Critical Linux security API is still a kludge (Inquirer)
Critical Linux security API is still a kludge (Inquirer)
Posted Oct 23, 2006 13:59 UTC (Mon) by madscientist (subscriber, #16861)Parent article: Critical Linux security API is still a kludge (Inquirer)
Silly. I guess all those products that ship out-of-the-tree kernel loadable modules must be impossible to use, right? All the video card drivers, vertical applications like ClearCase, etc.?
The reality is you DON'T need to build your own kernel from source: every distro today has a package containing the kernel headers/makefiles for the kernels they ship. You just install those packages, then it's a simple matter for the Dazuko makefiles to build their modules against it.
Looking at the Dazuko FAQ, it seems to me that they just decided to avoid having to deal with these issues by telling everyone to compile their own kernel, rather than explain how to use packages. I suppose they figure that once you've built your own kernel you'll be knowledgeable enough to not need to ask any more questions. The problem is not that the Dazuko code isn't in the kernel proper. The problem is that the Dazuko project needs some help with documentation and installation procedures.
I don't understand what the Inquirer article is complaining about. As far as I can see, the Dazuko devs haven't even submitted the patch for inclusion yet! This is not a case of kernel devs snubbing a useful module, it's a case where the author of the module says it's not yet ready to be submitted. Is the point of the article that the Dazuko devs should work faster? Or...?
Posted Oct 23, 2006 14:17 UTC (Mon)
by mattdm (subscriber, #18)
[Link]
Posted Oct 24, 2006 3:07 UTC (Tue)
by ringerc (subscriber, #3071)
[Link] (1 responses)
Why the syscall table isn't available from modules seems to be largely a politicial issue. My impression is that the kernel devs don't want large extensions of the kernel that insert lots of hooks to be possible as modules - perhaps because of the whole closed-source module issue?
Anyway, I'd be surprised if they didn't need to patch the kernel to get their syscall hooks in place.
Posted Oct 24, 2006 12:00 UTC (Tue)
by madscientist (subscriber, #16861)
[Link]
I didn't try to build it but I read the install instructions before I posted. As far as I can tell they do NOT patch the kernel. They're just building an out-of-the-tree kernel loadable module, nothing more.
Of course, I could have missed something.
The author seems to believe that distro vendors should put it in their kernels, regardless of its upstream status.Critical Linux security API is still a kludge (Inquirer)
It needs to intercept and modify the behaviour of system calls. That is not supported (by design) in the module interface - the kernel *must* be modified. There's a dirty hack that does it from modules anyway, but it's not a great idea and frowned upon.Critical Linux security API is still a kludge (Inquirer)
> Anyway, I'd be surprised if they didn't need to patch the kernel to getCritical Linux security API is still a kludge (Inquirer)
> their syscall hooks in place.