| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4992ABF1.3080007@redhat.com> Date: Wed, 11 Feb 2009 11:44:01 +0100 From: Harald Hoyer <harald@...hat.com> To: linux-kernel@...r.kernel.org Cc: power@...host.org Subject: Re: [PATCH] tracer for sys_open() - sreadahead Karel Zak wrote: > On Mon, Feb 09, 2009 at 02:23:35PM +0100, Harald Hoyer wrote: >> Karel Zak wrote: >>> On Thu, Feb 05, 2009 at 03:44:42PM +0100, Harald Hoyer wrote: >>>> Ingo Molnar wrote: >>>>> * Pavel Machek <pavel@...e.cz> wrote: >>>>> >>>>>> On Tue 2009-01-27 12:08:04, Kok, Auke wrote: >>>>>>> This tracer monitors regular file open() syscalls. This is a fast >>>>>>> and low-overhead alternative to strace, and does not allow or >>>>>>> require to be attached to every process. >>>>>>> >>>>>>> The tracer only logs succesfull calls, as those are the only ones we >>>>>>> are currently interested in, and we can determine the absolute path >>>>>>> of these files as we log. >>>>>> Maybe fanotify() should be used instead? >>>>>> >>>>>> Or maybe just plain strace? One slow boot should not really hurt... >>>>> ptrace is out of question for good tracing because it's not a >>>>> transparent probe. (ptrace monopolizes the traced task - if we use >>>>> that then we break regular strace usage.) >>>>> >>>>> Ingo >>>> Can strace can be used on init? >>>> >>>> $ man strace >>>> ... >>>> On Linux, exciting as it would be, tracing the init process is forbidden. >>>> ... >>>> >>>> Any hope getting _any_ mechanism in the kernel?? >>> Do you remember Linux Auditing System? That's RH's baby with hooks to >>> all relevant syscalls. It would be better to fix/improve the current >>> kernel mechanisms that introduce a new one. >> Yes, I do remember it, because this is how the current fedora readahead >> gathers its data. It delays the audit daemon, because there is no clean >> way to hook into the stream. I asked to add a second "channel" (auditd >> wants the kernel socket for its own)... > > yes, it'd be nice to support arbitrary number of connections and > rules per connection. (.. or export audit stuff to userspace by a > special pseudo filesystem (see cgroups, debugfs, ...)). > > Karel > right! if only someone would implement that *hint, hint* :-/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists