This patch adds support for the "init module" event, important for use with F-Secure software. It can be applied with: $ patch -p0 < patch_fsecure_init_event.diff
Index: configure
===================================================================
RCS file: /cvsroot/dazuko/dazuko/configure,v
retrieving revision 1.100
diff -u -r1.100 configure
--- configure 3 Oct 2006 22:49:11 -0000 1.100
+++ configure 29 Nov 2006 19:54:40 -0000
@@ -64,6 +64,7 @@
 echo " --enable-event-unlink capture ON_UNLINK events"
 echo " --enable-event-rmdir capture ON_RMDIR events"
 echo " --enable-event-close-modified capture ON_CLOSE_MODIFIED events"
+ echo " --enable-event-init-module capture ON_INIT_MODULE events (Linux only)"
 echo " --disable-trusted disable support for trusted applications"
 echo " --disable-stacking disable LSM stacking (Linux 2.6 only)"
 echo " --disable-rsbac disable RSBAC support (Linux only)"
@@ -765,6 +766,11 @@
 echo "EXTRA_CFLAGS += -DON_RMDIR_SUPPORT" >> Makefile
 fi
+ if [ ${ON_INIT_MODULE} -eq 1 ]
+ then
+ echo "EXTRA_CFLAGS += -DON_INIT_MODULE_SUPPORT" >> Makefile
+ fi
+
 if [ ${TRUSTED} -eq 1 ]
 then
 echo "EXTRA_CFLAGS += -DTRUSTED_APPLICATION_SUPPORT" >> Makefile
@@ -941,6 +947,11 @@
 echo "KFLAGS += -DON_RMDIR_SUPPORT" >> Makefile
 fi
+ if [ ${ON_INIT_MODULE} -eq 1 ]
+ then
+ echo "KFLAGS += -DON_INIT_MODULE_SUPPORT" >> Makefile
+ fi
+
 if [ ${ON_CLOSE_MODIFIED} -eq 1 ]
 then
 echo "KFLAGS += -DON_CLOSE_MODIFIED_SUPPORT" >> Makefile
@@ -1240,6 +1251,11 @@
 echo -n " ON_RMDIR"
 fi
+ if [ ${ON_INIT_MODULE} -eq 1 ]
+ then
+ echo -n " ON_INIT_MODULE"
+ fi
+
 if [ ${ON_CLOSE_MODIFIED} -eq 1 ]
 then
 echo -n " ON_CLOSE_MODIFIED"
@@ -1359,6 +1375,7 @@
 ON_UNLINK=0
 ON_RMDIR=0
 ON_CLOSE_MODIFIED=0
+ON_INIT_MODULE=0
 COMPAT1=1
 TRUSTED=1
 DEVFS=0
@@ -1425,6 +1442,12 @@
 --enable-event-rmdir)
 ON_RMDIR=1
 ;;
+ --disable-event-init-module)
+ ON_INIT_MODULE=0
+ ;;
+ --enable-event-init-module)
+ ON_INIT_MODULE=1
+ ;;
 --enable-event-close-modified)
 ON_CLOSE_MODIFIED=1
 ;;
Index: dazuko_core.c
===================================================================
RCS file: /cvsroot/dazuko/dazuko/dazuko_core.c,v
retrieving revision 1.56
diff -u -r1.56 dazuko_core.c
--- dazuko_core.c 14 Nov 2006 16:47:13 -0000 1.56
+++ dazuko_core.c 29 Nov 2006 19:54:45 -0000
@@ -55,7 +55,7 @@
 #define NUM_SLOT_LISTS 5
 #define NUM_SLOTS 25
-#define NUM_EVENTS 7
+#define NUM_EVENTS 8
 #define AMC_UNSET 255
@@ -331,6 +331,8 @@
 return 5;
 case DAZUKO_TRUST_REQUEST:
 return 6;
+ case DAZUKO_ON_INIT_MODULE:
+ return 7;
 }
 return -1;
@@ -354,6 +356,8 @@
 return DAZUKO_ON_RMDIR;
 case 6:
 return DAZUKO_TRUST_REQUEST;
+ case 7:
+ return DAZUKO_ON_INIT_MODULE;
 }
 return 0;
@@ -1977,8 +1981,11 @@
 if (sl == skip_slotlist)
 continue;
+ if (event != DAZUKO_ON_INIT_MODULE)
+ {
 if (!dazuko_should_scan(dfs, sl))
 continue;
+ }
 error = dazuko_run_daemon_on_slotlist(event, dfs->filename, dfs->filename_length, event_p, &(dfs->file_p), rc, sl);
Index: dazuko_events.h
===================================================================
RCS file: /cvsroot/dazuko/dazuko/dazuko_events.h,v
retrieving revision 1.6
diff -u -r1.6 dazuko_events.h
--- dazuko_events.h 30 May 2005 17:06:37 -0000 1.6
+++ dazuko_events.h 29 Nov 2006 19:54:45 -0000
@@ -43,6 +43,7 @@
 #define DAZUKO_ON_UNLINK 16
 #define DAZUKO_ON_RMDIR 32
 #define DAZUKO_TRUST_REQUEST 64
+#define DAZUKO_ON_INIT_MODULE 128
 /* trusted flags */
 #define DAZUKO_TRUST_CHILDREN 1
Index: dazuko_linux.c
===================================================================
RCS file: /cvsroot/dazuko/dazuko/dazuko_linux.c,v
retrieving revision 1.86
diff -u -r1.86 dazuko_linux.c
--- dazuko_linux.c 15 Nov 2006 11:20:36 -0000 1.86
+++ dazuko_linux.c 29 Nov 2006 19:54:50 -0000
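Review bot: With `dazuko_should_scan` skipped for DAZUKO_ON_INIT_MODULE, `dazuko_run_daemon_on_slotlist` is now reached with whatever `dfs->filename` the caller supplies, and the Linux hook added by this same patch never fills it in (it only sets `user_filename = NULL`), so the call must tolerate a NULL filename with length 0; its body is not visible here, so please confirm it does not dereference the filename unconditionally. A one-line comment on the new branch would spare the next reader the same question, e.g. `/* init_module carries no filename, so the should_scan filter does not apply */`. The enclosing slot-list loop starts and ends outside the hunk.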
@@ -173,6 +173,16 @@
 #endif
 #endif
+#if defined(ON_INIT_MODULE_SUPPORT)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+ static asmlinkage long (*original_sys_init_module)(void __user *umod, unsigned long len, const char __user *uargs);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+ static asmlinkage long (*original_sys_init_module)(const char *name_user, struct module *mod_user);
+#else
+#warning "init_module syscall hook not supported on this kernel version"
+#endif
+#endif
+
 static struct file_operations fops = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
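Review bot: The `#else` branch only emits a `#warning`, yet with ON_INIT_MODULE_SUPPORT defined the hook is still registered by `DAZUKO_HOOK(init_module)` and `DAZUKO_UNHOOK(init_module)` in the two later hunks of this file, which are guarded by `#ifdef ON_INIT_MODULE_SUPPORT` alone, while neither `original_sys_init_module` nor `linux_dazuko_sys_init_module` exists in that configuration. On such a kernel the build presumably fails at the hook macro instead of cleanly disabling the feature. Either make the warning an `#error "init_module syscall hook not supported on this kernel version"`, or wrap both `DAZUKO_HOOK(init_module)` and `DAZUKO_UNHOOK(init_module)` in the same `LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)` check used for the function definition. Whether any supported kernel actually reaches the `#else` branch is not visible from the patch.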
@@ -1998,6 +2008,76 @@
 }
 #endif
+#ifdef ON_INIT_MODULE_SUPPORT
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+asmlinkage long linux_dazuko_sys_init_module(void __user *umod, unsigned long len, const char __user *uargs)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+asmlinkage long linux_dazuko_sys_init_module(const char *name_user, struct module *mod_user)
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+{
+ struct dazuko_file_struct *dfs = NULL;
+ int error = 0;
+ int check_error = 0;
+ struct event_properties event_p;
+ struct xp_daemon_id xp_id;
+
+ xp_id.pid = current->pid;
+ xp_id.file = NULL;
+ xp_id.current_p = current;
+ xp_id.files = dazuko_get_files_struct(current);
+
+ check_error = dazuko_check_access(DAZUKO_ON_INIT_MODULE, 0, &xp_id, NULL);
+
+ if (xp_id.files != NULL)
+ dazuko_put_files_struct(xp_id.files);
+
+ if (!check_error)
+ {
+ dazuko_bzero(&event_p, sizeof(event_p));
+ event_p.pid = current->pid;
+ event_p.set_pid = 1;
+ event_p.uid = current->uid;
+ event_p.set_uid = 1;
+
+ dfs = (struct dazuko_file_struct *)xp_malloc(sizeof(struct dazuko_file_struct));
+ if (dfs != NULL)
+ {
+ dazuko_bzero(dfs, sizeof(struct dazuko_file_struct));
+
+ dfs->extra_data = (struct xp_file_struct *)xp_malloc(sizeof(struct xp_file_struct));
+ if (dfs->extra_data != NULL)
+ {
+ dazuko_bzero(dfs->extra_data, sizeof(struct xp_file_struct));
+
+ dfs->extra_data->user_filename = NULL;
+
+ error = dazuko_process_access(DAZUKO_ON_INIT_MODULE, dfs, &event_p, NULL);
+
+ dazuko_file_struct_cleanup(&dfs);
+ }
+ else
+ {
+ xp_free(dfs);
+ dfs = NULL;
+ }
+ }
+ }
+
+ if (error)
+ {
+ return -EPERM;
+ }
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
+ error = original_sys_init_module(umod, len, uargs);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2,4,0)
+ error = original_sys_init_module(name_user, mod_user);
+#endif
+ return error;
+}
+#endif /* KERNEL_VERSION >= 2.4.0 */
+#endif /* ON_INIT_MODULE_SUPPORT */
 /* system hook */
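Review bot: The hook fails open on allocation failure: when either `xp_malloc` returns NULL, `error` stays 0 and the module load proceeds without the daemon ever seeing the DAZUKO_ON_INIT_MODULE event, which for a hook whose purpose is to observe module loading is a gap that should be a deliberate choice rather than a side effect of the nesting. If no load is meant to bypass the daemon, set `error` to a non-zero value (e.g. `error = -ENOMEM;`) in both `xp_malloc` failure branches so the existing `if (error) return -EPERM;` path covers them; if best-effort is intended, state it in a header comment on the function. Separately, the `long` result of `original_sys_init_module()` is stored in `int error` and then returned through an `asmlinkage long` signature; a dedicated `long ret` for the pass-through avoids the narrowing and the reuse of `error` for two different meanings. The header comment should also say that a non-zero `check_error` from `dazuko_check_access` lets the call through unchanged, since that branch is otherwise silent.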
@@ -2210,6 +2290,10 @@
 DAZUKO_HOOK(rmdir);
 #endif
+#ifdef ON_INIT_MODULE_SUPPORT
+ DAZUKO_HOOK(init_module);
+#endif
+
 #ifdef SYSCALL_TABLE_READONLY
 /* protect the syscall table */
 change_page_attr(virt_to_page(sys_call_table), 1, PAGE_KERNEL_RO);
@@ -2280,6 +2364,10 @@
 DAZUKO_UNHOOK(rmdir);
 #endif
+#ifdef ON_INIT_MODULE_SUPPORT
+ DAZUKO_UNHOOK(init_module);
+#endif
+
 #ifdef SYSCALL_TABLE_READONLY
 /* protect the syscall table */
 change_page_attr(virt_to_page(sys_call_table), 1, PAGE_KERNEL_RO);
Index: example_c/example.c
===================================================================
RCS file: /cvsroot/dazuko/dazuko/example_c/example.c,v
retrieving revision 1.5
diff -u -r1.5 example.c
--- example_c/example.c 15 Jun 2005 19:54:17 -0000 1.5
+++ example_c/example.c 29 Nov 2006 19:54:50 -0000
@@ -93,6 +93,9 @@
 case DAZUKO_ON_RMDIR:
 printf("RMDIR ");
 break;
+ case DAZUKO_ON_INIT_MODULE:
+ printf("INIT_MODULE ");
+ break;
 default:
 printf("???? event:%d ", acc->event);
 break;
@@ -173,7 +176,7 @@
 signal(SIGINT, sigterm);
 /* set access mask */
- if (dazukoSetAccessMask(DAZUKO_ON_OPEN | DAZUKO_ON_CLOSE | DAZUKO_ON_CLOSE_MODIFIED | DAZUKO_ON_EXEC | DAZUKO_ON_UNLINK | DAZUKO_ON_RMDIR) != 0)
+ if (dazukoSetAccessMask(DAZUKO_ON_OPEN | DAZUKO_ON_CLOSE | DAZUKO_ON_CLOSE_MODIFIED | DAZUKO_ON_EXEC | DAZUKO_ON_UNLINK | DAZUKO_ON_RMDIR | DAZUKO_ON_INIT_MODULE) != 0)
 {
 printf("error: failed to set access mask\n");
 dazukoUnregister();