Re: Hooking into Linux using the Linux Trace Toolkit

From: Chris Wright (chrisat_private)
Date: Mon Apr 16 2001 - 17:55:22 PDT

Karim Yaghmour (karymat_private) wrote:
> Greg KH wrote:
<snip>
> >
> > Although everyplace LTT hooks, is probably a good place for us to also
> > hook :)
>
> Exactly what I'm saying. Everything is there to be used. As it stands
> now and using the existing hooks, it should be fairly straightforward
> to implement very advanced security mechanisms. Any additions, such
> as reactions to return values, would be fairly easy to add.

I am intrigued by the possibility of reusing anything that LTT has done.
I looked at your patch, and found mixed results.  In some places the
hooks are exactly where I'd expect them.  In other spots (like open,
or socket) the hooks are too late.  They are effectively recording that
these events just happened...this is the wrong spot for a security
module hook, IMHO.  Also, the hooks appear often right in the function
implementing a syscall.  I think compelling arguments can be made for
moving the hooks deeper into the code path (e.g. deeper into the VFS
layer).  Generically the argument would be...the code path will discover
things that we need to know to make a security decision.  If the hook is
too soon, we have to reimplement this in the module...making it slow.
While it is tempting to place the hooks as soon as possible, I think it
may make more sense to place them as late as possible when the kernel
will have collected the most information about the action underway.
It seems to me this will make the module interface richest.
Examples:
- On open we may care about the absolute path which isn't known at
first.  It is the namei code that tries to sort out the ../.. stuff and
get a dentry.
- On a tcp/ip socket send...it is late (in the ip layer) that you actually
get the outgoing device which seems like useful security info.

I do like how you've abstracted the interface.  (especially since it has
a similar object view to my view ;-).  I'm still trying to figure out
how we can borrow some of your work, I think it is good stuff.

-chris

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
    
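The open() example in the message above, worked through in user space as an added illustration (this is not code from the thread, from LTT or from the LSM project). Two hook placements are sketched: an "early" hook at syscall entry that only sees the raw pathname and cwd and therefore has to collapse the `.` and `..` segments itself, and a "late" hook that is simply handed the path the lookup code already resolved. The policy (deny anything under `/etc/secret`), the paths, and the function names are all constructed for the example. The lexical normaliser is deliberately the only thing the early hook can do: it cannot see symlinks or mount points, which is exactly the information the kernel's namei has by the time a late hook would run.

```c
/* Added example: why a hook at syscall entry has less to work with than a
 * hook placed after name lookup.  All names, paths and policy are constructed;
 * nothing here is LTT or LSM code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define PATH_MAX_LEN 256

/* Constructed policy: nothing under this directory may be opened. */
static const char *PROTECTED_DIR = "/etc/secret";

/* Lexically collapse "." and ".." segments of a path relative to cwd.
 * This is the work an early hook would have to duplicate, and which the
 * kernel's lookup redoes anyway.  It is purely textual: symlinks and mount
 * points are invisible here because they are only discovered by the real
 * lookup.  Returns false if the input or result does not fit. */
bool normalize_path(const char *cwd, const char *path, char *out, size_t outlen)
{
    char buf[PATH_MAX_LEN];
    char *segs[PATH_MAX_LEN / 2];
    size_t nsegs = 0;
    int n;

    if (path[0] == '/')
        n = snprintf(buf, sizeof buf, "%s", path);
    else
        n = snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof buf)
        return false;                     /* refuse oversize input */

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (nsegs > 0)
                nsegs--;                  /* ".." at the root stays at the root */
            continue;
        }
        segs[nsegs++] = tok;
    }

    if (nsegs == 0) {
        if (outlen < 2)
            return false;
        strcpy(out, "/");
        return true;
    }

    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < nsegs; i++) {
        n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return false;
        used += (size_t)n;
    }
    return true;
}

/* True if path is PROTECTED_DIR itself or lies beneath it. */
bool under_protected_dir(const char *path)
{
    size_t n = strlen(PROTECTED_DIR);
    return strncmp(path, PROTECTED_DIR, n) == 0 &&
           (path[n] == '\0' || path[n] == '/');
}

/* Early hook: sits at sys_open entry and sees only what user space passed.
 * It must normalise the string itself before it can apply any policy. */
bool early_hook_allows(const char *cwd, const char *user_path)
{
    char norm[PATH_MAX_LEN];
    if (!normalize_path(cwd, user_path, norm, sizeof norm))
        return false;                     /* fail closed on bad input */
    return !under_protected_dir(norm);
}

/* Late hook: sits after name lookup and is handed the resolved path.
 * No string surgery in the module; it only applies policy. */
bool late_hook_allows(const char *resolved_path)
{
    return !under_protected_dir(resolved_path);
}

int main(void)
{
    const char *cwd = "/home/alice";
    const char *req = "../../etc/./secret/key";   /* constructed request */
    char norm[PATH_MAX_LEN];

    if (normalize_path(cwd, req, norm, sizeof norm))
        printf("early hook normalised %s to %s\n", req, norm);
    printf("early hook: %s\n", early_hook_allows(cwd, req) ? "allow" : "deny");
    printf("late hook:  %s\n", late_hook_allows("/etc/secret/key") ? "allow" : "deny");
    return 0;
}
```

Both hooks reach the same verdict for a plain `..` walk, but the early one got there by re-implementing part of name lookup in the module, which is the "making it slow" cost in the message, and it would still be blind to anything the textual walk cannot see. The late hook gets the kernel's answer for free.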

This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 18:00:53 PDT