Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?

dazuko-help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?

From:	Bill Lutton
Subject:	Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?
Date:	Fri, 11 Apr 2008 10:15:19 -0600

Thanks for your reply.  I should have been more forthcoming in my question.

Initially I tried configuring/building/loading Dazuko like this:
   ./configure --enable-syscalls --mapfile=/boot/System.map-2.6.18-el5
   make clean; make
   /sbin/insmod ./dasuko.ko
At this point the system "hung".

Having noticed the "Important Note:" in the first attempt I then tried:
   ./configure --enable-syscalls --mapfile=/boot/System.map-2.6.18-el5 
--sct-readonly
   make clean; make
   /sbin/insmod ./dasuko.ko
At this point the system "hung".

I am using Dazuko-2.3.4.
I am running a stock install of RHEL5 x86_64 from their ISOs (2.6.18-8.el5)
uname -a:  Linux RHEL564 2.6.18.8-el5 #1 SMP <date> x86_64 x86_64 x86_64 
GNU/Linux
Note:  got same results with the stock RHEL5.1 x86_64 ISOs (2.6.18-53.el5).
I am running it in a VMWare 6.0.2 VM on Windows XP SP2 on a Core2Duo CPU.

I've scanned the archives going back about a year and didn't notice my situation addressed specifically, however I did take note ofthis: http://savannah.nongnu.org/support/?105824 which didn't sound hopeful.


In summary, I am hoping to learn:
- Is there a set of config options that will allow Dazuko to do syscall hooking 
on RHEL5 x86_
64?
- Should I be using a different version of Dazuko?
- Would it be helpful to provide logs of the config/build output?

- I don't know how to get console output of the fault running in VMWare but would be happy to try to get it if it would help (and ifsomeone could provide a pointer to how to set this up).


Thanks again in advance,
Bill L.

PS
Note: the 32bit variants of RHEL5 seem to work OK.

Further investigation (looking at the pte bits) shows that the kernel pages in question are not write protected on 32 bit RHEL5 butare write protected on 64bit RHEL5. Further, it seems that the remedy, change_page_attr (or its descendants), is where the fault isoccuring for me.

----- Original Message -----From: John Ogness

To: address@hidden
Cc: Bill Lutton
Sent: Friday, April 11, 2008 12:08 AM
Subject: Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?


On 2008-04-11, Bill Lutton <address@hidden> wrote:

Is there a combination of config options that will allow Dazuko to
do syscall hooking on RHEL5 x86_64?


The "--enable-syscalls" option will hook the 64-bit system call
table. Dazuko does not support hooking the 32-bit system call table
with a 64-bit kernel.

If your kernel supports 32-bit applications, the 32-bit applications
will not trigger file events in Dazuko.

This might be acceptable for you if, for example, you are only
interested in monitoring Samba shares. As long as the Samba software
is 64-bit, all file events via Samba will be detected by Dazuko.

Dazuko-based applications (such as anti-virus applications) can be
32-bit and will work correctly.

John Ogness

--
Dazuko Maintainer


_______________________________________________
Dazuko-help mailing list
address@hidden

http://lists.nongnu.org/mailman/listinfo/dazuko-help

[Prev in Thread]

Current Thread

[Next in Thread]

[Dazuko-help] RHEL5 x86_64 and syscall hooking?, Bill Lutton, 2008/04/11
- Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?, John Ogness, 2008/04/11
  - Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?, Bill Lutton <=
    - Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?, John Ogness, 2008/04/12

Prev by Date: Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?
Next by Date: Re: [Dazuko-help] Fedora 8 and Dazuko Still not working
Previous by thread: Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?
Next by thread: Re: [Dazuko-help] RHEL5 x86_64 and syscall hooking?
Index(es):
- Date
- Thread