how to get filename of execve() system call from kernel module which installs a hook into the syscall table to intercept the original syscall in kernels before 4.2 and after 4.2 ? X86_64

valdis.kletnieks at vt.edu valdis.kletnieks at vt.edu
Tue Mar 7 15:00:15 EST 2017


On Tue, 07 Mar 2017 20:22:33 +0100, Greg KH said:
> On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote:

> Why do you want to hook a syscall?  that's a very complex, and broken,
> and ill-advised thing to do.  Please don't do that.
>
> What problem are you trying to solve here that led you to think that
> putting a syscall hook in is a good solution?

To expand on that - most cases where you want to hook execve() to get
the filename should *already* be doable via the LSM (Linux Security Module)
interface.

If you're just doing a chainsaw patch that won't be distributed, a good
starting point is to just add to security/yama/yama_lsm.c (all that does
currently is mediate calls to ptrace()).  If you're trying to build an
entirely new LSM, the Yama code is a good framework to copy...
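As an added illustration of the LSM route Valdis points to (this is not code from the thread or from the kernel tree), below is the shape of a bprm_check_security hook, the LSM hook that runs for every execve() and receives the resolved filename in bprm->filename. It targets the post-4.2 hook-list API that security/yama/yama_lsm.c uses (LSM_HOOK_INIT plus security_add_hooks); the two-argument security_add_hooks() form is assumed for 4.2 through 4.11, since later kernels add the LSM name as a third argument. The names execlog_* and the allow-list of trusted directories are constructed for the example. The policy decision is kept in a plain C function outside the #ifdef __KERNEL__ region so it can be compiled and tested on the host without a kernel tree.

```c
/*
 * Added example: an observe-only LSM hook that reports execve() of paths
 * outside a constructed allow-list. Only the #ifdef __KERNEL__ block
 * depends on the kernel; everything else builds as ordinary user-space C.
 */
#include <stddef.h>
#include <string.h>

/* Constructed allow-list of directories (assumption for the example). */
static const char *const trusted_prefixes[] = {
    "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/",
};

/*
 * Returns 1 when `filename` is an absolute path under one of the trusted
 * directories, 0 otherwise. A bare directory ("/bin/"), a relative path,
 * or a NULL pointer is never trusted.
 */
int exec_path_is_trusted(const char *filename)
{
    size_t i;

    if (filename == NULL || filename[0] != '/')
        return 0;

    for (i = 0; i < sizeof(trusted_prefixes) / sizeof(trusted_prefixes[0]); i++) {
        size_t n = strlen(trusted_prefixes[i]);

        if (strncmp(filename, trusted_prefixes[i], n) == 0 && filename[n] != '\0')
            return 1;
    }
    return 0;
}

#ifdef __KERNEL__
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/binfmts.h>
#include <linux/lsm_hooks.h>
#include <linux/printk.h>
#include <linux/sched.h>

/*
 * Called once the new image has been opened but before it replaces the
 * calling process; bprm->filename is the path handed to execve(), which
 * is exactly what a syscall-table hook would have to dig out by hand.
 */
static int execlog_bprm_check_security(struct linux_binprm *bprm)
{
    if (!exec_path_is_trusted(bprm->filename))
        pr_notice("execlog: pid %d (%s) executes untrusted path %s\n",
                  task_pid_nr(current), current->comm, bprm->filename);

    /* Observe only. Returning -EPERM here would deny the exec instead. */
    return 0;
}

static struct security_hook_list execlog_hooks[] = {
    LSM_HOOK_INIT(bprm_check_security, execlog_bprm_check_security),
};

/*
 * Registration happens at boot from the kernel's security_init() path,
 * not from a loadable module, which is why this is a tree patch rather
 * than a .ko. Two-argument form assumed for 4.2 through 4.11; 4.12 and
 * later add the LSM name as a third argument.
 */
void __init execlog_add_hooks(void)
{
    security_add_hooks(execlog_hooks, ARRAY_SIZE(execlog_hooks));
}
#endif /* __KERNEL__ */
```

The split between the pure decision function and the hook is deliberate: the part that can go wrong in interesting ways (prefix matching, NULL and relative paths) is exercised on the host, while the kernel-side code stays small enough to review by eye, which is what you want from a non-distributed "chainsaw" patch dropped into the Yama file.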