Hook Features for Linux File System

I want to do something before writing data to the hard drive. I do not know any solutions. To avoid editing the kernel source, are there any locations where I can use the hook function as a loadable module?

UPDATE: Thanks everyone, LSM is good for API interceptors. But I want to find another solution that provides a mechanism for reading / writing data blocks. It can avoid re-encrypting the entire file after updating the file.

I think there is something that I can change between the file system (ext2, ext3, ...) and the buffer cache.

+4
4 answers

Use Linux Security Modules. These are loadable kernel modules that provide hooks for accessing various internal objects in the kernel. You can use hooks for the file system or inodes as per your requirement. A good place to start is to read Greg Kroah-Hartman's paper on LSM. Then you can visit the link, which shows, along with an example, how to use LSM hooks. The example is to notify access to the system only when you insert a specific USB port, and it is a good guide on how to start with LSM interceptors.

+2

Well, this is an interesting question.

Unfortunately, even LSM does not help here. As a possible solution, I recommend using the address_space_operations tables and hooking the writepage function. For example, see ext3_writeback_aops:

```c
static const struct address_space_operations ext3_writeback_aops = {
        .readpage               = ext3_readpage,
        .readpages              = ext3_readpages,
        .writepage              = ext3_writeback_writepage,
        .write_begin            = ext3_write_begin,
        .write_end              = ext3_writeback_write_end,
        .bmap                   = ext3_bmap,
        .invalidatepage         = ext3_invalidatepage,
        .releasepage            = ext3_releasepage,
        .direct_IO              = ext3_direct_IO,
        .migratepage            = buffer_migrate_page,
        .is_partially_uptodate  = block_is_partially_uptodate,
        .error_remove_page      = generic_error_remove_page,
};
```

So, in the case of the ext3 file system, we need to find this structure in memory and replace the writepage pointer to point to our_writepage wrapper. Also note that this table is in read-only memory and you need to handle it correctly.

EDIT:

With LSM, you can hook the inode open operation and replace inode->i_mapping->a_ops in place.

+2
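The wrapper pattern from the answer above, modelled in user space as an added example (not code from the answer or from the kernel). `struct aops_model`, `fs_writepage`, `xform` and the tiny page size are assumptions made for illustration, and the XOR transform is a placeholder rather than a real cipher. It shows that a per-page hook rewrites only the page that changed, which is what the question's update asks for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SZ 16   /* tiny page so the demo stays readable */
#define NPAGES  4

/* User-space model of struct address_space_operations (one member only). */
struct aops_model { int (*writepage)(uint64_t index, const uint8_t *page); };
static uint8_t disk[NPAGES][PAGE_SZ];  /* stands in for the block device */
static int pages_written;              /* writes that reached the "disk" */
static int (*orig_writepage)(uint64_t, const uint8_t *);  /* saved pointer */

/* Models the file system's own writepage (ext3_writeback_writepage). */
static int fs_writepage(uint64_t index, const uint8_t *page) {
    if (index >= NPAGES) return -1;
    memcpy(disk[index], page, PAGE_SZ);
    pages_written++;
    return 0;
}

/* PLACEHOLDER transform, not a real cipher. Keyed on the page index, so one
 * page can be transformed without touching any other page of the file. */
static void xform(uint64_t index, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < PAGE_SZ; i++)
        out[i] = in[i] ^ (uint8_t)(0x5A + 31 * index + 7 * i);
}

/* Wrapper: transform into a bounce buffer (the cached page stays plaintext
 * for readers), then chain to the original writepage. */
static int our_writepage(uint64_t index, const uint8_t *page) {
    uint8_t bounce[PAGE_SZ];
    xform(index, page, bounce);
    return orig_writepage(index, bounce);
}

/* Writes 4 pages through the hooked table, then rewrites page 2 only. */
static int demo(void) {
    struct aops_model aops = { .writepage = fs_writepage };
    uint8_t page[PAGE_SZ];
    orig_writepage = aops.writepage;   /* save, then swap the pointer */
    aops.writepage = our_writepage;
    pages_written = 0;
    for (uint64_t i = 0; i < NPAGES; i++) {
        memset(page, 'A' + (int)i, PAGE_SZ);
        aops.writepage(i, page);
    }
    memset(page, 'z', PAGE_SZ);
    aops.writepage(2, page);           /* update touches one page only */
    return pages_written;
}
int main(void) { printf("pages written: %d\n", demo()); return 0; }
```

In this model the table is writable; the kernel's table is `const`, which is the read-only caveat the answer raises.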

Try FUSE (https://github.com/libfuse/libfuse).

This is a file system in user space. You can write a file I/O handler in user space and simply set it as application execution.

0

I do not think that's possible. When userspace calls file I/O, the file system implementation or general implementation will be called from VFS. You will need to change these function pointers to point to your module, which encrypts your data and then calls the file system function.

I did something similar at university, but it was an old kernel, and you had to set a specific configuration flag. If I remember, this flag disappeared, since you do not want kernel modules to handle function pointers beyond their capabilities.

In any case, you can find the module here: https://motzblog.wordpress.com/2007/10/27/linux-monitoring-module/

But be careful, this was a university project, so the quality of the code is not what you would expect from Linux kernel code.

-3
