On Thu, Oct 20, 2005 at 06:22:33PM -0700, Crispin Cowan wrote:
> Ratnadeep Joshi wrote:
> > LSM has hooks for almost every system call.
> > In file read and write calls, the hooks are for permission checking.
> > The actual data that is read/written is not passed to these hooks. Is
> > there any specific reason for this?
> Likely a combination of "it would degrade performance" and "no one
> needed it".

In addition, the amount of buffering you would have to perform to detect ten one-byte write()s of forbidden content versus one ten-byte write() of the same forbidden content would be non-trivial at best. Now consider pwrite(). Determining _when_ a stream of singly-written bytes should be stopped is going to be a difficult decision to make.

And, writes to files via mmap() aren't subject to any syscalls, so your mediation would probably be incomplete even if you perform in-kernel buffering to catch the stream of unpredictable write()/pwrite() calls.

You may want to investigate using inotify or a similar mechanism to be alerted when files are modified, and then go scraping through the files to detect forbidden content. (No, I don't know how or if inotify is updated when writes are performed to a file via mmap().)
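An added illustration of the three points made in the reply above (split write()s, out-of-order pwrite(), and mmap() stores that never pass through a syscall). This is example code written for this archive page; it is not code from the original message, from the LSM project, or from the Linux kernel. It runs in user space and simulates what a content filter sitting on the write()/pwrite() hooks would see, first inspecting only the bytes of each call and then keeping a shadow copy of the file and rescanning after every call, which is the buffering cost the reply describes. The last function uses a real mmap() on a temporary file to show the bytes reaching the file with no write() at all. The FORBIDDEN pattern, the shadow-buffer design, the function names and the /tmp path are assumptions made for this example.

```c
/* Example code written for this page, not from the original message or the
 * LSM project. Simulates a write()/pwrite() content filter and shows the
 * mmap() bypass. Names, the FORBIDDEN pattern and the shadow-buffer design
 * are assumptions made for the example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkstemp(), pread(), ftruncate() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>

#define FORBIDDEN "secret"     /* the content the hypothetical filter must block */
#define FILE_MAX  64           /* size of the in-memory shadow of the file */

/* Plain substring scan over a byte range (no memmem(), to stay portable). */
static int contains(const char *buf, size_t len, const char *pat)
{
    size_t n = strlen(pat);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, pat, n) == 0)
            return 1;
    return 0;
}

/* Strategy 1: inspect only the bytes handed to this single call. */
static int naive_check(const char *buf, size_t len)
{
    return contains(buf, len, FORBIDDEN);
}

/* Strategy 2: keep a shadow of the file, apply each call at its offset, and
 * rescan a window wide enough to catch a pattern straddling the new bytes.
 * This is the per-file buffering an in-kernel filter would have to carry. */
typedef struct { char data[FILE_MAX]; size_t size; off_t pos; } shadow_t;

static int shadow_pwrite(shadow_t *s, const char *buf, size_t len, off_t off)
{
    size_t n = strlen(FORBIDDEN), start = (size_t)off;
    if (start + len > FILE_MAX)
        return -1;                              /* keep the toy bounded */
    memcpy(s->data + start, buf, len);
    if (start + len > s->size)
        s->size = start + len;
    size_t lo = start > n ? start - n : 0;      /* pattern may begin before off */
    size_t hi = start + len + n;                /* or end after off + len */
    if (hi > s->size)
        hi = s->size;
    return contains(s->data + lo, hi - lo, FORBIDDEN);
}

static int shadow_write(shadow_t *s, const char *buf, size_t len)
{
    int hit = shadow_pwrite(s, buf, len, s->pos);   /* write() uses the file position */
    if (hit >= 0)
        s->pos += (off_t)len;
    return hit;
}

/* Case 1: ten one-byte write() calls carrying "my secret!" (constructed input). */
static const char SPLIT_PAYLOAD[] = "my secret!";

int split_write_naive_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < strlen(SPLIT_PAYLOAD); i++)
        hits += naive_check(SPLIT_PAYLOAD + i, 1);
    return hits;                                /* no single byte matches */
}

int split_write_shadow_first_hit(void)          /* 1-based call that gets flagged */
{
    shadow_t s = {{0}, 0, 0};
    for (size_t i = 0; i < strlen(SPLIT_PAYLOAD); i++)
        if (shadow_write(&s, SPLIT_PAYLOAD + i, 1) > 0)
            return (int)i + 1;
    return 0;
}

/* Case 2: pwrite() lands the pieces out of order (constructed input). */
typedef struct { const char *buf; off_t off; } chunk_t;
static const chunk_t OUT_OF_ORDER[] = { { "ret!", 6 }, { "my ", 0 }, { "sec", 3 } };
#define N_CHUNKS (sizeof OUT_OF_ORDER / sizeof OUT_OF_ORDER[0])

int pwrite_naive_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < N_CHUNKS; i++)
        hits += naive_check(OUT_OF_ORDER[i].buf, strlen(OUT_OF_ORDER[i].buf));
    return hits;
}

int pwrite_shadow_first_hit(void)
{
    shadow_t s = {{0}, 0, 0};
    for (size_t i = 0; i < N_CHUNKS; i++) {
        const chunk_t *c = &OUT_OF_ORDER[i];
        if (shadow_pwrite(&s, c->buf, strlen(c->buf), c->off) > 0)
            return (int)i + 1;                  /* only once the last gap fills */
    }
    return 0;
}

/* Case 3: the bytes reach the file through the page cache. No write() or
 * pwrite() is issued, so a syscall-level hook has nothing to inspect.
 * Returns 1 if read() afterwards sees FORBIDDEN in the file, -1 on error. */
int mmap_write_demo(void)
{
    char path[] = "/tmp/lsm-mmap-XXXXXX";     /* assumed writable location */
    size_t len = strlen(FORBIDDEN);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    char *map = MAP_FAILED;
    if (ftruncate(fd, (off_t)len) == 0)
        map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }
    memcpy(map, FORBIDDEN, len);                /* the "write" is a plain store */
    msync(map, len, MS_SYNC);
    munmap(map, len);
    char back[FILE_MAX] = {0};
    ssize_t got = pread(fd, back, sizeof back - 1, 0);
    close(fd);
    unlink(path);
    return got > 0 && contains(back, (size_t)got, FORBIDDEN);
}

int main(void)
{
    printf("split write(): naive hits %d, shadow flags call %d\n",
           split_write_naive_hits(), split_write_shadow_first_hit());
    printf("pwrite():      naive hits %d, shadow flags call %d\n",
           pwrite_naive_hits(), pwrite_shadow_first_hit());
    printf("mmap() store reached the file with no write(): %d\n", mmap_write_demo());
    return 0;
}
```

Build with `cc -o lsm-demo lsm-demo.c` and run it. The per-call check never fires in either of the first two cases, while the shadow copy flags the split write() on its ninth call and the pwrite() sequence only on the third call, after the last gap is filled; note that the shadow has to hold the whole file, per file, for as long as the writer keeps it open. On the open question at the end of the message: inotify(7) states that the API does not report accesses and modifications made through mmap(2), msync(2) and munmap(2), so an inotify-driven scanner would have the same blind spot as the syscall hooks for the third case.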
This archive was generated by hypermail 2.1.3 : Fri Oct 21 2005 - 10:14:53 PDT