From: greg@kroah.com (Greg KH)
To: kernelnewbies@lists.kernelnewbies.org
Subject: how to get filename of execve() system call from kernel module which install hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64
Date: Wed, 8 Mar 2017 13:33:20 +0100
Message-ID: <20170308123320.GA3730@kroah.com>
In-Reply-To: <7229751488975657@web39j.yandex.ru>
On Wed, Mar 08, 2017 at 03:20:57PM +0300, Lev Olshvang wrote:
> Hi Greg,
>
> Thank you for a prompt reply. My intention is to build some heuristics for
> intrusion detection on embedded systems based on the sequence of syscalls.
> I am collecting syscall events and sending them over netlink to my monitor.
> Since the platform may use SELinux or another LSM, I thought the syscall hook
> is the only point I can use to catch syscalls.
>
> Is it the wrong direction?

Yes, it is. Please use the audit subsystem for something like that; it is
exactly what it was designed and built for. You can do everything you
want to from userspace.

> I was googling and reading kernel git logs trying to find out why execve,
> clone and fork use assembly glue code instead of calling sys_execve like other
> syscalls.
> Can you give me some pointers on where to look?

Nope, don't mess with that :)
good luck!
greg k-h
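As an added illustration of the userspace route Greg recommends (this is not code from the thread or from the kernel's own tooling): with an audit rule such as `auditctl -a always,exit -F arch=b64 -S execve -S execveat -k exec_monitor` loaded, the kernel delivers SYSCALL, EXECVE, CWD, PATH and PROCTITLE records for every exec over the audit netlink socket, and auditd writes them to `/var/log/audit/audit.log`. The script below parses constructed sample lines in that format, groups records by event serial, and recovers the filename handed to execve (the PATH item=0 name), the binary that actually ran (`exe=`) and the full argv. It also handles the two cases a syscall-table hook would make you reinvent: arguments the kernel hex-encodes because they contain spaces or control bytes, and long arguments split across `aN[0]`, `aN[1]` chunks. The rule key name `exec_monitor` and all sample values are assumptions.

```python
"""Recover execve() filename and argv from Linux audit records.

Added example, not code from this thread. Assumes an audit rule such as
    auditctl -a always,exit -F arch=b64 -S execve -S execveat -k exec_monitor
is loaded; input lines are constructed in the format auditd writes.
"""
import re
from collections import defaultdict

X86_64_ARCH = "c000003e"                         # AUDIT_ARCH_X86_64 as printed by audit
EXEC_SYSCALLS = {59: "execve", 322: "execveat"}  # x86_64 syscall numbers

# Constructed sample: event 456 has plain quoted argv; event 457 has an argument
# containing spaces, which the kernel emits hex-encoded and unquoted.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1488975657.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a4e2a0 a1=55d1c0a4f3b0 a2=55d1c0a50fc0 a3=8 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="exec_monitor"
type=EXECVE msg=audit(1488975657.123:456): argc=2 a0="ls" a1="-la"
type=CWD msg=audit(1488975657.123:456): cwd="/home/lev"
type=PATH msg=audit(1488975657.123:456): item=0 name="/usr/bin/ls" inode=1311 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1488975657.123:456): proctitle=6C73002D6C61
type=SYSCALL msg=audit(1488975658.500:457): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd2c1e1a40 a1=7ffd2c1e1a70 a2=7ffd2c1e1a90 a3=0 items=2 ppid=1235 pid=1240 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec_monitor"
type=EXECVE msg=audit(1488975658.500:457): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=CWD msg=audit(1488975658.500:457): cwd="/home/lev"
type=PATH msg=audit(1488975658.500:457): item=0 name="/bin/sh" inode=1312 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value, value may be quoted
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
_ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")              # aN, or aN[chunk] for long args

def _decode(value):
    """Audit quotes plain strings; an unquoted hex run means the kernel
    hex-encoded the value because it held spaces, quotes or control bytes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if _HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_audit_log(text):
    """Group raw audit lines into events keyed by serial number."""
    events = {}
    for line in text.splitlines():
        m = _RECORD_RE.match(line.strip())
        if not m:
            continue                              # not an audit record: skip it
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial), "time": float(ts),
                                             "records": defaultdict(list)})
        ev["records"][rtype].append(dict(_FIELD_RE.findall(body)))
    return [events[k] for k in sorted(events)]

def _argv(execve_records):
    """Rebuild argv; long arguments arrive split across aN[0], aN[1], ... chunks."""
    parts = defaultdict(dict)
    for rec in execve_records:
        for key, value in rec.items():
            m = _ARG_RE.match(key)
            if m:                                 # ignores argc, aN_len and similar
                parts[int(m.group(1))][int(m.group(2) or 0)] = _decode(value)
    return ["".join(chunks[c] for c in sorted(chunks)) for _, chunks in sorted(parts.items())]

def execve_events(text):
    """One summary per x86_64 execve/execveat event: the path handed to the
    syscall (PATH item=0), the binary that actually ran (exe=) and argv."""
    out = []
    for ev in parse_audit_log(text):
        for sc in ev["records"].get("SYSCALL", []):
            nr = int(sc.get("syscall", -1))
            if sc.get("arch") != X86_64_ARCH or nr not in EXEC_SYSCALLS:
                continue
            paths = sorted(ev["records"].get("PATH", []), key=lambda p: int(p.get("item", 0)))
            title = [_decode(p["proctitle"]) for p in ev["records"].get("PROCTITLE", [])]
            cwd = ev["records"].get("CWD")
            out.append({
                "serial": ev["serial"],
                "syscall": EXEC_SYSCALLS[nr],
                "filename": _decode(paths[0]["name"]) if paths else None,
                "exe": _decode(sc.get("exe", "")),
                "argv": _argv(ev["records"].get("EXECVE", [])),
                "proctitle": title[0].split("\x00") if title else [],
                "cwd": _decode(cwd[0]["cwd"]) if cwd else None,
                "pid": int(sc.get("pid", 0)),
                "auid": int(sc.get("auid", -1)),
                "success": sc.get("success") == "yes",
            })
    return out

if __name__ == "__main__":
    for e in execve_events(SAMPLE_AUDIT_LOG):
        print(e["serial"], e["syscall"], e["filename"], "->", e["exe"], e["argv"])
```

Note that event 457 shows why both fields matter for detection: the filename passed to execve is `/bin/sh`, while `exe=` is the resolved target `/usr/bin/dash`; a monitor keyed on one alone would miss the other. The same parser applies to records read live from the audit netlink socket (or from `ausearch --raw`), so the sequence-of-syscalls heuristics from the thread can be built entirely in userspace.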
Thread overview (6+ messages):
2017-03-06 7:18 how to get filename of execve() system call from kernel module which install hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64 Lev Olshvang
2017-03-07 19:22 ` Greg KH
2017-03-07 20:00 ` valdis.kletnieks at vt.edu
2017-03-08 12:20 ` Lev Olshvang
2017-03-08 12:33 ` Greg KH [this message]
2017-03-08 19:15 ` valdis.kletnieks at vt.edu