Re: intercepting syscalls

[Igor Shmukler <igor.shmukler@gmail.com>]

Rik, (and everyone),

Everything is IMHO only.

It all boils down to whether:
1. it is hard to correctly implement such LKM so that it can be safely
loaded and unloaded and when these modules are combined they may not
work together until there is an interoperability workshop (like the
one networking folks do).
2. it's not possible to do this right, hence no point to allow this in
a first place.

I am not a Linux expert by a long-shot, but on many other Unices it's
being done and works. I am only asking because I am involved with a
Linux port.

I think if consensus is on choice one, then hiding the table is a
mistake. We should not just close  abusable interfaces. Rootkits do
not need these, and if someone makes poor software we do not have to
install it.

Intercepting system call table is an elegant way to solve many
problems. Any driver software has to be developed by expert
programmers and can cause all the problems imaginable if it was not
down right.

Again, it's all IMHO. Nobody has to agree.

Igor

On 4/18/05, Rik van Riel <riel@redhat.com> wrote:
> On Fri, 15 Apr 2005, Igor Shmukler wrote:
> 
> > Thank you very much. I will check this out.
> > A thanks to everyone else who contributed. I would still love to know
> > why this is a bad idea.
> 
> Because there is no safe way in which you could have multiple
> of these modules loaded simultaneously - say one security
> module and AFS.  There is an SMP race during the installing
> of the hooks, and the modules can still wreak havoc if they
> get unloaded in the wrong order...
> 
> There just isn't a good way to hook into the syscall table.
> 
> --
> "Debugging is twice as hard as writing the code in the first place.
> Therefore, if you write the code as cleverly as possible, you are,
> by definition, not smart enough to debug it." - Brian W. Kernighan
>