In <Pine.LNX.4.21.0004201544260.972-100000@saturn.homenet> Tigran Aivazian (tigran@veritas.com) wrote:
TA> On Tue, 18 Apr 2000, Khimenko Victor wrote:
>> > yes, an example of changing system calls (temporarily) is in a timetravel
>> > module I wrote ages ago:
>>
>> > http://www.ocston.org/~tigran/tt/tt.html
>>
>> Hmm. I've not looked at your beast yet, but I'm puzzled: you can intercept
>> userspace calls easily (you do not need to do it in the kernel, in fact: take a
>> look at strace/ltrace/etc) but sometimes the kernel just calls sys_open directly!
>> Is it intercepted in your timetravel module as well?
TA> changing the implementation of system calls, i.e. replacing them (perhaps
TA> temporarily), is quite different from intercepting or, more correctly,
TA> "tracing" them, which is what strace/ltrace do.
No. There is NO such "deep difference".
TA> Tracing is a weak form of replacing, i.e. can be thought of as "replacing
TA> with a copy surrounded by a chunk of code that dumps some arguments,
TA> return codes etc."
... "or doing any other things like calling OTHER system calls".
TA> Have a look at tracesys: label in entry.S and at syscall_trace() function
TA> in arch/i386/kernel/ptrace.c to see what I am talking about.
TA> See the difference now?
TA> However, I know that intercepting (and not just tracing) can be done in
TA> userspace using LD_PRELOAD facility of shared libraries. This leaves one
TA> case where a kernel implementation is a "must" - statically linked
TA> binaries.
You CAN intercept all system calls from userspace even for a statically linked
binary. Yes, it's slower and trickier than a kernel-space solution, but it's also
MUCH safer: it affects only one process, not the whole system.
P.S. Hint:
-- entry.S --
...
ENTRY(system_call)
        pushl %eax                      # save orig_eax
        SAVE_ALL
        GET_CURRENT(%ebx)
        cmpl $(NR_syscalls),%eax
        jae badsys
        testb $0x20,flags(%ebx)         # PF_TRACESYS
        jne tracesys
...
tracesys:
        movl $-ENOSYS,EAX(%esp)
        call SYMBOL_NAME(syscall_trace)
        movl ORIG_EAX(%esp),%eax
        cmpl $(NR_syscalls),%eax
        jae tracesys_exit
        call *SYMBOL_NAME(sys_call_table)(,%eax,4)
        movl %eax,EAX(%esp)             # save the return value
tracesys_exit:
        call SYMBOL_NAME(syscall_trace)
        jmp ret_from_sys_call
...
-- cut --
Why %eax compared with NR_syscalls twice ? Think about it...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
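As an added example, not code from the thread or from the timetravel module: a minimal ptrace tracer for x86_64 Linux (orig_rax is the 64-bit counterpart of the orig_eax slot above) that does what the hint describes. At the first syscall_trace() stop it rewrites the number of the tracee's getpid() call to -1, so the kernel's second NR_syscalls check skips the call and the -ENOSYS stored before the first stop is what the tracee sees, and only the traced process is affected. The names rewrite_syscall, run_traced and fail are mine; the child process is constructed here only to exercise the tracer.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Policy applied at the first syscall_trace() stop (entry): the number to
 * leave in orig_rax (orig_eax on i386). -1 is >= NR_syscalls, so the second
 * range check skips the call and the -ENOSYS stored earlier is returned. */
long rewrite_syscall(long nr)
{
    return nr == SYS_getpid ? -1 : nr;
}
/* Hypothetical helper: give up on a tracee we can no longer control. */
static int fail(pid_t pid) { kill(pid, SIGKILL); return -1; }
/* Trace a forked child that calls getpid(): 42 = child got ENOSYS (replaced),
 * 0 = call went through, -1 = ptrace unusable here (non-x86_64, seccomp, Yama). */
int run_traced(void)
{
#if defined(__x86_64__)
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                 /* tracee (constructed) */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(99);
        raise(SIGSTOP);                             /* sync with the tracer */
        long r = syscall(SYS_getpid);
        _exit(r < 0 && errno == ENOSYS ? 42 : 0);
    }
    int status, entry = 1;                          /* syscall stops alternate entry/exit */
    struct user_regs_struct regs;
    for (;;) {
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status) == 99 ? -1 : WEXITSTATUS(status);
        if (!WIFSTOPPED(status)) return -1;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {  /* syscall stop (TRACESYSGOOD) */
            if (entry && ptrace(PTRACE_GETREGS, pid, 0, &regs) == 0) {
                regs.orig_rax = rewrite_syscall((long)regs.orig_rax);
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
            }
            entry = !entry;
        } else if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
            return fail(pid);                       /* first stop is the SIGSTOP above */
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) < 0) return fail(pid);  /* resume, signal suppressed */
    }
#else
    return -1;
#endif
}
```

run_traced() returning 42 is the whole point of the double compare: the number the kernel validated before the first syscall_trace() call is not the number it dispatches after it.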
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:17 EST