2002-10-21 17:37:13

by Henrý Þór Baldursson

Subject: System call wrapping


Dear sirs,
I work for FRISK Software International. We are an Antivirus company.
Our product is the F-Prot Antivirus scanner.

We have started to port our application to the Linux platform in an
effort to provide system administrators with means to scan the content
they supply their workstations with via Linux servers.
In our Windows product we have something called "Realtime protector"
which monitors file access on Windows running machines and scans them
before allowing access.

We now want, due to customer demand, to supply our Linux users with
similar functionality, and we've created a 2.4.x kernel module which
wrapped the open system call by means of overwriting
sys_call_table[__NR_open]. We did realize that this is a bad idea if a
user loads another module doing the same, and then unloads in the wrong
order. And also that this is not a very pretty method. But it worked.

Apparently, this is something you kernel hackers don't approve of, since
you've recently removed EXPORT_SYMBOL(sys_call_table) from
kernel/ksyms.c - so my question is whether there is some other preferred
method for accomplishing this without forcing the user to patch and
compile a new kernel. Is there some API for wrapping system calls which
I am unaware of, or are there plans to provide one?

Best regards,

Henrý Þór Baldursson, Linux Developer
FRISK Software International
http://www.f-prot.com
http://aves.f-prot.com




2002-10-21 17:50:19

by Alan

Subject: Re: System call wrapping

On Mon, 2002-10-21 at 18:42, Henrý Þór Baldursson wrote:
> In our Windows product we have something called "Realtime protector"
> which monitors file access on Windows running machines and scans them
> before allowing access.

So what you want to do is get notification of new file creations ?

> sys_call_table[__NR_open]. We did realize that this is a bad idea if a
> user loads another module doing the same, and then unloads in the wrong
> order. And also that this is not a very pretty method. But it worked.

It's also useless because I can switch paths around under your analyser
and fool you into missing things. Wrappers don't work; it's also why snare
is so limited in value, for example.

There are interfaces for monitoring directories for new file creations -
using things like dnotify from user space. They may be sufficient, but
if not the right question is "how do we make a real solution work" not
how do we hack half working tricks into syscall entry points.

> compile a new kernel. Is there some API for wrapping system calls which
> I am unaware of, or are there plans to provide one?

In general there isn't, nor should there need to be.
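
The path switch Alan describes, as an added example that is not part of the thread and not FRISK's or the kernel's code: a wrapper that scans by name and then opens by name can be fed a clean file for the scan and a different file for the open, because the name is re-pointed (here by rename()) in between. The version that opens first and scans the descriptor it is about to hand out has no such window, since the descriptor is bound to the inode, not the name. The race is made deterministic with a callback standing in for the attacker; the "signature", file names and directory are constructed for the demo. Written for Linux.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed toy "signature": a file whose first bytes contain it counts as
   infected. Not a real detection, just enough to tell the two samples apart. */
#define TOY_SIGNATURE "TOY-MALWARE-SIGNATURE"
#define PATHBUF 4096

/* Scan the object behind an already-open descriptor. pread() leaves the
   caller's file offset alone. Unreadable content is treated as infected
   (fail closed). */
static int fd_is_infected(int fd) {
    char buf[128];
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n < 0) return 1;
    buf[n] = '\0';
    return strstr(buf, TOY_SIGNATURE) != NULL;
}

/* Scan by name: resolve the path, scan, throw the descriptor away. */
static int path_is_infected(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 1;
    int infected = fd_is_infected(fd);
    close(fd);
    return infected;
}

/* Vulnerable wrapper: checks the *name*, then opens the *name* again.
   `between` stands in for what another process does while the wrapper is
   busy; a real attacker simply races it, whether the wrapper lives in a
   preloaded library or in a hooked syscall entry. */
int checked_open_by_path(const char *path, void (*between)(void *), void *arg) {
    if (path_is_infected(path)) return -1;
    if (between) between(arg);
    return open(path, O_RDONLY);
}

/* Safer wrapper: open first, then scan the descriptor that will be handed
   out. A rename in the window changes nothing for this descriptor. */
int checked_open_by_fd(const char *path, void (*between)(void *), void *arg) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (between) between(arg);
    if (fd_is_infected(fd)) { close(fd); return -1; }
    return fd;
}

struct swap { char from[PATHBUF]; char to[PATHBUF]; };

/* The attacker's move: re-point the clean name at the malicious file. */
static void attacker_swap(void *arg) {
    struct swap *s = arg;
    rename(s->from, s->to);
}

static int write_file(const char *path, const char *content) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

/* Builds a clean file and a malicious file in a fresh directory, then runs
   one of the wrappers on the clean name with the swap happening in its
   window. Returns 1 if the wrapper handed out the malicious content, 0 if
   it did not, -1 on setup failure. */
int race_outcome(int use_fd_variant) {
    char dir[] = "/tmp/syswrap.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    struct swap s;
    snprintf(s.to, sizeof s.to, "%s/clean.txt", dir);    /* the name the user opens */
    snprintf(s.from, sizeof s.from, "%s/evil.com", dir); /* what the attacker swaps in */
    if (write_file(s.to, "hello, world\n") != 0 ||
        write_file(s.from, TOY_SIGNATURE "\n") != 0) return -1;

    int fd = use_fd_variant ? checked_open_by_fd(s.to, attacker_swap, &s)
                            : checked_open_by_path(s.to, attacker_swap, &s);
    int handed_out_malware = (fd >= 0) && fd_is_infected(fd);
    if (fd >= 0) close(fd);

    unlink(s.to); unlink(s.from); rmdir(dir);
    return handed_out_malware;
}

int main(void) {
    printf("check-by-path handed out malware: %d\n", race_outcome(0));
    printf("check-by-fd   handed out malware: %d\n", race_outcome(1));
    return 0;
}
```

Scanning the descriptor only closes the name race; a file another process still has open for writing can change after the scan, so a complete solution also has to track writers, which is the kind of "real solution" Alan is pointing at rather than a syscall wrapper.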


2002-10-21 18:10:39

by Miquel van Smoorenburg

Subject: Re: System call wrapping

In article <1035222121.1063.20.camel@pc177>,
Henrý Þór Baldursson <[email protected]> wrote:
>In our Windows product we have something called "Realtime protector"
>which monitors file access on Windows running machines and scans them
>before allowing access.
>
>We now want, due to customer demand, to supply our Linux users with
>similar functionality, and we've created a 2.4.x kernel module which
>wrapped the open system call by means of overwriting
>sys_call_table[__NR_open].

What is wrong with a preloaded library (by means of /etc/ld.so.preload)
that intercepts open at the library level (and calls the real open()
using RTLD_NEXT)? Just let it talk over a unix socket to your
scanner server.

Mike.

2002-10-21 18:22:15

by Karim Yaghmour

Subject: Re: System call wrapping


Miquel van Smoorenburg wrote:
> In article <1035222121.1063.20.camel@pc177>,
> Henrý Þór Baldursson <[email protected]> wrote:
> >In our Windows product we have something called "Realtime protector"
> >which monitors file access on Windows running machines and scans them
> >before allowing access.
> >
> >We now want, due to customer demand, to supply our Linux users with
> >similar functionality, and we've created a 2.4.x kernel module which
> >wrapped the open system call by means of overwriting
> >sys_call_table[__NR_open].
>
> What is wrong with a preloaded library (by means of /etc/ld.so.preload)
> that intercepts open at the library level (and calls the real open()
> using RTLD_NEXT)? Just let it talk over a unix socket to your
> scanner server.

Jacques Gelinas already has something that does precisely that:
http://www.solucorp.qc.ca/virtualfs/

I don't know if it's still being updated, but the ideas are all there.

Karim

===================================================
Karim Yaghmour
[email protected]
Embedded and Real-Time Linux Expert
===================================================

2002-10-21 20:09:03

by Rik van Riel

Subject: Re: System call wrapping

On 21 Oct 2002, Henrý Þór Baldursson wrote:

> Apparently, this is something you kernel hackers don't approve of, since
> you've recently removed EXPORT_SYMBOL(sys_call_table) from
> kernel/ksyms.c - so my question is whether there is some other preferred
> method for accomplishing this without forcing the user to patch and
> compile a new kernel. Is there some API for wrapping system calls which
> I am unaware of, or are there plans to provide one?

Maybe you could use the Linux Security Module hooks for
open() and exec() to pass a request to your virus scan
software ?

Note that this kernel module needs to be GPL, due to the
fact that it's a derived work of the kernel itself. This
only applies to the kernel module that asks the virus
scanner to check the files for viruses, not necessarily
the virus scanner itself.

Rik
--
Bravely reimplemented by the knights who say "NIH".
http://www.surriel.com/ http://distro.conectiva.com/
Current spamtrap: [email protected]

2002-10-21 20:27:09

by Lucio Maciel

Subject: Re: System call wrapping

On Mon, 2002-10-21 at 17:14, Rik van Riel wrote:
>
> Maybe you could use the Linux Security Module hooks for
> open() and exec() to pass a request to your virus scan
> software ?
>
> Note that this kernel module needs to be GPL, due to the
> fact that it's a derived work of the kernel itself. This
> only applies to the kernel module that asks the virus
> scanner to check the files for viruses, not necessarily
> the virus scanner itself.
>
> Rik
> --
Hello...

Where can I find some information or documentation about this?

thanks
--
::: Lucio F. Maciel
::: [email protected]
::: icq 93065464
::: Absoluta.net

2002-10-22 00:55:52

by jw schultz

Subject: Re: System call wrapping

On Mon, Oct 21, 2002 at 06:14:48PM -0200, Rik van Riel wrote:
> Maybe you could use the Linux Security Module hooks for
> open() and exec() to pass a request to your virus scan
> software ?
>
> Note that this kernel module needs to be GPL, due to the
> fact that it's a derived work of the kernel itself. This
> only applies to the kernel module that asks the virus
> scanner to check the files for viruses, not necessarily
> the virus scanner itself.

Even _if_ Rik is overstating this (I'm inclined to agree
with him), you will have an issue with kernel tainting.

If you don't make your module GPL compatible then your users
will have to look to you for kernel support. And you can
argue with nvidia about which of you supports the shared
customers. Or you can tell your customers you don't support
them if they use any other modules that are on the same
license terms as your own.

I enjoy the idea that installing a virus scanner will TAINT
the kernel.

--
________________________________________________________________
J.W. Schultz Pegasystems Technologies
email address: [email protected]

Remember Cernan and Schmitt

2002-10-22 05:14:16

by Greg KH

Subject: Re: System call wrapping

On Mon, Oct 21, 2002 at 05:33:14PM -0300, Lucio Maciel wrote:
> On Mon, 2002-10-21 at 17:14, Rik van Riel wrote:
> >
> > Maybe you could use the Linux Security Module hooks for
> > open() and exec() to pass a request to your virus scan
> > software ?
> >
> > Note that this kernel module needs to be GPL, due to the
> > fact that it's a derived work of the kernel itself. This
> > only applies to the kernel module that asks the virus
> > scanner to check the files for viruses, not necessarily
> > the virus scanner itself.
> >
> > Rik
> > --
> Hello...
>
> Where can i find some information or documentation about this ????

lsm.immunix.org, or look in the Documentation/DocBook/lsm.* file

greg k-h

2002-10-22 13:56:36

by Rogier Wolff

Subject: Re: System call wrapping

On Mon, Oct 21, 2002 at 06:16:10PM +0000, Miquel van Smoorenburg wrote:
> What is wrong with a preloaded library (by means of /etc/ld.so.preload)
> that intercepts open at the library level (and calls the real open()
> using RTLD_NEXT)? Just let it talk over a unix socket to your
> scanner server.

Because you want to intercept ALL "open" system calls, not just those
of "friendly" users who agree to set LD_PRELOAD.

Roger.

--
** [email protected] ** http://www.BitWizard.nl/ ** +31-15-2600998 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* The Worlds Ecosystem is a stable system. Stable systems may experience *
* excursions from the stable situation. We are currently in such an *
* excursion: The stable situation does not include humans. ***************
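
Miquel's preload interposer and Rogier's objection to it, in one added example that is not part of the thread and not FRISK's or Jacques Gelinas' code. The interposer defines open(), finds libc's open() with dlsym(RTLD_NEXT, ...), and asks a scanner over an AF_UNIX socket before letting the call through; built as a shared object and listed in /etc/ld.so.preload it would sit under every dynamically linked program. The scanner here is a forked child on a socketpair with a constructed name-based "signature" (paths containing "eicar" are denied); a real one would connect to a daemon and scan content. The last function is the hole Rogier points at: a direct system call never enters the library at all, and neither does a statically linked binary or a set-uid program for which the loader ignores LD_PRELOAD. Written for Linux/glibc; the #undef at the top is needed because fortified builds declare open() inline.

```c
#undef _FORTIFY_SOURCE       /* glibc's fortified inline open() would clash with ours */
#define _GNU_SOURCE          /* RTLD_NEXT */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static int (*real_open)(const char *, int, ...);
static int scanner_fd = -1;      /* our end of the AF_UNIX socket to the scanner */
static pid_t scanner_pid = -1;
static int intercepted;          /* open() calls that went through the wrapper */

/* Toy scanner process: one request (NUL-terminated path) -> one verdict byte,
   'A' allow or 'D' deny. Constructed rule: any path containing "eicar" is
   denied. A real product would scan the file's content here. */
static void scanner_loop(int fd) {
    char path[4096];
    for (;;) {
        ssize_t n = read(fd, path, sizeof path - 1);
        if (n <= 0) _exit(0);                  /* client went away */
        path[n] = '\0';
        char verdict = strstr(path, "eicar") ? 'D' : 'A';
        if (write(fd, &verdict, 1) != 1) _exit(0);
    }
}

static void stop_scanner(void) {
    if (scanner_fd >= 0) close(scanner_fd);
    if (scanner_pid > 0) waitpid(scanner_pid, NULL, 0);
}

/* Lazily fork the scanner on a socketpair. In a deployment the library would
   connect() to a filesystem socket owned by a long-running daemon instead. */
static void ensure_scanner(void) {
    int sv[2];
    if (scanner_fd >= 0) return;
    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) != 0) return;
    scanner_pid = fork();
    if (scanner_pid == 0) { close(sv[0]); scanner_loop(sv[1]); }
    close(sv[1]);
    if (scanner_pid < 0) { close(sv[0]); return; }
    scanner_fd = sv[0];
    atexit(stop_scanner);
}

/* Anything other than an explicit 'A' is a deny: if the scanner is down or
   misbehaving we fail closed rather than silently let the open through. */
static int scanner_allows(const char *path) {
    char verdict = 'D';
    size_t len = strlen(path) + 1;             /* send the NUL too */
    ensure_scanner();
    if (scanner_fd < 0) return 0;
    if (write(scanner_fd, path, len) != (ssize_t)len) return 0;
    if (read(scanner_fd, &verdict, 1) != 1) return 0;
    return verdict == 'A';
}

/* The interposer: every open() in this program (or, preloaded, in every
   dynamically linked program) lands here; libc's open() is one hop down. */
int open(const char *path, int flags, ...) {
    int mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    if (!real_open) real_open = (int (*)(const char *, int, ...))dlsym(RTLD_NEXT, "open");
    if (!path) return real_open(path, flags, mode);   /* let libc report EFAULT */
    intercepted++;
    if (!scanner_allows(path)) { errno = EACCES; return -1; }
    return real_open(path, flags, mode);
}

/* Rogier's objection: a direct system call never touches the wrapper. */
int open_bypassing_wrapper(const char *path, int flags) {
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, 0);
}

/* 1 = opened, 0 = denied by the wrapper, -1 = some other error. */
int try_open(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return 1; }
    return errno == EACCES ? 0 : -1;
}
int try_open_bypassing(const char *path) {
    int fd = open_bypassing_wrapper(path, O_RDONLY);
    if (fd >= 0) { close(fd); return 1; }
    return 0;
}
int intercepted_count(void) { return intercepted; }

int main(void) {
    printf("open(/dev/null)=%d open(/tmp/eicar.com)=%d\n", try_open("/dev/null"), try_open("/tmp/eicar.com"));
    printf("bypass open(/dev/null)=%d intercepted=%d\n", try_open_bypassing("/dev/null"), intercepted_count());
    return 0;
}
```

Run it and the counter stays at two after the bypass: the scanner never hears about the third open. That is the whole difference between a library-level hook, which only covers cooperating processes, and something the kernel enforces.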