Re: system call logging in userspace
Man strace, or http://subterfugue.org > Hello, > > I'm not very experienced with dealing directly with the kernel, so I was > hoping for a little advice... > > I'd like to implement some sort of rudimentary (file)system-call logging. > Specifically, I'd like information about write, open, creat, unlink, and > maybe a few others to be pushed into userspace. Mostly, I'd just like to > know what files are being created, modified, and deleted as it happens. > > It seems quite easy to me -- I was thinking of doing this with a module. > I'll just grab the pointer from sys_call_table[__NR_open] and replace it with > my own little wrapper that does nothing but call the original function, and > then log the call in some manner. > > > > asmlinkage int my_sys_open(const char *fname, int flags, int mode) > { > [preliminary stuff] > > returnval = real_sys_open(fname, flags, mode); > > [log information based on returnval, fname, whatever]; > > return returnval; > } > > > int init_module() > { > [other stuff] > > real_sys_open = sys_call_table[__NR_open]; > sys_call_table[__NR_open] = my_sys_open; > return 0; > } > > init cleanup_module() > { > sys_call_table[__NR_open] = real_sys_open; > } > > === > > The simplicity of the whole thing is what scares me a little bit. Am I being > horribly naive about something here? It seems like an obviously useful > module to have around, and yet I've never seen it and I couldn't find anyone > who had done it already. Is there a much better way to accomplish this than > loading in a module? Am I risking serious fs corruption? > > It occurs to me that I may have some problems if something else changes the > sys_call_table[__NR_open] and the two modules don't cooperate... > > Thanks. > - -- > Chad Hogan [EMAIL PROTECTED] > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.0.4 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s > rEQ6ltXalr2SVqFg7lhIFYc= > =iBPm > -END PGP SIGNATURE- > - > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to [EMAIL PROTECTED] > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt, details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: system call logging in userspace
Man strace, or http://subterfugue.org Hello, I'm not very experienced with dealing directly with the kernel, so I was hoping for a little advice... I'd like to implement some sort of rudimentary (file)system-call logging. Specifically, I'd like information about write, open, creat, unlink, and maybe a few others to be pushed into userspace. Mostly, I'd just like to know what files are being created, modified, and deleted as it happens. It seems quite easy to me -- I was thinking of doing this with a module. I'll just grab the pointer from sys_call_table[__NR_open] and replace it with my own little wrapper that does nothing but call the original function, and then log the call in some manner. asmlinkage int my_sys_open(const char *fname, int flags, int mode) { [preliminary stuff] returnval = real_sys_open(fname, flags, mode); [log information based on returnval, fname, whatever]; return returnval; } int init_module() { [other stuff] real_sys_open = sys_call_table[__NR_open]; sys_call_table[__NR_open] = my_sys_open; return 0; } init cleanup_module() { sys_call_table[__NR_open] = real_sys_open; } === The simplicity of the whole thing is what scares me a little bit. Am I being horribly naive about something here? It seems like an obviously useful module to have around, and yet I've never seen it and I couldn't find anyone who had done it already. Is there a much better way to accomplish this than loading in a module? Am I risking serious fs corruption? It occurs to me that I may have some problems if something else changes the sys_call_table[__NR_open] and the two modules don't cooperate... Thanks. - -- Chad Hogan [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s rEQ6ltXalr2SVqFg7lhIFYc= =iBPm -END PGP SIGNATURE- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ -- Philips Velo 1: 1"x4"x8", 300gram, 60, 12MB, 40bogomips, linux, mutt, details at http://atrey.karlin.mff.cuni.cz/~pavel/velo/index.html. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
system call logging in userspace
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, I'm not very experienced with dealing directly with the kernel, so I was hoping for a little advice... I'd like to implement some sort of rudimentary (file)system-call logging. Specifically, I'd like information about write, open, creat, unlink, and maybe a few others to be pushed into userspace. Mostly, I'd just like to know what files are being created, modified, and deleted as it happens. It seems quite easy to me -- I was thinking of doing this with a module. I'll just grab the pointer from sys_call_table[__NR_open] and replace it with my own little wrapper that does nothing but call the original function, and then log the call in some manner. asmlinkage int my_sys_open(const char *fname, int flags, int mode) { [preliminary stuff] returnval = real_sys_open(fname, flags, mode); [log information based on returnval, fname, whatever]; return returnval; } int init_module() { [other stuff] real_sys_open = sys_call_table[__NR_open]; sys_call_table[__NR_open] = my_sys_open; return 0; } init cleanup_module() { sys_call_table[__NR_open] = real_sys_open; } === The simplicity of the whole thing is what scares me a little bit. Am I being horribly naive about something here? It seems like an obviously useful module to have around, and yet I've never seen it and I couldn't find anyone who had done it already. Is there a much better way to accomplish this than loading in a module? Am I risking serious fs corruption? It occurs to me that I may have some problems if something else changes the sys_call_table[__NR_open] and the two modules don't cooperate... Thanks. - -- Chad Hogan [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s rEQ6ltXalr2SVqFg7lhIFYc= =iBPm -END PGP SIGNATURE- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
system call logging in userspace
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello, I'm not very experienced with dealing directly with the kernel, so I was hoping for a little advice... I'd like to implement some sort of rudimentary (file)system-call logging. Specifically, I'd like information about write, open, creat, unlink, and maybe a few others to be pushed into userspace. Mostly, I'd just like to know what files are being created, modified, and deleted as it happens. It seems quite easy to me -- I was thinking of doing this with a module. I'll just grab the pointer from sys_call_table[__NR_open] and replace it with my own little wrapper that does nothing but call the original function, and then log the call in some manner. asmlinkage int my_sys_open(const char *fname, int flags, int mode) { [preliminary stuff] returnval = real_sys_open(fname, flags, mode); [log information based on returnval, fname, whatever]; return returnval; } int init_module() { [other stuff] real_sys_open = sys_call_table[__NR_open]; sys_call_table[__NR_open] = my_sys_open; return 0; } init cleanup_module() { sys_call_table[__NR_open] = real_sys_open; } === The simplicity of the whole thing is what scares me a little bit. Am I being horribly naive about something here? It seems like an obviously useful module to have around, and yet I've never seen it and I couldn't find anyone who had done it already. Is there a much better way to accomplish this than loading in a module? Am I risking serious fs corruption? It occurs to me that I may have some problems if something else changes the sys_call_table[__NR_open] and the two modules don't cooperate... Thanks. - -- Chad Hogan [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE61kkHiSF5tViVwg0RAkMOAJ4rMTC/xvvknmiSf512Y5d06ezdpgCfZH+s rEQ6ltXalr2SVqFg7lhIFYc= =iBPm -END PGP SIGNATURE- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/