| 1 |
On Mon, 2003-09-22 at 19:44, Paul de Vrieze wrote: |
| 2 |
|
| 3 |
> If there were some way that we can have overlay filesystems supported by the |
| 4 |
> kernel ( readonly mount root, and over that mount a freshly created dir that |
| 5 |
> will be used for all writes instead of the original. For reads though the |
| 6 |
> original filesystem is visible (as long as there is no file with the same |
| 7 |
> name in the writable part)) then it would be quite easy with chroot to |
| 8 |
> "track" changes. I'm not a kernel coder, and I have no idea whether such code |
| 9 |
> allready exists. It should be not too complex either. And also provide some |
| 10 |
> of the "extra security" that was asked by an earlier thread this month. It |
| 11 |
> should also be more foolproof than the sandbox, but relies on the kernel. |
| 12 |
> |
| 13 |
|
| 14 |
I have thought about using an kernel module multiple times (there are |
| 15 |
actually one or two of those apps that tracks installs that use such |
| 16 |
an module ... or tried to develop one back than). Problem is though |
| 17 |
that you will either limit the user to what kernel he use, or might |
| 18 |
run into issues with having to update it all the time to not break on |
| 19 |
new kernels or way different trees like -aa, etc. Do not know how |
| 20 |
much these hold anymore though. |
| 21 |
|
| 22 |
The bigger issue, is that late 2.5 and now 2.6 kernels do not allow |
| 23 |
you to replace system calls (something needed for a module like this). |
| 24 |
This will then either force us to not use this for 2.6, or hack the |
| 25 |
kernel, which will really limit the user. On another note - I do not |
| 26 |
know if the new API and hooks added for the security modules might |
| 27 |
enable us to have the same end result as hooking system calls with |
| 28 |
our own would have done ... |
| 29 |
|
| 30 |
|
| 31 |
Regards, |
| 32 |
|
| 33 |
-- |
| 34 |
|
| 35 |
Martin Schlemmer |
| 36 |
Gentoo Linux Developer, Desktop/System Team Developer |
| 37 |
Cape Town, South Africa |
Archives