From: Chad Hogan <Chad.Hogan@inphinity.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: system call logging in userspace
Date: Thu, 12 Apr 2001 17:32:07 -0700
Message-ID: <0104121732070D.51519@usul.inphinity.com>

Hello,

I'm not very experienced with dealing directly with the kernel, so I was
hoping for a little advice...

I'd like to implement some sort of rudimentary (file)system-call logging.
Specifically, I'd like information about write, open, creat, unlink, and
maybe a few others to be pushed into userspace. Mostly, I'd just like to
know what files are being created, modified, and deleted as it happens.

It seems quite easy to me -- I was thinking of doing this with a module.
I'll just grab the pointer from sys_call_table[__NR_open] and replace it with
my own little wrapper that does nothing but call the original function, and
then log the call in some manner.

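================
#include <linux/kernel.h>
#include <linux/module.h>
#include <asm/unistd.h>		/* __NR_open */

extern void *sys_call_table[];	/* assumes the kernel exports this symbol to modules */

/* Saved pointer to the original open handler */
asmlinkage int (*real_sys_open)(const char *, int, int);

asmlinkage int my_sys_open(const char *fname, int flags, int mode)
{
	int returnval;

	/* [preliminary stuff] */
	returnval = real_sys_open(fname, flags, mode);
	/* [log information based on returnval, fname, whatever] */
	return returnval;
}

int init_module(void)
{
	/* [other stuff] */
	real_sys_open = sys_call_table[__NR_open];
	sys_call_table[__NR_open] = my_sys_open;
	return 0;
}

void cleanup_module(void)
{
	sys_call_table[__NR_open] = real_sys_open;
}
===========
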
The simplicity of the whole thing is what scares me a little bit. Am I being
horribly naive about something here? It seems like an obviously useful
module to have around, and yet I've never seen it and I couldn't find anyone
who had done it already. Is there a much better way to accomplish this than
loading in a module? Am I risking serious fs corruption?

It occurs to me that I may have some problems if something else changes the
sys_call_table[__NR_open] and the two modules don't cooperate...

Thanks.

- --
Chad Hogan chad.hogan@inphinity.com
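
Added example, not part of the original message or of any kernel source: a userspace C model of the concern raised at the end of the message, where two modules each save and restore sys_call_table[__NR_open] without cooperating. The names slot, hook_module, load, unload and slot_dangling are hypothetical stand-ins, and the path passed to the call is constructed.

```c
#include <stdio.h>

/* Userspace model of one table slot, standing in for sys_call_table[__NR_open].
 * All names are hypothetical; nothing here touches a real kernel. */
typedef int (*open_fn)(const char *fname);

struct hook_module {
    open_fn hook;   /* wrapper this module installs */
    open_fn saved;  /* "original" pointer captured at load time */
    int loaded;     /* 0 once the module's code would have been freed */
    int logged;     /* number of calls this module logged */
};

static int real_open(const char *fname) { (void)fname; return 3; }
static open_fn slot = real_open;
static struct hook_module mod_a, mod_b;

static int a_open(const char *f) { mod_a.logged++; return mod_a.saved(f); }
static int b_open(const char *f) { mod_b.logged++; return mod_b.saved(f); }

/* Same two steps as init_module() in the message: save, then overwrite. */
static void load(struct hook_module *m, open_fn hook)
{
    m->hook = hook; m->saved = slot; m->loaded = 1; m->logged = 0;
    slot = hook;
}

/* Same step as cleanup_module(): restore blindly, whatever the slot holds now. */
static void unload(struct hook_module *m) { slot = m->saved; m->loaded = 0; }

/* True when the slot points at a wrapper whose module is gone; in a real
 * kernel the next open() would jump into freed memory. */
static int slot_dangling(void)
{
    return (slot == mod_a.hook && !mod_a.loaded) ||
           (slot == mod_b.hook && !mod_b.loaded);
}

int main(void)
{
    load(&mod_a, a_open);
    load(&mod_b, b_open);
    unload(&mod_a);             /* A leaves first: slot = real_open again */
    slot("/tmp/constructed");   /* B is still loaded but no longer called */
    printf("B loaded=%d logged=%d\n", mod_b.loaded, mod_b.logged);
    unload(&mod_b);             /* B restores its saved pointer: A's wrapper */
    printf("dangling=%d\n", slot_dangling());
    return 0;
}
```

Unloading in the reverse of load order leaves the slot at real_open. Any other order first drops the remaining logger silently and then leaves a stale pointer in the slot.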
Thread overview: 2+ messages
2001-04-13 0:32 Chad Hogan [this message]
2001-04-16 15:37 ` system call logging in userspace Pavel Machek