On Tue, Aug 31, 2004 at 08:15:56PM +0300, Anatoly Vorobey wrote: > [nitpicking follows]
[nitpickers are us]
> I'm not suggesting replacing the file (impossible in /proc w/o changing
> the kernel or the mounting), I'm suggesting replacing the
> *descriptor*.
I'm not suggesting replacing the file either - I'm suggesting opening
the original file (/proc/.../whatever), but keeping track of its fd,
and in subsequent calls to read, return your own data rather than data
from the file. In some cases (although not the specific one we're
talking about), simply replacing the descriptor is not enough, because
the file being read has some special properties that your "replacement
file" cannot easily emulate. Think ioctl then read on a special device
file, or terminal ioctls on /dev/tty. Either you provide these
functions, or you let them occur on the "real" fd and intervene
elsewhere, or things stop working.
> and will just happily read it all and then close it - you won't have to
> monitor those calls. That makes the whole process much simpler and
> easier to code.
Agreed, in this specific case. I was thinking ps/top might be doing
something funky with the /proc/$PID/* files they read, but it looks
like a very simple open/read/close, e.g.:
open("/proc/6/cmdline", O_RDONLY) = 8
read(8, "", 2047) = 0
close(8)
So yeah, hooking only open in LD_PRELOAD could work.
Cheers,
Muli
--
Muli Ben-Yehuda
http://www.mulix.org | http://mulix.livejournal.com/
signature.asc
Description: Digital signature
