Date: Wed, 7 May 2003 12:00:55 -0400 (EDT)
From: "Richard B. Johnson" <root@chaos.analogic.com>
Reply-To: root@chaos.analogic.com
To: petter wahlman <petter@bluezone.no>
cc: Linux kernel <linux-kernel@vger.kernel.org>
Subject: Re: The disappearing sys_call_table export.
In-Reply-To: <1052321673.3727.737.camel@badeip>
Message-ID: <Pine.LNX.4.53.0305071147510.12652@chaos>
References: <1052321673.3727.737.camel@badeip>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1265
Lines: 34

On Wed, 7 May 2003, petter wahlman wrote:

>
> It seems like nobody belives that there are any technically valid
> reasons for hooking system calls, but how should e.g anti virus
> on-access scanners intercept syscalls?
> Preloading libraries, ptracing init, patching g/libc, etc. are
  ^^^^^^^^^^^^^^^^^^^
                    |________  Is the way to go. That's how
you communicate every system-call to a user-mode daemon that
does whatever you want it to do, including phoning the National
Security Administrator if that's the policy.

> obviously not the way to go.
>

Oviously wrong.

Also, there are existing system calls that are not in use.
You can modify your copy of a kernel for whatever you want.
Example system calls that simply return -ENOSYS are
break, stty, gtty, prof, acct, lock, and mpx. That should
be enough entry-points to muck with.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.20 on an i686 machine (797.90 BogoMips).
Why is the government concerned about the lunatic fringe? Think about it.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/