Re: trapping execve()
On Thursday 23 May 2002 04:37 am, John Levon wrote:
> On Thu, May 23, 2002 at 03:12:50AM +0530, Sridhar N wrote:
> > 1) why isn't modifying syscalltable safe under module unloading ?
>
> Now consider what happens if a process is sleeping in
> old_sys_init_module somewhere (i.e. sleeping in the kernel), and
> somebody does an rmmod. This code (my_sys_init_module) is unmapped. Now
> the process wakes up and tries to return to "some code" above.
> Unfortunately, at this point the vfat module has been autoloaded and
> /its/ code is now taking up this space. You just trashed your windows
> partition.
OK, I get your point. Well, assuming what you've given is general to all
syscalls, is it possible to insmod the module once, with an enable/disable
flag, so that when the IDS is to be switched on, I just enable the flag to
enable filtering. And instead of removing the module, I just reset the flag.
Of course, *all* syscalls *all* the time, have to go through my code, even if
the IDS is off. That is an overhead and a drawback, but at least I *think*
that should be safe. Are my assumptions right?
> [1] in fact my tests have /never/ caused this race in this manner, but
> that's not the point
It would be pretty ironic if an IDS screws up the file systems or anything
else on the machine. I just can't take chances, can I?
regards
Sridhar
--
Anyone can do any amount of work provided it isn't the work he is supposed to
be doing
-- Murphy's Laws on Work
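The "hook once, toggle with a flag" scheme proposed above, as an added example that is not code from the thread or from either poster. It is a user-space model: the `sys_call_table` array, `sys_execve`, `NR_syscalls` and `__NR_execve` here are stand-ins for the kernel's, chosen only so the control flow can be exercised and checked. The wrapper `my_sys_execve` is installed exactly once and is never removed; switching the IDS on or off only flips an atomic flag, and every execve() still passes through the wrapper and on to the saved original handler.

```c
/*
 * Added example, not from the kernelnewbies thread: a user-space model
 * of hooking one syscall table entry once and controlling the IDS with
 * a flag instead of insmod/rmmod. Table, handler and numbers are stand-ins.
 */
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define NR_syscalls 4      /* placeholder size, not the kernel's value */
#define __NR_execve 1      /* placeholder number, not the kernel's value */

typedef long (*syscall_fn)(const char *path);

/* Stand-in for the kernel's real sys_execve: it just "succeeds". */
static long sys_execve(const char *path)
{
    (void)path;
    return 0;
}

/* Stand-in for the kernel's sys_call_table, populated "at boot". */
static syscall_fn sys_call_table[NR_syscalls] = {
    [__NR_execve] = sys_execve,
};

/* Saved original entry so the wrapper can forward to it. */
static syscall_fn old_sys_execve;

/* The IDS switch. The wrapper stays installed for the lifetime of the
 * module; this flag is the only thing that changes. */
static atomic_int ids_enabled;

/* How many execve() calls the IDS actually inspected, and the last path. */
static atomic_long ids_events;
static char ids_last_path[256];

/* The hook. Every execve() goes through here, IDS on or off. */
static long my_sys_execve(const char *path)
{
    if (atomic_load(&ids_enabled)) {
        /* Inspection / logging would happen here. */
        atomic_fetch_add(&ids_events, 1);
        snprintf(ids_last_path, sizeof ids_last_path, "%s", path);
    }
    /* Always forward to the original handler. */
    return old_sys_execve(path);
}

/* Equivalent of init_module(): swap the table entry exactly once. */
int ids_module_init(void)
{
    if (old_sys_execve)
        return -1;              /* already installed */
    old_sys_execve = sys_call_table[__NR_execve];
    sys_call_table[__NR_execve] = my_sys_execve;
    return 0;
}

/* What "switching the IDS on/off" does instead of insmod/rmmod. */
void ids_set_enabled(int on)
{
    atomic_store(&ids_enabled, on ? 1 : 0);
}

int ids_is_hooked(void)
{
    return sys_call_table[__NR_execve] == my_sys_execve;
}

long ids_event_count(void)
{
    return atomic_load(&ids_events);
}

const char *ids_last_seen(void)
{
    return ids_last_path;
}

/* Stand-in for a process entering the kernel through the table. */
long do_syscall_execve(const char *path)
{
    return sys_call_table[__NR_execve](path);
}

int main(void)
{
    ids_module_init();
    do_syscall_execve("/bin/true");     /* IDS off: passes through unseen */
    ids_set_enabled(1);
    do_syscall_execve("/usr/bin/id");   /* IDS on: inspected and counted */
    ids_set_enabled(0);
    do_syscall_execve("/bin/sh");       /* IDS off again, still hooked */
    printf("hooked=%d events=%ld last=%s\n",
           ids_is_hooked(), ids_event_count(), ids_last_seen());
    return 0;
}
```

The point the model makes is that disabling the IDS leaves the table entry pointing at the wrapper, so there is never a moment when a sleeping caller could return into code that has been unmapped. That only holds as long as the module really is never unloaded: the flag replaces rmmod, it does not make rmmod safe.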
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/