From mboxrd@z Thu Jan 1 00:00:00 1970
From: mike@flyn.org (W. Michael Petullo)
Date: Wed, 28 Jun 2017 20:49:59 -0400
Subject: Keeping track of called syscalls in real-time
In-Reply-To: <50c1511b-dd32-b653-82bb-b17783f16dca@seds.nl>
References: <42397.1498684750@turing-police.cc.vt.edu>
 <19bc9ba9-5a95-7a4d-3763-57f3f695ef7f@seds.nl>
 <47802.1498688788@turing-police.cc.vt.edu>
 <50c1511b-dd32-b653-82bb-b17783f16dca@seds.nl>
Message-ID: <20170629004959.GA2529@imp.flyn.org>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

> Whenever fopen("/etc/shadow", "r") is called, the tool would intercept
> it, run the verify() procedure, and return back to the syscall, allowing
> it to do its job.

This sounds like an LSM, possibly with a component which communicates with
userspace, depending on how sophisticated "verify" needs to be.

We've also done some very early work in trying to do this type of thing
from a hypervisor. See:

https://www.flyn.org/projects/VisorFlow/

--
Mike

:wq