On Tue, Jun 16, 2009 at 6:07 PM, Shaz <shazalive@xxxxxxxxx> wrote:
> Hooks have nothing to do with sys_call_table. These hooks are callback functions (pointers to functions). If you read the LSM paper that is provided as a reference in an earlier message in the thread, it has the details. If you study the kernel code (one of the security.h files) it has very clear definitions. These hooks can be studied via any online Linux cross-reference tool. Look into the code that calls them. They are mostly the read and write system calls, and there is no effect on the sys_call_table!
I'm sorry, but "to hook the kernel" was the best way I could find to explain my problem. I had a solution to stopping read/write/mount and it involved modifying the sys_call_table (which was not the way to go). I was looking for another solution. LSM looks like the winner, although I'm not really sure if I can't use kprobes for this.
> You can even have a look at the Linux Integrity Module, or simply the refurbished Integrity Measurement Architecture, which implements its own integrity hooks. LIM has fewer hooks, so it can be a better case study than LSM-based SELinux, SMACK and TOMOYO.
I will look at it. thx.
> Interception at the library level is not safe and clear, although messing with the kernel is also not appreciated. It took IBM more than 5 years to get LIM accepted in the kernel :) It depends on your requirements and objectives.
I agree.
Marius
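An added userspace model (written for this page, not code from the thread or from any kernel tree) of the point made above: the policy module registers a callback that sys_read/sys_write consult, and sys_call_table is never rewritten. Names such as demo(), add_hook() and the /protected/ rule are made up for the example; the real kernel API (the security_* functions and their hook lists) is only loosely mirrored.

```c
/* Constructed userspace model, not kernel code: an LSM-style hook is a
 * callback invoked from inside the read/write path, so the syscall table
 * stays a plain function-pointer array that nothing below ever rewrites. */
#include <string.h>
#define EPERM     1
#define MAY_WRITE 0x2
#define MAY_READ  0x4
struct file { const char *path; };

/* One registered hook; loosely modeled on the kernel's hook lists. */
struct hook_list {
    int (*file_permission)(struct file *f, int mask);
    struct hook_list *next;
};
static struct hook_list *file_permission_hooks;
static void add_hook(struct hook_list *h) { h->next = file_permission_hooks; file_permission_hooks = h; }

/* Like the kernel's call_int_hook(): the first non-zero verdict wins. */
static int security_file_permission(struct file *f, int mask)
{
    for (struct hook_list *h = file_permission_hooks; h; h = h->next) {
        int rc = h->file_permission(f, mask);
        if (rc) return rc;
    }
    return 0;
}

/* The "system calls": asking the hook is their only coupling to policy. */
static int sys_read(struct file *f)  { return -security_file_permission(f, MAY_READ); }
static int sys_write(struct file *f) { return -security_file_permission(f, MAY_WRITE); }
/* Fixed syscall table: never patched; its callees consult the hooks instead. */
static int (*const sys_call_table[])(struct file *) = { sys_read, sys_write };

/* Toy policy module (made up for this example): refuse writes under /protected/. */
static int deny_protected_write(struct file *f, int mask)
{
    return (mask & MAY_WRITE) && !strncmp(f->path, "/protected/", 11) ? EPERM : 0;
}
static struct hook_list demo_module = { deny_protected_write, NULL };

/* Registers the module once, then dispatches through the table; 0 = allowed. */
int demo(const char *path, int is_write)
{
    static int registered;
    if (!registered) { add_hook(&demo_module); registered = 1; }
    struct file f = { path };
    return sys_call_table[is_write ? 1 : 0](&f);
}
```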