* System call wrapping
@ 2002-10-21 17:42 Henrý Þór Baldursson
From: Henrý Þór Baldursson @ 2002-10-21 17:42 UTC (permalink / raw)
To: Linux Kernel Mailing List
Dear sirs,
I work for FRISK Software International. We are an Antivirus company.
Our product is the F-Prot Antivirus scanner.
We have started to port our application to the Linux platform in an
effort to provide system administrators with means to scan the content
they supply their workstations with via Linux servers.
In our Windows product we have something called "Realtime protector"
which monitors file access on Windows running machines and scans them
before allowing access.
We now want, due to customer demand, to supply our Linux users with
similar functionality, and we've created a 2.4.x kernel module which
wrapped the open system call by means of overwriting
sys_call_table[__NR_open]. We did realize that this is a bad idea if a
user loads another module doing the same, and then unloads in the wrong
order. And also that this is not a very pretty method. But it worked.
Apparently, this is something you kernel hackers don't approve of, since
you've recently removed EXPORT_SYMBOL(sys_call_table) from
kernel/ksyms.c - so my question is whether there is some other preferred
method for accomplishing this without forcing the user to patch and
compile a new kernel. Is there some API for wrapping system calls which
I am unaware of, or are there plans to provide one?
Best regards,
Henrý Þór Baldursson, Linux Developer
FRISK Software International
http://www.f-prot.com
http://aves.f-prot.com
* Re: System call wrapping
From: Alan Cox @ 2002-10-21 18:12 UTC (permalink / raw)
To: Henrý Þór Baldursson; +Cc: Linux Kernel Mailing List
On Mon, 2002-10-21 at 18:42, Henrý Þór Baldursson wrote:
> In our Windows product we have something called "Realtime protector"
> which monitors file access on Windows running machines and scans them
> before allowing access.
So what you want to do is get notification of new file creations?
> sys_call_table[__NR_open]. We did realize that this is a bad idea if a
> user loads another module doing the same, and then unloads in the wrong
> order. And also that this is not a very pretty method. But it worked.
It's also useless because I can switch paths around under your analyser
and fool you into missing things. Wrappers don't work; it's also why snare
is so limited in value for example.
There are interfaces for monitoring directories for new file creations -
using things like dnotify from user space. They may be sufficient, but
if not the right question is "how do we make a real solution work" not
how do we hack half working tricks into syscall entry points.
> compile a new kernel. Is there some API for wrapping system calls which
> I am unaware of, or are there plans to provide one?
In general there isn't, nor should there need to be.
* Re: System call wrapping
From: Miquel van Smoorenburg @ 2002-10-21 18:16 UTC (permalink / raw)
To: linux-kernel
In article <1035222121.1063.20.camel@pc177>,
Henrý Þór Baldursson <henry@f-prot.com> wrote:
>In our Windows product we have something called "Realtime protector"
>which monitors file access on Windows running machines and scans them
>before allowing access.
>
>We now want, due to customer demand, to supply our Linux users with
>similar functionality, and we've created a 2.4.x kernel module which
>wrapped the open system call by means of overwriting
>sys_call_table[__NR_open].
What is wrong with a preloaded library (by means of /etc/ld.so.preload)
that intercepts open at the library level (and calls the real open()
using RTLD_NEXT)? Just let it talk over a unix socket to your
scanner server.
Mike.
* Re: System call wrapping
From: Karim Yaghmour @ 2002-10-21 18:33 UTC (permalink / raw)
To: Miquel van Smoorenburg; +Cc: linux-kernel, Jacques Gelinas
Miquel van Smoorenburg wrote:
> In article <1035222121.1063.20.camel@pc177>,
> Henrý Þór Baldursson <henry@f-prot.com> wrote:
> >In our Windows product we have something called "Realtime protector"
> >which monitors file access on Windows running machines and scans them
> >before allowing access.
> >
> >We now want, due to customer demand, to supply our Linux users with
> >similar functionality, and we've created a 2.4.x kernel module which
> >wrapped the open system call by means of overwriting
> >sys_call_table[__NR_open].
>
> What is wrong with a preloaded library (by means of /etc/ld.so.preload)
> that intercepts open at the library level (and calls the real open()
> using RTLD_NEXT)? Just let it talk over a unix socket to your
> scanner server.
Jacques Gelinas already has something that does precisely that:
http://www.solucorp.qc.ca/virtualfs/
I don't know if it's still being updated, but the ideas are all there.
Karim
===================================================
Karim Yaghmour
karim@opersys.com
Embedded and Real-Time Linux Expert
===================================================
* Re: System call wrapping
From: Rik van Riel @ 2002-10-21 20:14 UTC (permalink / raw)
To: Henrý Þór Baldursson; +Cc: Linux Kernel Mailing List
On 21 Oct 2002, Henrý Þór Baldursson wrote:
> Apparently, this is something you kernel hackers don't approve of, since
> you've recently removed EXPORT_SYMBOL(sys_call_table) from
> kernel/ksyms.c - so my question is whether there is some other preferred
> method for accomplishing this without forcing the user to patch and
> compile a new kernel. Is there some API for wrapping system calls which
> I am unaware of, or are there plans to provide one?
Maybe you could use the Linux Security Module hooks for
open() and exec() to pass a request to your virus scan
software?
Note that this kernel module needs to be GPL, due to the
fact that it's a derived work of the kernel itself. This
only applies to the kernel module that asks the virus
scanner to check the files for viruses, not necessarily
the virus scanner itself.
Rik
--
Bravely reimplemented by the knights who say "NIH".
http://www.surriel.com/ http://distro.conectiva.com/
Current spamtrap: october@surriel.com
* Re: System call wrapping
From: Lucio Maciel @ 2002-10-21 20:33 UTC (permalink / raw)
To: Rik van Riel; +Cc: LKML
On Mon, 2002-10-21 at 17:14, Rik van Riel wrote:
>
> Maybe you could use the Linux Security Module hooks for
> open() and exec() to pass a request to your virus scan
> software ?
>
> Note that this kernel module needs to be GPL, due to the
> fact that it's a derived work of the kernel itself. This
> only applies to the kernel module that asks the virus
> scanner to check the files for viruses, not necessarily
> the virus scanner itself.
>
> Rik
> --
Hello...
Where can I find some information or documentation about this?
thanks
--
::: Lucio F. Maciel
::: abslucio@terra.com.br
::: icq 93065464
::: Absoluta.net
* Re: System call wrapping
From: jw schultz @ 2002-10-22 1:01 UTC (permalink / raw)
To: Linux Kernel Mailing List
On Mon, Oct 21, 2002 at 06:14:48PM -0200, Rik van Riel wrote:
> Maybe you could use the Linux Security Module hooks for
> open() and exec() to pass a request to your virus scan
> software ?
>
> Note that this kernel module needs to be GPL, due to the
> fact that it's a derived work of the kernel itself. This
> only applies to the kernel module that asks the virus
> scanner to check the files for viruses, not necessarily
> the virus scanner itself.
Even _if_ Rik is overstating this (I'm inclined to agree
with him), you will have an issue with kernel tainting.
If you don't make your module GPL compatible then your users
will have to look to you for kernel support. And you can
argue with nvidia about which of you supports the shared
customers. Or you can tell your customers you don't support
them if they use any other modules that are on the same
license terms as your own.
I enjoy the idea that installing a virus scanner will TAINT
the kernel.
--
________________________________________________________________
J.W. Schultz Pegasystems Technologies
email address: jw@pegasys.ws
Remember Cernan and Schmitt
* Re: System call wrapping
From: Greg KH @ 2002-10-22 5:19 UTC (permalink / raw)
To: Lucio Maciel; +Cc: Rik van Riel, LKML
On Mon, Oct 21, 2002 at 05:33:14PM -0300, Lucio Maciel wrote:
> On Mon, 2002-10-21 at 17:14, Rik van Riel wrote:
> >
> > Maybe you could use the Linux Security Module hooks for
> > open() and exec() to pass a request to your virus scan
> > software ?
> >
> > Note that this kernel module needs to be GPL, due to the
> > fact that it's a derived work of the kernel itself. This
> > only applies to the kernel module that asks the virus
> > scanner to check the files for viruses, not necessarily
> > the virus scanner itself.
> >
> > Rik
> > --
> Hello...
>
> Where can I find some information or documentation about this?
lsm.immunix.org, or look in the Documentation/DocBook/lsm.* file
greg k-h
* Re: System call wrapping
From: Rogier Wolff @ 2002-10-22 14:02 UTC (permalink / raw)
To: Miquel van Smoorenburg; +Cc: linux-kernel
On Mon, Oct 21, 2002 at 06:16:10PM +0000, Miquel van Smoorenburg wrote:
> What is wrong with a preloaded library (by means of /etc/ld.so.preload)
> that intercepts open at the library level (and calls the real open()
> using RTLD_NEXT)? Just let it talk over a unix socket to your
> scanner server.
Because you want to intercept ALL "open" system calls, not just those
of "friendly" users who agree to set LD_PRELOAD.
Roger.
--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* The Worlds Ecosystem is a stable system. Stable systems may experience *
* excursions from the stable situation. We are currently in such an *
* excursion: The stable situation does not include humans. ***************
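The library-level interposer Mike proposes, with the coverage gap Roger points out, as an added example (not FRISK's code, nor anything from the thread): an `open()` hook that resolves libc's real `open` with `RTLD_NEXT` and refuses the open when the scanner says no. The scanner round trip is a stub, and the skip list and the ".blocked-test" verdict rule are constructed for illustration.

```c
/* scanhook.c: interposes open(2) from a library listed in /etc/ld.so.preload.
 * Build: gcc -shared -fPIC -o libscanhook.so scanhook.c -ldl
 * The scanner round trip is a stub; policy and verdict rules are constructed. */
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE             /* keep glibc from inlining open() around us */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>

typedef int (*open_fn)(const char *, int, ...);

/* Which opens are worth scanning: readable files on a regular filesystem.
 * Pseudo-filesystems are skipped; a write-only open has no content yet. */
int needs_scan(const char *path, int flags)
{
    if (path == NULL || (flags & O_ACCMODE) == O_WRONLY)
        return 0;
    if (strncmp(path, "/proc/", 6) == 0 || strncmp(path, "/sys/", 5) == 0 ||
        strncmp(path, "/dev/", 5) == 0)
        return 0;
    return 1;
}

/* Stand-in for the scanner daemon: 0 means clean, -1 means block the open.
 * Constructed rule: a name ending in ".blocked-test" counts as infected. */
int scanner_verdict(const char *path)
{
    const char *suffix = ".blocked-test";
    size_t n = strlen(path), s = strlen(suffix);
    return (n >= s && strcmp(path + n - s, suffix) == 0) ? -1 : 0;
}

/* Interposed open(): gate on the verdict, then forward to libc's own open,
 * found with RTLD_NEXT so the real implementation still runs. */
int open(const char *path, int flags, ...)
{
    static open_fn real_open;
    mode_t mode = 0;
    if (flags & (O_CREAT | O_TMPFILE)) {   /* mode is only passed with these */
        va_list ap; va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int); va_end(ap);
    }
    if (needs_scan(path, flags) && scanner_verdict(path) != 0) {
        errno = EACCES;               /* deny rather than hand back a descriptor */
        return -1;
    }
    if (real_open == NULL)
        real_open = (open_fn)dlsym(RTLD_NEXT, "open");
    return real_open(path, flags, mode);
}
```

This only sees processes that honour the preload: statically linked binaries and programs that issue the syscall directly bypass it, and glibc's own internal callers (fopen, for instance) typically bind to hidden aliases rather than this symbol, so openat/open64 and friends would need hooks of their own as well.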