Re: FileSystem Filter Driver

Re: FileSystem Filter Driver

[Antonio Vargas]

On Wed, Apr 23, 2003 at 12:28:33PM +0200, Nir Livni wrote:
> Hi all,
> I am looking for information about writing a FileSystem Filter Driver on RH.
> Any documentation or source code samples whould be appreciated.
> 
> Please make sure you CC' me on any answer for this post, because I am not
> registered (yet ?)
> 
> Thanks,
> Nir

The reference implementation for a filesystem is ext2fs, which
you can have a look at in fs/ext2 on a unpacked kernel tree.
Have also a look at fs/ramfs which is a bit simpler but does
not deal with block devices.

Also have a look at the linux-kernel and linux-fsdevel mailing list
archives.

Greets, Antonio.

Re: FileSystem Filter Driver

[Abhishek Agrawal]

On Wed, 2003-04-23 at 15:58, Nir Livni wrote:
> Hi all,
> I am looking for information about writing a FileSystem Filter Driver on RH.
> Any documentation or source code samples whould be appreciated.
>

What's a FileSystem Filter Driver?

FileSystem Filter Driver

[Nir Livni]

Hi all,
I am looking for information about writing a FileSystem Filter Driver on RH.
Any documentation or source code samples whould be appreciated.

Please make sure you CC' me on any answer for this post, because I am not
registered (yet ?)

Thanks,
Nir

Re: FileSystem Filter Driver

[Michael Knigge]

Hi,

> What's a FileSystem Filter Driver?

This is a driver that intercepts calls to the filesystem - for example 
for monitoring or to do additional access checks. Such a filter driver 
can then pass the call down to the filesystem or just cancel the call 
and (for example) return "access denied".


Under Windows a pretty well-known filter driver is FileMon at 
www.sysinternals.com. Thex also have a Linux version but (ahhh) 
without Source (the source for the Windows-Version is available). The 
Linux-Version can be found at 
http://www.sysinternals.com/linux/utilities/filemon.shtml

I guess what they are doing is similar to the way strace works - but 
I'm not sure. Hmmm, let us strace this thing ;-))))


Here are two Links that might help to implement such a thing under 
Linux (the most interesting is DaZuKo):

http://www.dazuko.org/
http://oss.sgi.com/projects/fam/



Bye
  Michael

Re: FileSystem Filter Driver

[Rogier Wolff]

On Wed, Apr 23, 2003 at 12:28:33PM +0200, Nir Livni wrote:
> Hi all,
> I am looking for information about writing a FileSystem Filter Driver on RH.
> Any documentation or source code samples whould be appreciated.

Check out one of the latest Linux Journals. I think they just
published an article about this!

			Roger. 

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
* The Worlds Ecosystem is a stable system. Stable systems may experience *
* excursions from the stable situation. We are currently in such an      * 
* excursion: The stable situation does not include humans. ***************

Re: FileSystem Filter Driver

[Abhishek Agrawal]

On Wed, 2003-04-23 at 17:17, Michael Knigge wrote:


> Under Windows a pretty well-known filter driver is FileMon at
> www.sysinternals.com. Thex also have a Linux version but (ahhh)
> without Source (the source for the Windows-Version is available). The
> Linux-Version can be found at
> http://www.sysinternals.com/linux/utilities/filemon.shtml
>
> I guess what they are doing is similar to the way strace works - but
> I'm not sure. Hmmm, let us strace this thing ;-))))
>
Filemon look like it will not work with kernel 2.5 up.
>From the link...
"it replaces entries in the system call table with pointers to its own
hook functions."

Re: FileSystem Filter Driver

[Nir Livni]

> On Wed, Apr 23, 2003 at 12:28:33PM +0200, Nir Livni wrote:
> > Hi all,
> > I am looking for information about writing a FileSystem Filter Driver on
RH.
> > Any documentation or source code samples whould be appreciated.
> >
> > Please make sure you CC' me on any answer for this post, because I am
not
> > registered (yet ?)
> >
> > Thanks,
> > Nir
>
> The reference implementation for a filesystem is ext2fs, which
> you can have a look at in fs/ext2 on a unpacked kernel tree.
> Have also a look at fs/ramfs which is a bit simpler but does
> not deal with block devices.
>

My goal is to write a driver that runs above the filesystem driver, and
filters calls to this driver.
Actually, it should pass all calls to the filesystem driver, except very few
that it should fail for "Access Denied". Are there any simple examples for
that matter ?

Thanks,
Nir

> Also have a look at the linux-kernel and linux-fsdevel mailing list
> archives.
>
> Greets, Antonio.
>

Re: FileSystem Filter Driver

[Muli Ben-Yehuda]

[-- Attachment #1: Type: text/plain, Size: 700 bytes --]

On Wed, Apr 23, 2003 at 02:20:38PM +0200, Nir Livni wrote:

> My goal is to write a driver that runs above the filesystem driver, and
> filters calls to this driver.
> Actually, it should pass all calls to the filesystem driver, except very few
> that it should fail for "Access Denied". Are there any simple examples for
> that matter ?

A. Sounds like it could be implemented using the LSM (linux security
modules) framework, assuming the appropriate hooks are in place. 

B. The May 2003 Linux Journal issue has an article on "Writing
Stackable Filesystems" by Erez Zadok, which might fit your needs
better.

Hope this helps, 
Muli. 
-- 
Muli Ben-Yehuda
http://www.mulix.org


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: FileSystem Filter Driver

[Nir Livni]

> On Wed, 2003-04-23 at 15:58, Nir Livni wrote:
> > Hi all,
> > I am looking for information about writing a FileSystem Filter Driver on
RH.
> > Any documentation or source code samples whould be appreciated.
> >
>
> What's a FileSystem Filter Driver?
>
A FileSystem Filter Driver, is a driver the is located above the file system
driver, and filters calls. It may pass the call to the filesystem as is,
maybe change it, or fail it ("access denied" for example).
It is actually something that exists on Windows file systems, but I'm sure
it can also be done on Linux.

Re: FileSystem Filter Driver

[William Stearns]

Good day, Nir, Rogier,

On Wed, 23 Apr 2003, Rogier Wolff wrote:

> On Wed, Apr 23, 2003 at 12:28:33PM +0200, Nir Livni wrote:
> > I am looking for information about writing a FileSystem Filter Driver on RH.
> > Any documentation or source code samples whould be appreciated.
> 
> Check out one of the latest Linux Journals. I think they just
> published an article about this!

	The May 2003 issue did include an article from Erez Zadok on the 
topic of the FiST project (File System Translator), which is exactly what 
you're looking for.
	The project homepage is at 
http://www1.cs.columbia.edu/~ezk/research/fist/ .  There are links there 
to the language specification (see his phd dissertation), downloadable 
code, sample filesystems, and a mailing list.
	Cheers,
	- Bill

---------------------------------------------------------------------------
	"Never underestimate the bandwidth of a station wagon full of
tapes."
	-- Dr. Warren Jackson, Director, UTCS
(Courtesy of Clem Yonkers <cyonkers@intervis.com>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------

Re: FileSystem Filter Driver

[Leonard Milcin, Jr]

Michael Knigge wrote:
> Hi,
> 
> 
>>What's a FileSystem Filter Driver?
> 
> 
> This is a driver that intercepts calls to the filesystem - for example 
> for monitoring or to do additional access checks. Such a filter driver 
> can then pass the call down to the filesystem or just cancel the call 
> and (for example) return "access denied".

Nice. I wonder if there is some open-source project with aim in building
audit tool based on that idea. It will be very nice to have one, and I 
think it will be very interesting, especially for corporate users. I 
will search for information about this, and if I find nothing, maybe 
this is a good moment to start that project? The aim will be building 
kernel driver + user-space tool to provide 1) ultimate filesystem audit 
tool, 2) user space access control manager. This will help linux to 
conquer with proprietary products.

What you're thinking about it?



Leonard,

Re: FileSystem Filter Driver

[joe briggs]

I once wrote a Windows 95/98 VXD that used the Microsoft mechanism - 
frequently called a 'hooker'.  In that case, you took a VXD template and made 
a system call that 'hooked' onto either a device or a filename.  In windows, 
each file I/O action generated an event.  You could listen for the event and 
then check to see if it was for your file or device, and if so, choose to 
selectively service (i.e, do the right thing), or pass it on to the normal 
driver, or a combination of both.  While at the time I thought "wow, what a 
cool way wreak havoc", it was the only way at the time to get around some 
other MS multimedia limitations.   If someone wants it, I'll be glad to dig 
it out.

On Wednesday 23 April 2003 08:11 am, Abhishek Agrawal wrote:
> On Wed, 2003-04-23 at 17:17, Michael Knigge wrote:
> > Under Windows a pretty well-known filter driver is FileMon at
> > www.sysinternals.com. Thex also have a Linux version but (ahhh)
> > without Source (the source for the Windows-Version is available). The
> > Linux-Version can be found at
> > http://www.sysinternals.com/linux/utilities/filemon.shtml
> >
> > I guess what they are doing is similar to the way strace works - but
> > I'm not sure. Hmmm, let us strace this thing ;-))))
>
> Filemon look like it will not work with kernel 2.5 up.
> From the link...
> "it replaces entries in the system call table with pointers to its own
> hook functions."
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

-- 
Joe Briggs
Briggs Media Systems
105 Burnsen Ave.
Manchester NH 01304 USA
TEL/FAX 603-232-3115 MOBILE 603-493-2386
www.briggsmedia.com

Re: FileSystem Filter Driver

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 1792 bytes --]

On Wed, 23 Apr 2003 17:48:17 +0200, "Leonard Milcin, Jr" <thervoy@post.pl>  said:
> Nice. I wonder if there is some open-source project with aim in building
> audit tool based on that idea. It will be very nice to have one, and I 
> think it will be very interesting, especially for corporate users. I 
> will search for information about this, and if I find nothing, maybe 
> this is a good moment to start that project? The aim will be building 
> kernel driver + user-space tool to provide 1) ultimate filesystem audit 
> tool, 2) user space access control manager. This will help linux to 
> conquer with proprietary products.

Proper kernel auditing is harder than it looks.  Check the LSM mailing list
archives for the last attempt to get auditing into the kernel - the idea
was basically dropped.

The basic problem is that there exist standards and best practices on how
auditing should be done, and doing it correctly in the Linux kernel would be
quite invasive.  For example, although LSM already provides an exit in the
open() syscall, you can't use it for auditing because not all failures reach
the exit - there are cases (failed on permissions/ACL checks, etc) where the
call is failed and returns before LSM exits are call, and the standards say
those should result in audit records.

Placing the hooks isn't easy either.  You can't hook right at the syscall
level. because you end up having to do a lot of work twice (looking up
pathnames, etc) - both wasteful and prone to race conditions.  Hooking at the
filesystem level isn't right either - if you hook ext2 and ext3, you miss any
events that happen to be on xfs or reiserfs or what have you. If you can't
think of 3 "gotchas" of doing it at the VFS level, you shouldn't be poking in
that code either.. ;)

Good Luck.. ;)

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

RE: FileSystem Filter Driver

[Nir Livni]

Thanks Muli,
Your answer has been a great help

Nir

-----Original Message-----
From: Muli Ben-Yehuda [mailto:mulix@mulix.org] 
Sent: Wednesday, April 23, 2003 3:22 PM
To: Nir Livni
Cc: linux-kernel@vger.kernel.org
Subject: Re: FileSystem Filter Driver

On Wed, Apr 23, 2003 at 02:20:38PM +0200, Nir Livni wrote:

> My goal is to write a driver that runs above the filesystem driver, 
> and filters calls to this driver. Actually, it should pass all calls 
> to the filesystem driver, except very few that it should fail for 
> "Access Denied". Are there any simple examples for that matter ?

A. Sounds like it could be implemented using the LSM (linux security
modules) framework, assuming the appropriate hooks are in place. 

B. The May 2003 Linux Journal issue has an article on "Writing Stackable
Filesystems" by Erez Zadok, which might fit your needs better.

Hope this helps, 
Muli. 
-- 
Muli Ben-Yehuda
http://www.mulix.org

Re: FileSystem Filter Driver

[Chuck Ebbert]

Valdis.Kletnieks wrote:

.> Proper kernel auditing is harder than it looks.  Check the LSM mailing list
.> archives for the last attempt to get auditing into the kernel - the idea
.> was basically dropped.
.> ...<snip>...


  In addition to all the points you covered, you also have to figure
out what to do if the log medium fills up or fails.  In a high security
environment the only thing you can do is panic the system immediately,
because (unaudited) bad things might already be happening.  You also
have to configure the system so it will not boot into multiuser
mode if the log has failed.  (And *then* you get to deal with clueless
admins who will disable that feature in their desperation to get
the system up and running, but that's not really a technical problem.)

------
 Chuck