Re: [Dazuko-devel] dazukofs and /dev/dazukofs.ign

[Frantisek Hrbata]

On Fri, 20 Feb 2009 10:02:40 +0100
John Ogness <address@hidden> wrote:

> On 2009-02-19, Frantisek Hrbata <address@hidden> wrote:
> > it there any particular reason to store task_struct pointer for
> > processes which should be ignored? This requires for multi-threaded
> > application to register each thread to dazukofs.
> 
> Correct.
> 
> > I cannot figure out what is this good for. Isn't tgid enough?
> 
> You have to define "enough". The ignore feature can be implemented
> however we want. Like the old trusted feature, it is there for
> applications to allow themselves to be ignored (as well as have some
> control over _how_ they are ignored).

I just don't thing it is necessary to make a difference between threads
of one process. Basically because I think that trusted framework should
be used just for one purpose(described later).

Also I found following comment in the dazuko_linux26.c file.

 <quote>
/* Same thread id and same file descriptors,
 * looks like they could be the same process...
 * We will treat two threads of the same process
 * as the same (for relation checks). This is
 * useful for the Trusted Application Framework,
 * if we trust one thread, we can trust them all.*/
</quote>

And I agree with this.

> 
> It is possible that a multi-threaded application only wants one of its
> threads to be ignored because the other threads are doing tasks (such
> as downloading files) that should _not_ be ignored.

I am not a big fan of this trusted thing, but it is needed. And from my
point of view, it is needed just for an AV's which are doing scan in a
different process then process which is accepting events(requests) from
dazuko. This is the only situation I am considering adequate to use
trusted framework.

> > AFAIK old dazuko supports whole process(including its threads) to be
> > trusted and all you need to do is to call dazukoRegisterTrusted just
> > once for each process.  Or am I missing something?
> 
> Actually that is only partially correct. Dazuko 2.x also uses the task
> struct (individual threads) to implement the trusted feature. However,
> dazukoRegisterTrusted() also had a flag DAZUKO_TRUST_CHILDREN that
> would allow all the threads of the process and all children-processes
> to be trusted.

I am aware of this. My option was that dazuko 2.x by default allows as
trusted process and all its threads. As I can see in the source code the
tgid is always checked.

dazuko_is_our_daemon
        |
        v
call_xp_id_compare(check_related is set)
        |
        v
xp_id_compare(linux26)
        |
        v
if (id1->tgid == id2->tgid && id1->files == id2->files)

More over I cannot not see that those checks are anyhow conditioned by
the DAZUKO_TRUST_CHILDREN. But maybe I am just missing something.

> 
> The DazukoFS ignore feature does not have such an option because I
> could not find a safe method for traversing process trees. But we
> could expand the feature to allow configuring it to trust all threads
> of a process. This is technically not necessary. It would only be
> there as a convenience for developers.
> 
> John Ogness
> 

I agree. This is just a step forward to developers, but I would find it
useful. 

Now why I am interested in this. I would like to implement(just
experimental) support for dauzkofs to our avg8 on-access scanner. The
reason for this is that I would like to have some performance
comparision dazukofs vs. avflt since there is none. 

-FH