Re: trapping execve()
On Wed, May 29, 2002 at 07:22:46AM +0530, Sridhar N wrote:
> OK, I get your point. Well, assuming what you've given is general to all
> syscalls, is it possible to insmod the module once, with an enable/disable
> flag, so that when the IDS is to be switched on, I just enable the flag to
> enable filtering. And instead of removing the module, I just reset the flag.
> Of course, *all* syscalls *all* the time, have to go through my code, even if
> the IDS is off. That is an overhead and a drawback, but at least I *think*
> that should be safe. Are my assumptions right?
Actually things are slightly better than that. You can still switch back
to the old system call pointers in the table, it's just you can never be
*completely sure* that you can unload the module.
> It would be pretty ironic if an IDS screws up the file systems or anything
> else on the machine. I just can't take chances, can I ?
Indeed
regards
john
--
"Time is a great teacher, but unfortunately it kills all its pupils."
- Hector Louis Berlioz
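The point John makes above, that the table pointers can be put back but unloading is never completely safe, is easier to see in a model. The following is an added user-space model written for this archive page; it is not kernel code and not anything the thread's participants posted. The one-slot sys_call_table, NR_EXECVE, real_execve, the "/tmp/" detection rule and the slow_execve_then_restore scenario are all constructed stand-ins. It keeps Sridhar's enable/disable flag, counts callers currently inside the wrapper, and shows that restoring the pointer leaves a caller still executing the module's code.

```c
/* Added user-space model (not kernel code, not from the thread) of a syscall-table
 * hook with an enable/disable flag. sys_call_table, NR_EXECVE, real_execve and the
 * "/tmp/" detection rule are all constructed stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(const char *path);

static long execve_calls = 0;   /* calls that reached the stand-in "real" execve */
static long ids_alerts   = 0;   /* calls the IDS flagged */

/* Stand-in for the kernel's own sys_execve (constructed). */
static long real_execve(const char *path) { (void)path; execve_calls++; return 0; }

/* One-slot stand-in for the kernel's syscall table. */
#define NR_EXECVE 0
static syscall_fn sys_call_table[1] = { real_execve };

static syscall_fn saved_execve;   /* original pointer, restored on unload */
static atomic_bool ids_enabled;   /* the enable/disable flag from the thread */
static atomic_int  in_flight;     /* callers currently executing our wrapper */

/* The wrapper installed in the table. While the module is loaded every execve
 * passes through here; the flag only decides whether the IDS logic runs. */
static long hooked_execve(const char *path) {
    atomic_fetch_add(&in_flight, 1);
    if (atomic_load(&ids_enabled) && strncmp(path, "/tmp/", 5) == 0)
        ids_alerts++;   /* constructed detection rule: exec from /tmp */
    long ret = saved_execve(path);
    atomic_fetch_sub(&in_flight, 1);
    return ret;
}

void install_hook(void) {
    saved_execve = sys_call_table[NR_EXECVE];
    sys_call_table[NR_EXECVE] = hooked_execve;
}

void ids_set_enabled(bool on) { atomic_store(&ids_enabled, on); }

/* Put the old pointer back. Returns how many callers are still inside the
 * wrapper at that moment: the table is clean, but they are not finished. */
int restore_hook(void) {
    sys_call_table[NR_EXECVE] = saved_execve;
    return atomic_load(&in_flight);
}

/* Freeing the module's code is safe only if the table no longer points at us
 * AND nobody is still executing the wrapper. Even this counter cannot see a
 * task that fetched the hooked pointer but has not yet entered the wrapper,
 * which is why unloading is never completely safe. */
bool module_can_unload(void) {
    return sys_call_table[NR_EXECVE] != hooked_execve && atomic_load(&in_flight) == 0;
}

/* Stand-in for the syscall entry path: dispatch through the table. */
long do_execve(const char *path) { return sys_call_table[NR_EXECVE](path); }

/* Scenario: a slow execve is in progress when the pointer is restored.
 * This stand-in "real" execve restores the hook mid-call and records what
 * the in-flight counter showed at that instant. */
static int in_flight_at_restore = -1;
static long slow_execve_then_restore(const char *path) {
    (void)path;
    in_flight_at_restore = restore_hook();
    return 0;
}

/* Runs the scenario; returns the in-flight count seen when the table was
 * restored (1: the caller is still inside our wrapper). */
int demo_restore_while_in_flight(void) {
    sys_call_table[NR_EXECVE] = slow_execve_then_restore;
    install_hook();
    do_execve("/tmp/script");                  /* restore happens inside this call */
    sys_call_table[NR_EXECVE] = real_execve;   /* back to the plain table */
    return in_flight_at_restore;
}

int main(void) {
    printf("in-flight callers at restore time: %d\n", demo_restore_while_in_flight());
    install_hook();
    ids_set_enabled(true);
    do_execve("/tmp/script");
    do_execve("/usr/bin/ls");
    printf("alerts=%ld reached_execve=%ld can_unload=%d\n",
           ids_alerts, execve_calls, module_can_unload());
    printf("after restore: in-flight=%d can_unload=%d\n",
           restore_hook(), module_can_unload());
    return 0;
}
```

With the flag off the wrapper is a pure pass-through, which is the overhead Sridhar accepts; with it on, only the detection rule changes. The demo scenario is the hazard John describes: restore_hook() returns 1 because a caller is still executing the wrapper after the table has been repaired, so the module's code must stay resident even though nothing in the table points at it any more.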
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/