This article describes the behavior of kernel modules with ENSLTP.
Kernel module names:
ENSLTP is shipped with two kernel modules. The modules are named fileaccess_mod_<version>.ko and mfeaack_<version>.ko.
Loading of kernel modules:
When ENSLTP is configured with on-access scanning enabled, the product loads fileaccess_mod_<version>.ko into memory. When ENSLTP is configured with Access Protection enabled, the product loads mfeaack_<version>.ko into memory.
Unloading of kernel modules:
The modules fileaccess_mod_<version>.ko and mfeaack_<version>.ko are unloaded from memory when the on-access scanning and Access Protection features are disabled, respectively. The modules can detect whether a third-party kernel module has patched on top of ENSLTP. If such a patch is detected, the ENSLTP kernel module is not unloaded.
Consider a third-party kernel module, sample_module.ko, that patches the NR_open system call. The following behavior occurs.
Module Unload Scenario 1:
The modules are loaded in the following order: mfeaack_<version>.ko, fileaccess_mod_<version>.ko, and sample_module.ko.
- Access Protection is disabled. mfeaack_<version>.ko is unloaded.
- On-access scan (OAS) is disabled. fileaccess_mod_<version>.ko isn't unloaded.
Module Unload Scenario 2:
The modules are loaded in the following order: mfeaack_<version>.ko, sample_module.ko, and fileaccess_mod_<version>.ko.
- Access Protection is disabled. mfeaack_<version>.ko isn't unloaded.
- OAS is disabled. fileaccess_mod_<version>.ko is unloaded.
Module Unload Scenario 3:
The modules are loaded in the following order: mfeaack_<version>.ko, sample_module.ko, and fileaccess_mod_<version>.ko.
- OAS is disabled. fileaccess_mod_<version>.ko is unloaded.
- The sample_module.ko is unloaded.
- Access Protection is disabled. mfeaack_<version>.ko is unloaded.
Module Unload Scenario 4:
The modules are loaded in the following order: mfeaack_<version>.ko, sample_module.ko, and fileaccess_mod_<version>.ko.
- A future hotfix containing kernel module fixes is being installed.
- The old fileaccess_mod_<version>.ko is unloaded and the new fileaccess_mod_<version>.ko is loaded.
- The old mfeaack_<version>.ko isn't unloaded and the new mfeaack_<version>.ko is loaded.
NOTE: The third-party module patch is detected on top of mfeaack_<version>.ko. Both the old version and the new version of the module are loaded into memory to avoid any kernel panics.
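The four scenarios above can be reproduced with a small model of stacked NR_open hooks. This is an added example, not ENSLTP code: the rule it encodes (unload is refused when the hook directly above belongs to a third-party module) is an inference from the scenarios, and the class, function names and v1/v2 version labels are hypothetical.

```python
"""Toy model of stacked NR_open hooks. Constructed example, not ENSLTP code."""

ENSLTP_PREFIXES = ("mfeaack_", "fileaccess_mod_")


def is_ensltp(name):
    return name.startswith(ENSLTP_PREFIXES)


class SyscallSlot:
    """One syscall-table entry (NR_open) patched by several modules in turn."""

    def __init__(self, load_order=()):
        self.chain = []              # bottom -> top; the table points at the top
        for name in load_order:
            self.load(name)

    def load(self, name):
        # A loader saves the current entry and installs its own hook above it.
        self.chain.append(name)

    def unload(self, name):
        """Return True if the module was removed, False if unload was refused."""
        i = self.chain.index(name)
        above = self.chain[i + 1] if i + 1 < len(self.chain) else None
        # Assumed rule: a third-party hook directly above still holds a saved
        # pointer into this module, so removing it would leave a dangling target.
        if is_ensltp(name) and above is not None and not is_ensltp(above):
            return False
        del self.chain[i]
        return True

    def hotfix(self, old, new):
        """Scenario 4: try to drop the old build, then load the new one anyway."""
        removed = self.unload(old)
        self.load(new)
        return removed


# Version labels v1/v2 are constructed placeholders for <version>.
AAC, OAS = "mfeaack_v1", "fileaccess_mod_v1"
NEW_AAC, NEW_OAS = "mfeaack_v2", "fileaccess_mod_v2"
THIRD = "sample_module"

if __name__ == "__main__":
    s1 = SyscallSlot([AAC, OAS, THIRD])
    print("scenario 1:", s1.unload(AAC), s1.unload(OAS), s1.chain)
    s4 = SyscallSlot([AAC, THIRD, OAS])
    print("scenario 4:", s4.hotfix(OAS, NEW_OAS), s4.hotfix(AAC, NEW_AAC), s4.chain)
```

In the scenario 4 run, the final chain holds both mfeaack builds, which matches the NOTE above.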