how to get the filename of the execve() system call from a kernel module which installs a hook into the syscall table to intercept the original syscall, in kernels before 4.2 and after 4.2 ? X86_64

Greg KH greg at kroah.com
Wed Mar 8 07:33:20 EST 2017


On Wed, Mar 08, 2017 at 03:20:57PM +0300, Lev Olshvang wrote:
> Hi Greg,
>  
> Thank you for a prompt reply. My intention is to build some heuristics for
> intrusion detection of embedded systems based on the sequence of syscalls.
> I am collecting syscall events and sending them with netlink to my monitor.
> Since the platform may use SELinux or another LSM, I thought the syscall hook is
> the only point I can use to catch syscalls.
>  
> Is it wrong direction ?

Yes it is, please use the audit subsystem for something like that, it is
exactly what it was designed and built for.  You can do everything you
want to from userspace.

> I was googling and reading kernel git logs trying to find out why execve,
> clone and fork use assembly glue code instead of calling sys_execve like other
> syscalls.
> Can you give me some point where to look?

Nope, don't mess with that :)

good luck!

greg k-h
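A worked illustration of Greg's advice, added here and not part of the thread: the filename, argv and per-process syscall sequence Lev is after can be taken from the audit subsystem entirely in userspace. The example assumes a rule like `auditctl -a always,exit -F arch=b64 -S execve,execveat,openat -k seq_monitor` has been loaded as root and that the records come from /var/log/audit/audit.log or an audisp plugin; the log lines embedded below are constructed for the example, and the x86_64 syscall number table is limited to the calls the thread mentions.

```python
"""Extract execve() events from Linux audit records in userspace (added example).

Assumed rule (root):  auditctl -a always,exit -F arch=b64 -S execve,execveat,openat -k seq_monitor
The SAMPLE_LOG lines are constructed for this example, not captured from a system.
"""
import os
import re
from collections import defaultdict

# SYSCALL records carry the number, not the name; x86_64 values (arch=c000003e).
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {56: "clone", 57: "fork", 58: "vfork", 59: "execve",
                   257: "openat", 322: "execveat"}

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')

def decode_string(raw):
    """audit prints a safe string as "..." but hex-encodes (without quotes) any
    string holding a space, a double quote or a control byte; undo both forms."""
    if raw is None:
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. (null)

def build_event(records):
    """Fold the records sharing one audit serial into a single event dict."""
    ev, argv, paths, cwd = None, {}, {}, None
    for rtype, ts, f in records:
        if rtype == "SYSCALL":
            nr = int(f["syscall"])
            name = (X86_64_SYSCALLS.get(nr, "nr%d" % nr) if f.get("arch") == X86_64_ARCH
                    else "arch%s:nr%d" % (f.get("arch"), nr))
            # exe= is taken at syscall exit, so a successful execve already shows the new image.
            ev = {"ts": float(ts), "pid": int(f["pid"]), "ppid": int(f.get("ppid", 0)),
                  "syscall": name, "success": f.get("success") == "yes",
                  "exe": decode_string(f.get("exe")), "comm": decode_string(f.get("comm"))}
        elif rtype == "EXECVE":  # one aN field per argv element
            for k, v in f.items():
                if k[0] == "a" and k[1:].isdigit():
                    argv[int(k[1:])] = decode_string(v)
        elif rtype == "PATH":    # item=0 is the pathname exactly as the caller passed it
            paths[int(f["item"])] = decode_string(f["name"])
        elif rtype == "CWD":
            cwd = decode_string(f["cwd"])
    if ev is None:
        return None
    ev["argv"] = [argv[i] for i in sorted(argv)]
    ev["cwd"] = cwd
    filename = paths.get(0)
    if filename and cwd and not filename.startswith("/"):  # resolve a relative exec path
        filename = os.path.normpath(os.path.join(cwd, filename))
    ev["filename"] = filename
    return ev

def parse_audit_log(lines):
    """Group raw records by serial (one syscall = several records) and build events."""
    groups, order = defaultdict(list), []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        serial = m.group("serial")
        if serial not in groups:
            order.append(serial)
        groups[serial].append((m.group("type"), m.group("ts"), dict(FIELD_RE.findall(m.group("body")))))
    return [ev for ev in (build_event(groups[s]) for s in order) if ev]

def syscall_sequence(events, pid):
    """The per-process syscall name sequence an IDS heuristic would consume."""
    return [ev["syscall"] for ev in events if ev["pid"] == pid]

# Constructed sample: `ls -la` from /home/lev, its first openat, then a script run
# by a relative path containing a space (which audit hex-encodes) with argv "hello world".
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1488971600.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d8c3b2f2a0 a1=55d8c3b2f3c0 a2=55d8c3b30f90 a3=8 items=2 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="seq_monitor"',
    'type=EXECVE msg=audit(1488971600.123:4567): argc=2 a0="ls" a1="-la"',
    'type=CWD msg=audit(1488971600.123:4567): cwd="/home/lev"',
    'type=PATH msg=audit(1488971600.123:4567): item=0 name="/usr/bin/ls" inode=1311 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1488971600.123:4567): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2600 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1488971600.125:4568): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f1e4c0e8a90 a2=80000 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm="ls" exe="/usr/bin/ls" key="seq_monitor"',
    'type=CWD msg=audit(1488971600.125:4568): cwd="/home/lev"',
    'type=PATH msg=audit(1488971600.125:4568): item=0 name="/etc/ld.so.cache" inode=9001 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1488971601.004:4570): arch=c000003e syscall=59 success=yes exit=0 a0=55a1c0d0e0f0 a1=55a1c0d0e200 a2=55a1c0d0f400 a3=8 items=2 ppid=1234 pid=1300 auid=1000 uid=1000 gid=1000 tty=pts0 ses=1 comm=72756E206D652E7368 exe="/bin/sh" key="seq_monitor"',
    'type=EXECVE msg=audit(1488971601.004:4570): argc=2 a0=2E2F72756E206D652E7368 a1=68656C6C6F20776F726C64',
    'type=CWD msg=audit(1488971601.004:4570): cwd="/home/lev/proj"',
    'type=PATH msg=audit(1488971601.004:4570): item=0 name=2E2F72756E206D652E7368 inode=4242 dev=fd:01 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1488971601.004:4570): item=1 name="/bin/sh" inode=77 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for e in evs:
        print(e["pid"], e["syscall"], e["filename"], e["argv"])
    print("pid 1235 sequence:", syscall_sequence(evs, 1235))
```

Two things worth noting when feeding this to an IDS heuristic: the hex form is the one most home-grown parsers get wrong, and it is exactly what an attacker can trigger by putting a space in a path, so decode it rather than pattern-match on the raw field; and on a busy box audit can drop records under backlog pressure (auditctl -b / the lost counter in `auditctl -s`), so the sequence a monitor sees is not guaranteed complete.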
