How to hook the system call?

Nuno Martins nuno.m.g.martins at gmail.com
Wed Nov 23 13:20:39 EST 2011


On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang <geraint0923 at gmail.com> wrote:
> Hi,
> I have tried the LSM framework, but when I make my module, I got
> "warning: 'register_security' undefined", then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the kernel, which
> is allowed for me.
> So ... well, it seems that LSM doesn't work for a module without modifying the
> kernel source.
>
>
>
> On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu <alex.juncu at rosedu.org>
> wrote:
>>
>> On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang <geraint0923 at gmail.com>
>> wrote:
>> > Hi,
>> > Thank all of you for helping me with my problem!
>> > I don't want to modify my kernel source, so I am trying to learn to use
>> > the LSM
>> > security hooks; even though it seems that they can't hook all the system
>> > calls, I think it should be enough for me.
>> > Thanks again!
>>
>> I know that AppArmor can hook syscalls like read, write and memory
>> mapping and can deny or accept them. I am not sure if you can make it
>> do something else when hooked, but I know it has a script-like
>> configuration, so maybe you can take some other actions.
>
>

If you can hook the system calls, you could try KProbes, which is a dynamic
instrumentation mechanism used in the Linux kernel.
You could use a JProbe to "capture" the function parameters of the
instrumented function.

If you have KProbes in your kernel, you can create a module to
instrument the syscall that you want.
Maybe it can be a starting point for you ...

Other projects that use KProbes are DProbes and SystemTap; you can
also give them a look.

>
> --
> Geraint Yang
> Tsinghua University Department of Computer Science and Technology
>
>

-- 
Nuno Martins
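As an added example (not part of the thread above), the syscall instrumentation Nuno suggests, written as a SystemTap script on top of the kprobes-backed syscall tapset instead of a hand-written kprobe module: it logs every open()/openat() call with its arguments and, after a fixed window, prints the processes that opened the most files. The probe names and tapset variables (name, argstr, execname(), pid(), target()) are SystemTap's own; the ten-second window and the choice of open/openat are assumptions made for this example.

```systemtap
#!/usr/bin/stap
# Added example: observe open()/openat() syscalls via SystemTap, which
# places kprobes on the syscall entry points for you.
# Run as root:  stap open-watch.stp          (all processes)
#               stap -x PID open-watch.stp   (one process only)

global opens   # opens[execname, pid] -> number of open calls seen

# syscall.open / syscall.openat are tapset probes backed by kprobes;
# 'name' is the syscall name and 'argstr' its formatted argument list.
probe syscall.open, syscall.openat {
    # With 'stap -x PID' target() is that PID; otherwise it is 0.
    if (target() != 0 && pid() != target()) next
    opens[execname(), pid()]++
    printf("%s[%d] %s(%s)\n", execname(), pid(), name, argstr)
}

# Summarize after a fixed window (assumption: 10 seconds) and stop.
probe timer.s(10) {
    printf("\n%-20s %6s %s\n", "COMM", "PID", "OPENS")
    # 'opens-' iterates in descending order of the stored count.
    foreach ([comm, p] in opens- limit 10)
        printf("%-20s %6d %d\n", comm, p, opens[comm, p])
    exit()
}
```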


