Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S264107AbTEGRyx (ORCPT ); Wed, 7 May 2003 13:54:53 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S264108AbTEGRyw (ORCPT ); Wed, 7 May 2003 13:54:52 -0400 Received: from s-smtp-osl-01.bluecom.no ([62.101.193.35]:7907 "EHLO s-smtp-osl-01.bluecom.no") by vger.kernel.org with ESMTP id S264107AbTEGRyv (ORCPT ); Wed, 7 May 2003 13:54:51 -0400 Subject: Re: The disappearing sys_call_table export. From: petter wahlman To: root@chaos.analogic.com Cc: Linux kernel In-Reply-To: References: <1052321673.3727.737.camel@badeip> <1052323711.3739.750.camel@badeip> Content-Type: text/plain Organization: Message-Id: <1052330844.3739.840.camel@badeip> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.2 Date: 07 May 2003 20:07:25 +0200 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1585 Lines: 47 On Wed, 2003-05-07 at 18:59, Richard B. Johnson wrote: > On Wed, 7 May 2003, petter wahlman wrote: > > > On Wed, 2003-05-07 at 18:00, Richard B. Johnson wrote: > > > On Wed, 7 May 2003, petter wahlman wrote: > > > > > > > > > > > It seems like nobody belives that there are any technically valid > > > > reasons for hooking system calls, but how should e.g anti virus > > > > on-access scanners intercept syscalls? > > > > Preloading libraries, ptracing init, patching g/libc, etc. are > > > ^^^^^^^^^^^^^^^^^^^ > > > |________ Is the way to go. That's how > > > you communicate every system-call to a user-mode daemon that > > > does whatever you want it to do, including phoning the National > > > Security Administrator if that's the policy. > > > > > > > obviously not the way to go. > > > > > > > > > > Oviously wrong. > > > > > > And how would you force the virus to preload this library? > > > > -p. > > > > The same way you would force a virus to not be statically linked. > You make sure that only programs that interface with the kernel > thorugh your hooks can run on that particular system. > Can you please elaborate. How would you implement the access control without modifying the respective syscalls or the system_call(), and would you'r solution be possible to implement run time? Regards, -p. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/