Explains from the Linux File Deletion mechanism why Linux has fewer viruses

Many people once said that there are not many viruses in Linux because there are not many users in Linux. people prefer to develop viruses in Linux. I laughed at this comment, many may have experienced explorer injection. If explorer is replaced and cannot be deleted, or a stubborn file under system32 cannot be deleted, unfortunately, it is a trojan. At this time, some popular tools on the Internet are useful, such as icesword, these tools have to use the kernel driver to delete those files by virtue of the kernel's ultra-high privilege. the Windows registry is also a hard nut to crack. Once the registry is tampered with, the consequences will be unimaginable, therefore, the Registry backup tool is necessary. The key to all of this lies in the Windows Kernel architecture. The windows startup process is very complex, not only the startup of the kernel, many other user space services are beyond the control of users. For example, before the Winlogon process can take over the system, many user space services have been started, even in the security mode, since the east of the user space The West can be started before the user takes over the system. If these are malicious programs, your system will be moved with the hacker's heart. It's horrible! Windows File ing is a very annoying mechanism that prevents important files from being deleted during access, of course, the virus cannot be deleted during use... all this is because Windows unifies file deletion, file protection, and system security. This is determined by the microkernel architecture, windows always tries its best to keep the system complete, but the structure is often counterproductive. Windows is a product, it does not want novice users to delete a system file due to their own misoperations, so that the system cannot be started and the fault is attributed to Microsoft. It has too many problems to consider. Linux does not. It uses a lazy mechanism to protect files and delivers the greatest freedom to users. It does not prevent you from deleting any files, because the system is basically a disk file, it even allows you to delete the kernel itself. The result is that it cannot be started again next time. Can you continue to run the kernel after it is deleted? Yes, yes. This is the lazy mechanism of Linux VFS for file deletion management. If someone is using this file, the system will not delete it. Another reason is that the Linux kernel is a large kernel, all of them are mapped to the physical memory. For the kernel, there is no paging Memory concept. Even if the disk file does not exist, there will be no problems as long as there is still memory. All File Deletion operations are equally treated. in Linux, only a reference count is displayed. Once the reference count is 0, the file will be deleted, if a file is used, the reference count of the file is at least 1, and the file can be deleted only when the user is no longer in use, the result is that when you delete an object, you can safely delete it. When the object is not used, the system will perform the final deletion, therefore, there are no files that cannot be deleted in Linux. Linux does not provide any protection for file deletion and does not coupling any other mechanism. The deletion semantics is very simple, that is, to decrease the reference count.

In addition, the Linux kernel and user space are clearly divided. Users can even define their own init = xxx parameters at startup so that the first process of the user space is defined by themselves, this decoupling of kernel space and kernel space is very important. In the init kernel thread, the kernel allows users to take over the system through execve a user process, which can be defined by themselves, but it is usually the/sbin/INIT process. The result is that even if all the user space is injected, You can first Delete these dirty files. Second, you can set up a clean INIT process defined by yourself. All you need to do is restart the system and everything is done, the powerful shell commands in Linux allow you to easily back up a clean and virus-free root file system. Therefore, antivirus in Linux is very simple. The first process that users can control their own user space is the key point here. This is very difficult in windows. If you want to replace the SMSs program, try it, the system will prompt you "Please make sure that the disk is not full or is not write-protected and the file is not used", and the dllcache under system32 is also a directory that you love and hate. If you do not believe it, try to delete ie manually.

The key point is not to try to protect files from being deleted. The operating system's user space should provide a system protection mechanism instead of letting the file system assume this responsibility, no matter how important the file is, the system should not provide a mechanism to protect it from being deleted, especially the kernel, because if the good people can be protected in this way, the robbers can also.

In Linux, two reference counts are used to manage the existence and deletion of files, which are I _count and I _nlink. The former indicates the current user, and the latter indicates the current number of media connections, the meaning of the two can also be understood as the former is the reference count of the file in the memory, while the latter is the reference count of the file on the disk, only when both are 0, the deletion of the media is actually performed. You can also say that I _nlink is a sufficient condition for the file to be deleted, and I _count is a necessary condition for the file to be deleted. Finally, I will describe it, if it is not for other management needs, it is enough to use a reference count instead of two. When deleting an object, you need to call Iput. Let's take a look at this function:

Void Iput (struct inode * inode)

{

If (inode ){

Struct super_operations * op = inode-> I _sb-> s_op;

If (OP & OP-> put_inode)

Op-> put_inode (inode );

If (atomic_dec_and_lock (& inode-> I _count, & inode_lock) // The reference count of the file's memory is 0.

Iput_final (inode );

}

}

Iput_final mainly calls a generic_drop_inode, And then you can see this generic_drop_inode:

Static void generic_drop_inode (struct inode * inode)

{

If (! Inode-> I _nlink)

Generic_delete_inode (inode );

Else

Generic_forget_inode (inode );

}

It can be seen that the memory reference count is 0, which is a prerequisite. After all, the memory reference count represents the process's access to the file, the following delete operation can be weighed only when no process accesses the file:

Void generic_delete_inode (struct inode * inode)

{

Struct super_operations * op = inode-> I _sb-> s_op;

List_del_init (& inode-> I _list );

Inode-> I _state | = I _freeing;

Inodes_stat.nr_inodes --;

Spin_unlock (& inode_lock );

If (inode-> I _data.nrpages)

Truncate_inode_pages (& inode-> I _data, 0 );

Security_inode_delete (inode );

If (OP-> delete_inode ){

Void (* Delete) (struct inode *) = op-> delete_inode;

If (! Is_bad_inode (inode ))

Dquot_init (inode );

Delete (inode); // The delete callback function related to the file system finally destroys the inode of the disk.

} Else

Clear_inode (inode );

Spin_lock (& inode_lock );

Hlist_del_init (& inode-> I _hash );

Spin_unlock (& inode_lock );

Wake_up_inode (inode );

If (inode-> I _state! = I _clear)

Bug ();

Destroy_inode (inode );

}

The above function shows that the inode destroy operation is a callback function for the super block operation of the file system. This is reasonable because the super block of the file system is used to manage the global data, block allocation of all common files and idle block management must be implemented by it. Therefore, this should be its responsibility. For example, some file systems are pseudo file systems, it is also disguised as a block file, such as a memory file system, which has no non-Easy loss media at all, so there is no need to provide a real Delete callback function. In short, what is a file system like and how it should be managed? Its super block is the clearest. Linux VFS is actually a very beautiful image. Different file systems have different behaviors. The core of VFS is responsible for coordinating them so that they can cooperate better and have reached the security of the final system, stable and efficient.

Only one operation to delete a file is Unlink. It cannot be seen from the name. In fact, any operation to delete a file in Linux will eventually come down to this Unlink, the essence of this system call is to decrease the reference count of the file disk, that is, to decrease the I _nlink counter. In principle, file deletion and file unlinking have different meanings, however, they are unified to a consistent system call. The two are the same meaning from different perspectives, and the deletion is from the file itself, the unlink is from the user's point of view. Now let's take a look at the system call that is used together by two semantics:

Asmlinkage long sys_unlink (const char _ User * pathname)

{

...

If (! Is_err (dentry )){

If (Nd. Last. name [Nd. Last. Len])

Goto slashes;

Inode = dentry-> d_inode;

If (inode)

Atomic_inc (& inode-> I _count );

Error = vfs_unlink (Nd. dentry-> d_inode, dentry); // call the unlink function of a specific File System

Exit2:

Dput (dentry );

}

Up (& Nd. dentry-> d_inode-> I _sem );

If (inode)

Iput (inode );

...

}

Static int ext2_unlink (struct inode * Dir, struct dentry * dentry)

{

Struct inode * inode = dentry-> d_inode;

...

Ext2_dec_count (inode); // decreases the reference count of I _nlink OF THE inode.

Err = 0;

Out:

Return err;

}

Just now I said that using a reference count can handle everything. How can I do this? We will not discuss the too complex inode here. We will only discuss it in files. We will set the initial reference count of the file to 1. Once a file is opened, the reference count will increase progressively. Once closed, the inode will decrease, only when unlink is used, it increments once, twice, and once in total. Here we do not discuss file ing. We only think that all operation files must be opened before access. In this way, if a process is disabled after a file is accessed, the reference count of the file is decreased only to the time when the file is accessed open, which is equal to the reference count before the file is opened, in either case, if the reference count of the file is 0, the file will be deleted. This mechanism simply clarifies the lazy mechanism of File Deletion in Linux, it is this mechanism that makes Linux virus nowhere to hide. If you only manage file deletion, a reference count is enough, but Unix/Linux generally does not allow an entity to have multiple roles. If you need other meanings in reality, A new data structure will be abstracted for this new meaning. In file management, I _nlink appears to manage hard links of files.