Re: system call logging in userspace

2001-04-16 Thread Pavel Machek 

Man strace, or http://subterfugue.org

> Hello,
> 
> I'm not very experienced with dealing directly with the kernel, so I was 
> hoping for a little advice...
> 
> I'd like to implement some sort of rudimentary (file)system-call logging.  
> Specifically, I'd like information about write, open, creat, unlink, and 
> maybe a few others to be pushed into userspace.  Mostly, I'd just like to 
> know what files are being created, modified, and deleted as it happens.
> 
> It seems quite easy to me -- I was thinking of doing this with a module.  
> I'll just grab the pointer from sys_call_table[__NR_open] and replace it with 
> my own little wrapper that does nothing but call the original function, and 
> then log the call in some manner.
> 
> 
> 
> asmlinkage int my_sys_open(const char *fname, int flags, int mode)
> {
>  [preliminary stuff]
> 
>  returnval = real_sys_open(fname, flags, mode);
> 
>  [log information based on returnval, fname, whatever];
> 
>  return returnval;
> }
> 
> 
> int init_module()
> {
>  [other stuff]
> 
>  real_sys_open = sys_call_table[__NR_open];
>  sys_call_table[__NR_open] = my_sys_open;
>  return 0;
> }
> 
> init cleanup_module()
> {
>  sys_call_table[__NR_open] = real_sys_open;
> }
> 
> ===
> 
> The simplicity of the whole thing is what scares me a little bit.  Am I being 
> horribly naive about something here?  It seems like an obviously useful 
> module to have around, and yet I've never seen it and I couldn't find anyone 
> who had done it already.  Is there a much better way to accomplish this than 
> loading in a module?  Am I risking serious fs corruption?
> 
> It occurs to me that I may have some problems if something else changes the 
> sys_call_table[__NR_open] and the two modules don't cooperate...
> 
> Thanks.
> - -- 
> Chad Hogan [EMAIL PROTECTED]
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s
> rEQ6ltXalr2SVqFg7lhIFYc=
> =iBPm
> -END PGP SIGNATURE-
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [EMAIL PROTECTED]
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: system call logging in userspace

2001-04-16 Thread Pavel Machek 

Man strace, or http://subterfugue.org

 Hello,
 
 I'm not very experienced with dealing directly with the kernel, so I was 
 hoping for a little advice...
 
 I'd like to implement some sort of rudimentary (file)system-call logging. 
 Specifically, I'd like information about write, open, creat, unlink, and 
 maybe a few others to be pushed into userspace. Mostly, I'd just like to 
 know what files are being created, modified, and deleted as it happens.
 
 It seems quite easy to me -- I was thinking of doing this with a module. 
 I'll just grab the pointer from sys_call_table[__NR_open] and replace it with 
 my own little wrapper that does nothing but call the original function, and 
 then log the call in some manner.
 
 
 
 asmlinkage int my_sys_open(const char *fname, int flags, int mode)
 {
  [preliminary stuff]
 
  returnval = real_sys_open(fname, flags, mode);
 
  [log information based on returnval, fname, whatever];
 
  return returnval;
 }
 
 
 int init_module()
 {
  [other stuff]
 
  real_sys_open = sys_call_table[__NR_open];
  sys_call_table[__NR_open] = my_sys_open;
  return 0;
 }
 
 init cleanup_module()
 {
  sys_call_table[__NR_open] = real_sys_open;
 }
 
 ===
 
 The simplicity of the whole thing is what scares me a little bit. Am I being 
 horribly naive about something here? It seems like an obviously useful 
 module to have around, and yet I've never seen it and I couldn't find anyone 
 who had done it already. Is there a much better way to accomplish this than 
 loading in a module? Am I risking serious fs corruption?
 
 It occurs to me that I may have some problems if something else changes the 
 sys_call_table[__NR_open] and the two modules don't cooperate...
 
 Thanks.
 - -- 
 Chad Hogan [EMAIL PROTECTED]
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.0.4 (FreeBSD)
 Comment: For info see http://www.gnupg.org
 
 iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s
 rEQ6ltXalr2SVqFg7lhIFYc=
 =iBPm
 -END PGP SIGNATURE-
 -
 To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
 the body of a message to [EMAIL PROTECTED]
 More majordomo info at  http://vger.kernel.org/majordomo-info.html
 Please read the FAQ at  http://www.tux.org/lkml/

-- 
Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt,
details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

system call logging in userspace

2001-04-12 Thread Chad Hogan 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

I'm not very experienced with dealing directly with the kernel, so I was 
hoping for a little advice...

I'd like to implement some sort of rudimentary (file)system-call logging.  
Specifically, I'd like information about write, open, creat, unlink, and 
maybe a few others to be pushed into userspace.  Mostly, I'd just like to 
know what files are being created, modified, and deleted as it happens.

It seems quite easy to me -- I was thinking of doing this with a module.  
I'll just grab the pointer from sys_call_table[__NR_open] and replace it with 
my own little wrapper that does nothing but call the original function, and 
then log the call in some manner.



asmlinkage int my_sys_open(const char *fname, int flags, int mode)
{
 [preliminary stuff]

 returnval = real_sys_open(fname, flags, mode);

 [log information based on returnval, fname, whatever];

 return returnval;
}


int init_module()
{
 [other stuff]

 real_sys_open = sys_call_table[__NR_open];
 sys_call_table[__NR_open] = my_sys_open;
 return 0;
}

init cleanup_module()
{
 sys_call_table[__NR_open] = real_sys_open;
}

===

The simplicity of the whole thing is what scares me a little bit.  Am I being 
horribly naive about something here?  It seems like an obviously useful 
module to have around, and yet I've never seen it and I couldn't find anyone 
who had done it already.  Is there a much better way to accomplish this than 
loading in a module?  Am I risking serious fs corruption?

It occurs to me that I may have some problems if something else changes the 
sys_call_table[__NR_open] and the two modules don't cooperate...

Thanks.
- -- 
Chad Hogan [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s
rEQ6ltXalr2SVqFg7lhIFYc=
=iBPm
-END PGP SIGNATURE-
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

system call logging in userspace

2001-04-12 Thread Chad Hogan 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

I'm not very experienced with dealing directly with the kernel, so I was 
hoping for a little advice...

I'd like to implement some sort of rudimentary (file)system-call logging. 
Specifically, I'd like information about write, open, creat, unlink, and 
maybe a few others to be pushed into userspace. Mostly, I'd just like to 
know what files are being created, modified, and deleted as it happens.

It seems quite easy to me -- I was thinking of doing this with a module. 
I'll just grab the pointer from sys_call_table[__NR_open] and replace it with 
my own little wrapper that does nothing but call the original function, and 
then log the call in some manner.



asmlinkage int my_sys_open(const char *fname, int flags, int mode)
{
 [preliminary stuff]

 returnval = real_sys_open(fname, flags, mode);

 [log information based on returnval, fname, whatever];

 return returnval;
}


int init_module()
{
 [other stuff]

 real_sys_open = sys_call_table[__NR_open];
 sys_call_table[__NR_open] = my_sys_open;
 return 0;
}

init cleanup_module()
{
 sys_call_table[__NR_open] = real_sys_open;
}

===

The simplicity of the whole thing is what scares me a little bit. Am I being 
horribly naive about something here? It seems like an obviously useful 
module to have around, and yet I've never seen it and I couldn't find anyone 
who had done it already. Is there a much better way to accomplish this than 
loading in a module? Am I risking serious fs corruption?

It occurs to me that I may have some problems if something else changes the 
sys_call_table[__NR_open] and the two modules don't cooperate...

Thanks.
- -- 
Chad Hogan [EMAIL PROTECTED]
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s
rEQ6ltXalr2SVqFg7lhIFYc=
=iBPm
-END PGP SIGNATURE-
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/