based SELinux, SMACK and TOMOYO.
Interception at library level is not safe and clear, although messing with the kernel is also not appreciated. It took IBM more than 5 years to get LIM accepted in the kernel :) It depends on your requirements and objectives.
Is there a way the hook Linux kernel without modifying the sys_call_table?
This should actually be:
Is there a way to hook the Linux kernel without modifying the sys_call_table?
Sorry for the brain trauma :).
No problem because we all suffer the same trauma :)
Marius
--
Shaz
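The hook mechanism Shaz describes above (a table of callback pointers consulted from inside the read/write path, while the syscall table is left untouched) modelled in user-space C. This is an added example, not code from the thread or from the kernel: struct security_operations, register_security() and security_file_permission() mirror the names of the 2009-era LSM interface but are simplified stand-ins, and the open-file table, the syscall numbers and the deny_tmp_write policy module are constructed for the illustration.

```c
/* User-space model of LSM-style hooking (added example, not kernel code).
 * The point: a security module installs a table of callbacks; the VFS-like
 * read/write path calls them; the syscall table is never modified. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define MAY_READ  1
#define MAY_WRITE 2

/* Constructed stand-in for an open file: path plus open-mode bitmask. */
struct file {
    const char *path;
    unsigned int mode;
};

/* A table of callback pointers, in the shape of struct security_operations. */
struct security_operations {
    const char *name;
    int (*file_permission)(struct file *f, int mask);
};

/* Default ops: allow everything, like the old "dummy" module. */
static int default_file_permission(struct file *f, int mask) { (void)f; (void)mask; return 0; }
static struct security_operations default_ops = { "default", default_file_permission };
static struct security_operations *security_ops = &default_ops;

/* register_security(): swap in a module's hook table. Only this pointer
 * changes; nothing below touches sys_call_table. One module at a time. */
int register_security(struct security_operations *ops) {
    if (!ops || !ops->file_permission) return -EINVAL;
    if (security_ops != &default_ops) return -EAGAIN;
    security_ops = ops;
    return 0;
}

/* The wrapper the file-operation code calls: the actual LSM mediation point. */
static int security_file_permission(struct file *f, int mask) {
    return security_ops->file_permission(f, mask);
}

/* Constructed open-file table: fd 0 read-only, fd 1 read/write. */
static struct file files[] = {
    { "/etc/passwd",  MAY_READ },
    { "/tmp/scratch", MAY_READ | MAY_WRITE },
};

/* vfs_rw(): ordinary open-mode check first, then the security hook. */
static long vfs_rw(int fd, int mask, long len) {
    if (fd < 0 || fd >= (int)(sizeof files / sizeof files[0])) return -EBADF;
    struct file *f = &files[fd];
    if (!(f->mode & mask)) return -EBADF;
    int rc = security_file_permission(f, mask);
    if (rc) return rc;
    return len;                      /* pretend every byte was transferred */
}

typedef long (*syscall_fn)(int fd, const char *buf, long len);
static long sys_read(int fd, const char *buf, long len)  { (void)buf; return vfs_rw(fd, MAY_READ, len); }
static long sys_write(int fd, const char *buf, long len) { (void)buf; return vfs_rw(fd, MAY_WRITE, len); }

/* Model syscall table; the indices are constructed, not real x86 numbers. */
enum { NR_READ = 0, NR_WRITE = 1 };
static const syscall_fn sys_call_table[] = { sys_read, sys_write };

long do_syscall(int nr, int fd, const char *buf, long len) {
    if (nr < 0 || nr >= (int)(sizeof sys_call_table / sizeof sys_call_table[0])) return -ENOSYS;
    return sys_call_table[nr](fd, buf, len);
}

/* Example policy module (constructed): refuse writes to anything under /tmp. */
static int deny_tmp_write(struct file *f, int mask) {
    if ((mask & MAY_WRITE) && strncmp(f->path, "/tmp/", 5) == 0) return -EACCES;
    return 0;
}
static struct security_operations deny_tmp_ops = { "deny_tmp_write", deny_tmp_write };

int install_example_module(void) { return register_security(&deny_tmp_ops); }

/* Returns 1 if the syscall table still points at the original handlers. */
int syscall_table_intact(void) {
    return sys_call_table[NR_READ] == sys_read && sys_call_table[NR_WRITE] == sys_write;
}

int main(void) {
    printf("before module: write(fd 1) -> %ld\n", do_syscall(NR_WRITE, 1, "x", 1));
    install_example_module();
    printf("after module:  write(fd 1) -> %ld (EACCES is %d)\n", do_syscall(NR_WRITE, 1, "x", 1), -EACCES);
    printf("syscall table intact: %d\n", syscall_table_intact());
    return 0;
}
```

After the module is registered the write to fd 1 is refused with -EACCES while reads keep working, and syscall_table_intact() still reports 1: the policy took effect through the callback pointer inside the write path, which is exactly why hooking this way needs no change to sys_call_table.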