Kernel Generalized Event Management

File Release Notes and Changelog

Release Name: 1.0.4

Notes: This release includes an IOCTL interface for giving commands to KGEM from user space, as well as a set of IOCTL functions for filtering event content. Also included is an experimental netlink socket interface (as an alternative to using procfs), and a shared library that provides user functions for working with KGEM.


Changes:

Oct 19, 2004 - Release 1.0.4
- Create shared libraries to contain userland functions for working with KGEM rather than requiring apps to know about /proc/kgem/subscribe. This also allows an application to optionally connect using netlink sockets.
- Remove gem_hook_av_sys from the 2.6 kernel package

Oct 5, 2004 - Release 1.0.4
- Fix minor bugs which arose when building on a 2.6 kernel
- Remove hard-coded references to AV modules in hooks. Replace with filtering calls from a user space utility.
- Allow process exemption to extend to threads.

Sep 29, 2004 - Release 1.0.4
- Really complete implementation of IOCTL functions for managing exemption lists.

Sep 9, 2004 - Release 1.0.3
- Implement netlink socket transport mechanism to coexist with /proc

Sep 1, 2004 - Release 1.0.3
- Remove ioctl_bklrelease parameter
- Complete implementation of IOCTL functions for managing exempt pid, uid, image, and path lists.

Aug 25, 2004 - Release 1.0.2
- Include temporary code for exempting anti-virus processes from events
- Improve gemstart script
- Built patch for inclusion in kernel source tree
- Get rid of pesky compile warnings

Aug 10, 2004 - Release 1.0.2
- Added gem_hook_av_sys.c to implement anti-virus hooks via the syscall table for 2.4 and 2.6 kernels
- Improved Makefile (Dmitri)
- Modifications to allow files to be built as part of the base kernel as well as loadable modules.
- Starting to implement app-specific IOCTL functions
- Corrected various bugs encountered in testing with AV prototype

June 8, 2004 - Release 1.0.1
- Added the following parameters to the kernel module:
    bypass_root=1|0      - bypass events for root user (for testing)
    ioctl_bklrelease=0|1 - release big kernel lock for duration of ioctl (for testing only)
    gem_debug=0|1        - send debug messages to kmsg
    loglevel=n           - set logging level (not yet implemented)
- Added ability to use IOCTL to receive events instead of read/write (for testing only)
- Miscellaneous bug fixes
- Miscellaneous updates to support other kernel versions
- Created gem_hook_av.c, gem_av_events.h, and gem_av_user.h to implement anti-virus hooks as an LSM module
- Added an 'idnum' field to the gem_event_inst, event_subscribe, gem_event_subscribe, and event_rec structures. This is a number that can be used to identify an event, so that a listening application can use a switch or an array index to process multiple event types rather than calling strcmp() on the name field. The subscribing application decides which numbers are to be used when it subscribes.

Apr 30, 2004 - Release 1.0.0
- First public release of code