Diffstat (limited to 'docs/source/architecture.rst')
-rw-r--r--docs/source/architecture.rst69
1 files changed, 37 insertions, 32 deletions
diff --git a/docs/source/architecture.rst b/docs/source/architecture.rst
index 59b55f8..2caec16 100644
--- a/docs/source/architecture.rst
+++ b/docs/source/architecture.rst
@@ -13,66 +13,71 @@ Format of network messages
--------------------------
-1. Format of messages to file access registrar::
+1. Format of messages to the File Access Registrar::
<time of event: sec since 1970>
<event type: open, read, write>
<name of file>
<building stage: stagename or unknown>
<result:OK,ERR/errno,ASKING,DENIED>
-2. Format of answer for ASKING packet from registrar::
+2. Format of answer for ASKING packet from File Access Registrar::
<ALLOW | DENY>
*Notes:*
* All sockets are SOCK_SEQPACKET
-* All fields are delimited with character with code 0
+* All fields are delimited with character \0
-How Hooklib approach works?
-===========================
+How does the Hooklib approach work?
+===================================
-The main idea of Hooklib approach is to load a dynamic library-hooker
-**before** any other library(including the C runtime, libc.so).
-So, the functions, such as open, read and write, executed from this library
-instead of libc.so.
+The main idea behind the Hooklib approach is to load a dynamic library-hook
+**before** any other library(including the C runtime).
+So, the calls to functions such as open, read and write, are intercepted
+using this library, instead of executing the ones in *libc*.
-Hooklib module modifies Linux's dynamic linker behavior changing LD_PRELOAD
-environment variable(see
+Hooklib module modifies Linux's dynamic linker behavior, changing LD_PRELOAD
+environment variable (see
`man 8 ld-linux <http://linux.die.net/man/8/ld-linux>`_ for details).
-Module protects LD_PRELOAD variable from further changes by program.
+This module also protects LD_PRELOAD variable from further changes by executing
+program.
-When hooklib module loads, it connects to file access registrar via Unix domain
-sockets. If program forks or creates a new thread, another copy of library
-loads.
+When Hooklib is loaded, it connects to the File Access Registrar via Unix domain
+sockets. If a program forks or creates a new thread, another copy of the library
+loads to register events from this new process/thread.
-When program do open(...), read(...), write(...), library send an information
-about a call to registrar. Registar can block or allow an event. If registrer
-allows an event then the original function is called. Else error
-"file not found" is returned.
+When a program calls open(...), read(...), write(...), Hooklib sends a message
+about a call to the File Access Registrar. The Registar can then block
+or allow this event. If Registrar responds to the previous query with
+an ALLOW packet, then the original function is called. Otherwise, the function
+is not called and a "File not Found" error is returned instead.
-How Fusefs approach works?
-==========================
+How does the Fusefs approach work?
+==================================
-The main idea if Fusefs approach is to create a loggable filesystem in userspace
-and chroot a program into it.
+The main idea of the Fusefs approach is to create a loggable filesystem in userspace
+and jail a program into it, using a chroot.
-Before program is launched registrar prepare mounts. It usually do:
+Before the program is launched, The File Access Registrar prepare the mounts.
+It would usually take the following steps:
1. mount -o bind / /mnt/rootfs/
-2. mount /dev/, /dev/pts, /dev/shm, /proc/, /sys/ same way
+2. mount /dev, /dev/pts, /dev/shm, /proc/, /sys/ binding them to /mnt/rootfs
3. mount /lib64/, /lib32/, /var/tmp/portage/ same way to increase performance at
cost of accuracy
-4. launch fuse over /mnt/rootfs/
+4. launch FUSE over /mnt/rootfs/
-Fuse module blocks all external access to /mnt/rootfs while program runs.
-
-Fuse module also asks the registrar about event allowness.
+Fuse module blocks all external access to /mnt/rootfs while the program runs.
+The FUSE module will also ask the File Access Registrar to check whether access to
+files inside the chroot are allowed or denied. As with the Hooklib approach, if
+access to a file is denied, a "File not Found" error is returned.
*Notes:*
-* Checking for allowness takes a much time
+* Checking for permission to access a file with the File Access Registrar, takes a
+lot of time under this approach.
Futher analysis of file access events
=====================================
@@ -90,6 +95,6 @@ unuseful packages.
Rules of heuristics
-------------------
-1. *Package is not useful if all files are .desktop or .xml or .m4*.
+1. *Package is not useful if all files are .desktop, .xml or .m4*.
Aclocal util tries to read all .m4 files in /usr/share/aclocal directory.
- Files ending on .desktop and .xml often readed on postrm phase. \ No newline at end of file
+ Files ending on .desktop and .xml are often read in the postrm phase. \ No newline at end of file
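Review bot: "Files ending on .desktop and .xml" should be "Files ending in .desktop and .xml", and "readed" is correctly replaced but the same grammar pattern remains in the unchanged line above ("Aclocal util tries to read all .m4 files" is fine, but consider "The aclocal utility"). Both the old and new versions of the file end without a trailing newline (the "\ No newline at end of file" marker appears on both sides of the hunk); add one while touching this line so later diffs and RST tooling do not keep flagging it.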