Keeping track of called syscalls in real-time
W. Michael Petullo
mike at flyn.org
Wed Jun 28 20:49:59 EDT 2017
> Whenever fopen("/etc/shadow", "r") is called, the tool would intercept
> it, run the verify() procedure, and return back to the syscall, allowing
> it to do its job.
This sounds like an LSM, possibly with a component which communicates
with userspace, depending on how sophisticated "verify" needs to be.
We've also done some very early work in trying to do this type of thing
from a hypervisor. See:
https://www.flyn.org/projects/VisorFlow/
--
Mike
:wq
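The intercept-verify-resume shape described in the quoted question (block the open of /etc/shadow, run verify(), then let the syscall continue), as an added example that is not from this thread or from VisorFlow: rather than an in-kernel LSM hook it uses fanotify permission events, the stock Linux facility for letting a userspace component decide an open() while the caller is blocked. Assumes Linux with CAP_SYS_ADMIN; verify_open() and its allow-list are a constructed placeholder policy, not a recommended one.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#define WATCHED "/etc/shadow"
/* The verify() placeholder from the question. Constructed policy: only a short
 * allow-list of programs (matched by comm name) may open the guarded file. */
unsigned int verify_open(const char *path, const char *comm)
{
    static const char *allowed[] = { "login", "sshd", "passwd", "su" };
    if (strcmp(path, WATCHED) != 0)
        return FAN_ALLOW;                        /* not the guarded file */
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcmp(comm, allowed[i]) == 0)
            return FAN_ALLOW;
    return FAN_DENY;
}
/* Name of the process that issued the open(), from /proc/<pid>/comm. */
static void opener_comm(int pid, char *comm, size_t len)
{
    char p[32];
    snprintf(p, sizeof p, "/proc/%d/comm", pid);
    FILE *f = fopen(p, "r");
    if (!f || !fgets(comm, (int)len, f)) strcpy(comm, "?");
    comm[strcspn(comm, "\n")] = '\0';
    if (f) fclose(f);
}
int main(void)
{
    /* FAN_CLASS_CONTENT: each open() blocks until we write back ALLOW/DENY. */
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, WATCHED) < 0)
        return perror("fanotify setup (needs CAP_SYS_ADMIN)"), 1;
    char buf[4096], link[32], path[4096], comm[32];
    for (ssize_t len; (len = read(fan, buf, sizeof buf)) > 0; ) {
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            snprintf(link, sizeof link, "/proc/self/fd/%d", m->fd);
            ssize_t n = readlink(link, path, sizeof path - 1); path[n > 0 ? n : 0] = '\0';
            opener_comm((int)m->pid, comm, sizeof comm);     /* who is opening it */
            struct fanotify_response r = { m->fd, verify_open(path, comm) };
            printf("%s by %s -> %s\n", path, comm, r.response == FAN_ALLOW ? "allow" : "deny");
            if (write(fan, &r, sizeof r) < 0) perror("respond"); /* kernel resumes the open() */
            close(m->fd);
        }
    }
    return 0;
}
```

Run it as root in one terminal and `cat /etc/shadow` in another: the cat blocks until the response is written, then fails with EPERM because "cat" is not on the allow-list.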