LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Critical Linux security API is still a kludge (Inquirer)

Critical Linux security API is still a kludge (Inquirer)

Posted Oct 23, 2006 13:59 UTC (Mon) by madscientist (subscriber, #16861)
Parent article: Critical Linux security API is still a kludge (Inquirer)

Silly. I guess all those products that ship out-of-the-tree kernel loadable modules must be impossible to use, right? All the video card drivers, vertical applications like ClearCase, etc.?

The reality is you DON'T need to build your own kernel from source: every distro today has a package containing the kernel headers/makefiles for the kernels they ship. You just install those packages, then it's a simple matter for the Dazuko makefiles to build their modules against it.

Looking at the Dazuko FAQ, it seems to me that they just decided to avoid having to deal with these issues by telling everyone to compile their own kernel, rather than explain how to use packages. I suppose they figure that once you've built your own kernel you'll be knowledgeable enough to not need to ask any more questions. The problem is not that the Dazuko code isn't in the kernel proper. The problem is that the Dazuko project needs some help with documentation and installation procedures.

I don't understand what the Inquirer article is complaining about. As far as I can see, the Dazuko devs haven't even submitted the patch for inclusion yet! This is not a case of kernel devs snubbing a useful module, it's a case where the author of the module says it's not yet ready to be submitted. Is the point of the article that the Dazuko devs should work faster? Or...?

(Log in to post comments)

Critical Linux security API is still a kludge (Inquirer)

Posted Oct 23, 2006 14:17 UTC (Mon) by mattdm (guest, #18) [Link]

The author seems to believe that distro vendors should put it in their kernels, regardless of its upstream status.

Critical Linux security API is still a kludge (Inquirer)

Posted Oct 24, 2006 3:07 UTC (Tue) by ringerc (subscriber, #3071) [Link]

It needs to intercept and modify the behaviour of system calls. That is not supported (by design) in the module interface - the kernel *must* be modified. There's a dirty hack that does it from modules anyway, but it's not a great idea and frowned upon.

Why the syscall table isn't available from modules seems to be largely a politicial issue. My impression is that the kernel devs don't want large extensions of the kernel that insert lots of hooks to be possible as modules - perhaps because of the whole closed-source module issue?

Anyway, I'd be surprised if they didn't need to patch the kernel to get their syscall hooks in place.

Critical Linux security API is still a kludge (Inquirer)

Posted Oct 24, 2006 12:00 UTC (Tue) by madscientist (subscriber, #16861) [Link]

> Anyway, I'd be surprised if they didn't need to patch the kernel to get
> their syscall hooks in place.

I didn't try to build it but I read the install instructions before I posted. As far as I can tell they do NOT patch the kernel. They're just building an out-of-the-tree kernel loadable module, nothing more.

Of course, I could have missed something.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds