Hi,

I'm trying to write a simple module that will abort socket() calls for
the attached process. It's nothing serious, just for learning purposes.
What I have so far is largely based on crash-suspend.c so I didn't feel
the need to share any source code. I can, however, if need be. I have a
few questions:

1. From what I've read in the DocBook pages I've figured out that I have
to have two report entries. One for syscall_entry and one for
syscall_exit. On syscall_entry I should use syscall_get_nr() and check
if this number is equal to __NR_socket and return UTRACE_SYSCALL_ABORT
in that case and on syscall_exit, I need to call syscall_rollback() to
roll back the registers if utrace_syscall_action(action) returns
UTRACE_SYSCALL_ABORT. Is this correct?

2. First I've read the documentation from Roland's page and figured out
it's out of date. report_syscall_entry callback used to have a struct
task_struct argument but now it doesn't. How should I get a "struct
task_struct" to pass to syscall_get_nr? Am I supposed to keep a
reference to the "struct pid" I used in init_module() and use
pid_task(pid, PIDTYPE_PID) or should I use find_get_pid() just as I used
in the init_module()?

3. In the report_syscall_exit callback, is the "struct pt_regs" argument
there so that the user can directly pass it to syscall_rollback() or do
I have to save the registers I had in report_syscall_entry() callback
and use them instead?

4. __NR_socket is available on some architectures and it's implemented
on top of __NR_socketcall on others. I'm running this example on x86_64.
How should my module figure out which mode the target process is running
in? I suppose this is related to the CS register. Having figured that out,
how am I supposed to include system call numbers from both architectures
and use __NR_socketcall for 32-bit mode and __NR_socket for 64-bit?

5. Is there any project in the outer-space that does something like
this, sandboxing or monitoring system calls, from which I can learn
more?

Thanks for reading.

-- 
Regards,
Ali Polatel
