Actually, I've been given an assignment to write a kernel module such that whenever a certain system call (e.g. open()) is executed, the control should come to my new module; then it will do some processing on the parameters and then call the actual syscall function (sys_open()). I only found the way of intercepting 'sys_call_table'. I know this kind of hacking is probably not a good idea. Can you suggest any alternative way? I would really appreciate it.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 7:43 PM, Greg KH <[email protected]> wrote:

> On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> > Hi guys,
> >
> > I'm new to kernelnewbies and this is my first question in the list.
> >
> > I'm working on system call interception (for open() system call) and I got one
> > problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> > to intercept open() syscall. I've loaded mod1 first and then mod2.
> > The mod1 intercepted open() by:
> >
> > original_open1 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod1_open;
> >
> > Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
> >
> > original_open2 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod2_open;
>
> Eeek! First off, don't do this, you are seeing why you should not do
> this already, no need to have to explain in detail why this is a bad
> thing :)
>
> > problem is: Suppose I unload mod1 first and open() system call gets executed,
> > then mod2_open() would get called, which ultimately calls mod1_open().
> >
> > Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> > function pointer is no longer a valid memory region).
> >
> > I need some mechanism to avoid this problem. Basically, I want a solution which
> > facilitates loading/unloading the modules (which intercept same syscall) in any
> > random order without causing any panic.
>
> Why do you feel you wish to grab the system call in the first place?
> What problem are you trying to solve where this is the only solution?
>
> > Is there some kind of facility such that while unloading the module (`mod2`
> > here), the module will broadcast the message to all other modules that it's
> > being unloaded and instead of referring to `original_open2()` the other modules
> > should use `original_open1()`.
>
> Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
> the pieces your kernel will be in when things die (and they will die...)
>
> sorry,
>
> greg k-h
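
The unload-order failure described in the quoted message, as an added example that is not part of the original thread: a userspace C model of the two-module hook chain, with no kernel code involved. The `struct module` type, the `-1` return standing in for the panic, and the exit-path behaviour in `unload()` are assumptions; the thread does not show the modules' unload code.

```c
/* Userspace model (constructed) of the hook chain; no kernel code involved. */
#include <stdio.h>
#include <stddef.h>

typedef int (*open_fn)(const char *path);

struct module {              /* hypothetical stand-in for a loaded module */
    int loaded;              /* 0 after unload: its code is gone */
    open_fn saved;           /* pointer it copied out of the table */
    open_fn handler;         /* its replacement for open() */
};

static int sys_open_model(const char *p) { (void)p; return 3; }  /* fake fd */
static int mod1_open(const char *p);
static int mod2_open(const char *p);

static open_fn table_slot;   /* models sys_call_table[__NR_open] */
static struct module mod1 = { 0, NULL, mod1_open };
static struct module mod2 = { 0, NULL, mod2_open };

/* -1 models the jump into unmapped module text that panics the kernel. */
static int mod1_open(const char *p) { return mod1.loaded ? mod1.saved(p) : -1; }
static int mod2_open(const char *p) { return mod2.loaded ? mod2.saved(p) : -1; }

static void load(struct module *m) {
    m->saved = table_slot;   /* original_openN = sys_call_table[__NR_open] */
    table_slot = m->handler; /* sys_call_table[__NR_open] = modN_open */
    m->loaded = 1;
}

/* Assumed exit path: restore the slot only if it still points at us. */
static void unload(struct module *m) {
    if (table_slot == m->handler)
        table_slot = m->saved;
    m->loaded = 0;
}

/* Load mod1 then mod2, unload `first`, then issue one open(). */
static int open_after_unloading(struct module *first) {
    table_slot = sys_open_model;
    load(&mod1);
    load(&mod2);
    unload(first);
    return table_slot("/tmp/example");
}

int main(void) {
    printf("unload mod1 first: %d\n", open_after_unloading(&mod1));
    printf("unload mod2 first: %d\n", open_after_unloading(&mod2));
    return 0;
}
```

Unloading in reverse load order unwinds the chain cleanly; unloading mod1 first leaves mod2 holding a saved pointer that no table check can see, which is the stale link behind the panic.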
