Skip to main content

Python wrapper for Sophos On-access filter

Project description

What is PyTalpa?

This is really just a dirty hack at the moment to see how
Python could be used as a file system operation interceptor
on Linux. You simply derive a class from pytalpa.talpa and
create methods for the operations you're interested in.

What is Talpa?

Talpa is part of the Sophos Anti-Virus scanner for Linux.
It is a kernel driver which intercepts (at the kernel level)
access to the file system, and allows a userland vetting
client to allow or deny the operation.

Where can I get Talpa?

Talpa is obtainable from the Sophos Anti-Virus for Linux
product. Please obtain a demo copy of the Sophos Anti-virus
product from The SAV tarball contains the
Talpa source (in talpa-srcpack.tar) which is itself GPLed,
even though the rest of the product is non-free. Once you
have the demo the GPL allows you unrestricted use of the
GPLed parts, i.e. Talpa.


These instructions apply to kernel, Slackare 11.0.
2.6.18 is not supported by Talpa at the moment. Earlier kernels
should work, but you'll need to experiment with which
modules to load. A good approach would be to see which
modules SAV (Sophos Anti-Virus) loads.

1) Unpack the talpa source pack:
cd /usr/src
tar xzf /opt/sophos-av/talpa/talpa-srcpack.tgz
cd talpa-1.1.0

2) Configure and build Talpa:

3) I had to remove the capability module from my kernel, or
I got an error loading one of the modules:
rmmod capability

4) Load the Talpa modules.
insmod talpa_linux.ko
insmod talpa_core.ko
insmod talpa_vcdevice.ko
insmod talpa_lsm.ko capabilities=1

5) Setup the exclusions to we get all the events.
echo disable >

6) Enable the interception events
echo enable > /proc/sys/talpa/interceptors/LSMInterceptor/status

7) To run the example client that comes with Talpa:
make exampleclients

8) Alternatively skip (7) and use the Python version :-):
tar xvf PyTalpa-0.1.tar.gz
cd PyTalpa-0.1
python build
cp build/*/ .

While running create a file called
SomeUniqueName.txt in another terminal. You should find that
you can create it but not append anything to it.

Have fun!


On shutdown of the vetting loop there's a segfault. I really
can't be bothered to track this one down - patches welcome!

Project details

Release history Release notifications | RSS feed

This version


Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page