What is PyTalpa?
This is really just a dirty hack at the moment to see how
Python could be used as a file system operation interceptor
on Linux. You simply derive a class from pytalpa.talpa and
create methods for the operations you're interested in.
What is Talpa?
Talpa is part of the Sophos Anti-Virus scanner for Linux.
It is a kernel driver which intercepts (at the kernel level)
access to the file system, and lets a userland vetting
client allow or deny the operation.
Where can I get Talpa?
Talpa is obtainable from the Sophos Anti-Virus for Linux
product. Please obtain a demo copy of the Sophos Anti-Virus
product from www.sophos.com. The SAV tarball contains the
Talpa source (in talpa-srcpack.tar) which is itself GPLed,
even though the rest of the product is non-free. Once you
have the demo, the GPL allows you unrestricted use of the
GPLed parts, i.e. Talpa.
These instructions apply to kernel 220.127.116.11, Slackware 11.0.
2.6.18 is not supported by Talpa at the moment. Earlier kernels
should work, but you'll need to experiment with which
modules to load. A good approach would be to see which
modules SAV (Sophos Anti-Virus) loads.
1) Unpack the talpa source pack:
tar xzf /opt/sophos-av/talpa/talpa-srcpack.tgz
2) Configure and build Talpa:
3) I had to remove the capability module from my kernel, or
I got an error loading one of the modules:
4) Load the Talpa modules.
insmod talpa_lsm.ko capabilities=1
5) Set up the exclusions so we get all the events:
echo disable >
6) Enable the interception events:
echo enable > /proc/sys/talpa/interceptors/LSMInterceptor/status
7) To run the example client that comes with Talpa:
8) Alternatively skip (7) and use the Python version :-):
tar xvf PyTalpa-0.1.tar.gz
python setup.py build
cp build/*/pytalpa.so .
While running test.py create a file called
SomeUniqueName.txt in another terminal. You should find that
you can create it but not append anything to it.
On shutdown of the vetting loop there's a segfault. I really
can't be bothered to track this one down - patches welcome!