Python wrapper for Sophos On-access filter
Project description
What is PyTalpa?
This is really just a dirty hack at the moment to see how
Python could be used as a file system operation interceptor
on Linux. You simply derive a class from pytalpa.talpa and
create methods for the operations you're interested in.
What is Talpa?
Talpa is part of the Sophos Anti-Virus scanner for Linux.
It is a kernel driver which intercepts (at the kernel level)
access to the file system, and allows a userland vetting
client to allow or deny the operation.
Where can I get Talpa?
Talpa is obtainable from the Sophos Anti-Virus for Linux
product. Please obtain a demo copy of the Sophos Anti-virus
product from www.sophos.com. The SAV tarball contains the
Talpa source (in talpa-srcpack.tar) which is itself GPLed,
even though the rest of the product is non-free. Once you
have the demo the GPL allows you unrestricted use of the
GPLed parts, i.e. Talpa.
Quickstart:
These instructions apply to kernel 2.6.17.13, Slackare 11.0.
2.6.18 is not supported by Talpa at the moment. Earlier kernels
should work, but you'll need to experiment with which
modules to load. A good approach would be to see which
modules SAV (Sophos Anti-Virus) loads.
1) Unpack the talpa source pack:
cd /usr/src
tar xzf /opt/sophos-av/talpa/talpa-srcpack.tgz
cd talpa-1.1.0
2) Configure and build Talpa:
./configure
make
3) I had to remove the capability module from my kernel, or
I got an error loading one of the modules:
rmmod capability
4) Load the Talpa modules.
insmod talpa_linux.ko
insmod talpa_core.ko
insmod talpa_vcdevice.ko
insmod talpa_lsm.ko capabilities=1
5) Setup the exclusions to we get all the events.
echo disable >
/proc/sys/talpa/intercept-filters/OperationExclusionProcessor/status
6) Enable the interception events
echo enable > /proc/sys/talpa/interceptors/LSMInterceptor/status
7) To run the example client that comes with Talpa:
make exampleclients
./clients/vc
8) Alternatively skip (7) and use the Python version :-):
tar xvf PyTalpa-0.1.tar.gz
cd PyTalpa-0.1
python setup.py build
cp build/*/pytalpa.so .
./test.py
While running test.py create a file called
SomeUniqueName.txt in another terminal. You should find that
you can create it but not append anything to it.
Have fun!
BUGS:
On shutdown of the vetting loop there's a segfault. I really
can't be bothered to track this one down - patches welcome!
This is really just a dirty hack at the moment to see how
Python could be used as a file system operation interceptor
on Linux. You simply derive a class from pytalpa.talpa and
create methods for the operations you're interested in.
What is Talpa?
Talpa is part of the Sophos Anti-Virus scanner for Linux.
It is a kernel driver which intercepts (at the kernel level)
access to the file system, and allows a userland vetting
client to allow or deny the operation.
Where can I get Talpa?
Talpa is obtainable from the Sophos Anti-Virus for Linux
product. Please obtain a demo copy of the Sophos Anti-virus
product from www.sophos.com. The SAV tarball contains the
Talpa source (in talpa-srcpack.tar) which is itself GPLed,
even though the rest of the product is non-free. Once you
have the demo the GPL allows you unrestricted use of the
GPLed parts, i.e. Talpa.
Quickstart:
These instructions apply to kernel 2.6.17.13, Slackare 11.0.
2.6.18 is not supported by Talpa at the moment. Earlier kernels
should work, but you'll need to experiment with which
modules to load. A good approach would be to see which
modules SAV (Sophos Anti-Virus) loads.
1) Unpack the talpa source pack:
cd /usr/src
tar xzf /opt/sophos-av/talpa/talpa-srcpack.tgz
cd talpa-1.1.0
2) Configure and build Talpa:
./configure
make
3) I had to remove the capability module from my kernel, or
I got an error loading one of the modules:
rmmod capability
4) Load the Talpa modules.
insmod talpa_linux.ko
insmod talpa_core.ko
insmod talpa_vcdevice.ko
insmod talpa_lsm.ko capabilities=1
5) Setup the exclusions to we get all the events.
echo disable >
/proc/sys/talpa/intercept-filters/OperationExclusionProcessor/status
6) Enable the interception events
echo enable > /proc/sys/talpa/interceptors/LSMInterceptor/status
7) To run the example client that comes with Talpa:
make exampleclients
./clients/vc
8) Alternatively skip (7) and use the Python version :-):
tar xvf PyTalpa-0.1.tar.gz
cd PyTalpa-0.1
python setup.py build
cp build/*/pytalpa.so .
./test.py
While running test.py create a file called
SomeUniqueName.txt in another terminal. You should find that
you can create it but not append anything to it.
Have fun!
BUGS:
On shutdown of the vetting loop there's a segfault. I really
can't be bothered to track this one down - patches welcome!
