hello.I'm developing a Linux kernel module (capturing filesystem I/O to process data).After completing the development and testing the compatibility of a third party, I found out that your sophos antivirus for linux(centos 6/7, ubuntu 18/20) product is using the redirfs module, and there is a problem with this module working with my kernel driver.
I tried to solve this problem in some way, but We've found that products using redirfs are completely incompatible as a result, as they can cause serious problems (panic, hang, not rebootable) if they are installed on one node at the same time.
What I'm curious about is this. Are there any plans to switch the redirfs module used by your product to some other way? Or I'm just wondering how you're dealing with these compatibility issues.
I look forward to your reply.
I'll add something missing from the question above.We are also using the redirfs module to capture Linux I/O. So I/'m talking about a conflict with the redirfs used by sophos.
Sophos Anti-Virus for Linux 9/10 use either Talpa or fanotify to intercept file operations.
Sophos Protection for Linux will use fanotify in future to intercept file operations, and various other hooking mechanisms to get Runtime detections.
As far as I'm aware we don't use redirfs.
We've had a few problems with Talpa conflicting with other system-call intercepting modules, and Talpa is written defensively to try to avoid crashing the machine.
Hello, thank you for answering my question.
I think I misunderstood. I guess I thought of your talpa_vfshook as the same module as redirfs . I was wrong about that.However, that talpa_vfshook module conflicts with mine is no different from the redirfs conflict situation. (Please understand that this is a question while testing many other products that use redirfs )
My question is this.
I wonder if there are any plans to change this talpa_vfshook implementation to something other than a hook method in the future (no hook chain's problem).
Sophos Anti-Virus for Linux 9/10 is being retired next year, so no significant work is planned for it. Since Sophos Protection for Linux won't use Talpa, we won't be doing work on Talpa. Talpa uses vfs hooking since it's the only mechanism we've found that works (for loadable modules).
When layering happens, the best your module can do is check it isn't going to immediately crash the system, and inform the user they need to reboot.
Thanks for your kind reply.
We plan to keep the VFS Hook method for now (since there is no other alternative right now).
After reviewing Wrapfs first, we will do research to see if there is another way. By that time, our current VFS Hook products will have been installed on the market and I think we are enjoying a panic dump.
Good luck to you.