From: Herbert Rosmanith <kernel@wildsau.enemy.org>
To: Kyle Moffett <mrmacman_g4@mac.com>
Cc: Robin Holt <holt@sgi.com>, linux-kernel@vger.kernel.org
Subject: Re: Q on audit, audit-syscall
Date: Wed, 5 Apr 2006 15:50:17 +0200 (MET DST)
Message-ID: <200604051350.k35DoIXF009872@wildsau.enemy.org>
In-Reply-To: <0CC157BB-7180-4B94-817A-E96A6099FBA6@mac.com>

> On Apr 5, 2006, at 08:06:30, Herbert Rosmanith wrote:
> >> On Wed, Apr 05, 2006 at 01:27:03PM +0200, Herbert Rosmanith wrote:
> >>>
> >>> good afternoon,
> >>>
> >>> I'm searching for a way to trace/intercept syscalls, both before
> >>> and after execution. "ptrace" is not an option (you probably know
> >>> why).
> >>
> >> Does strace do what you are asking for?
> >
> > as I said, "ptrace" is not an option.
>
> Why not, exactly? (No, we don't know why).

according to the man-page:

    RETURN VALUES
        EPERM  The specified process [...] is already being traced.

this makes it unusable for me.

> ptrace is _the_ Linux mechanism to trace and intercept syscalls.
>
> There is no other way.

"there is no other way": [1,2,3,4]

regards,
h.rosmanith

[1] http://www.uniforum.chi.il.us/slides/HardeningLinux/LAuS-Design.pdf
[2] http://www.usenix.org/publications/library/proceedings/als01/full_papers/edwards/edwards.pdf
[3] http://www.citi.umich.edu/u/provos/papers/systrace.pdf
[4] http://www.nsa.gov/selinux/papers/freenix01.pdf
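
Added example, not part of the original message or of any project it cites: a small Linux C program that reproduces the EPERM case quoted from the man page, where a process that already has a tracer refuses a second PTRACE_ATTACH. The function names are hypothetical, and it assumes a Yama ptrace_scope of 0 or 1 so that a process may trace its own descendants.

```c
/* Added example: one tracer per process, so a second attach gets EPERM. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* First tracer: create a tracee, report its pid, hold it until released. */
static void first_tracer(int report_fd, int release_fd)
{
    int st; char c = 0;
    pid_t shown, t = fork();
    if (t == 0) {                                  /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);                            /* stop under our parent */
        _exit(0);
    }
    shown = (t > 0 && waitpid(t, &st, 0) == t && WIFSTOPPED(st)) ? t : -1;
    if (write(report_fd, &shown, sizeof shown) > 0)
        while (read(release_fd, &c, 1) < 0 && errno == EINTR) {}
    if (shown > 0) { kill(t, SIGKILL); waitpid(t, &st, 0); }
    _exit(0);
}

/* Returns the errno seen by a second tracer (the tracee's grandparent),
 * 0 if the attach unexpectedly succeeded, -1 if the setup failed. */
int second_tracer_errno(void)
{
    int up[2], down[2], err = -1;
    pid_t first, tracee = -1;
    if (pipe(up) < 0 || pipe(down) < 0) return -1;
    if ((first = fork()) < 0) return -1;
    if (first == 0) first_tracer(up[1], down[0]);  /* never returns */
    close(up[1]);
    if (read(up[0], &tracee, sizeof tracee) == sizeof tracee && tracee > 0)
        err = ptrace(PTRACE_ATTACH, tracee, NULL, NULL) == 0 ? 0 : errno;
    if (write(down[1], "x", 1) != 1) kill(first, SIGKILL);
    waitpid(first, NULL, 0);                       /* first tracer cleans up */
    close(up[0]); close(down[0]); close(down[1]);
    return err;
}

int main(void)
{
    int e = second_tracer_errno();
    printf("second PTRACE_ATTACH: %s\n", e > 0 ? strerror(e) : "no error");
    return 0;
}
```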