<div dir="ltr">Actually, I've been given an assignment to write a kernel module such that whenever a certain system call (e.g. open()) is executed, the control should come to my new module; then it will do some processing on the parameters and then call the actual syscall function (sys_open()).<div>I only found the way of intercepting 'sys_call_table'. I know this kind of hacking is probably not a good idea.</div><div>Can you suggest any alternative way?</div><div>I would really appreciate.</div><div><br></div><div>Thanks,</div><div>Ajinkya.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jul 8, 2017 at 7:43 PM, Greg KH <span dir="ltr"><<a href="mailto:greg@kroah.com" target="_blank">greg@kroah.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:<br>
> Hi guys,<br>
><br>
> I'm new to kernelnewbies and this is my first question in the list.<br>
><br>
><br>
> I'm working on system call interception (for open() system call) and I got one<br>
> problem: I have two kernel modules (mod1 and mod2) and both of them are trying<br>
> to intercept open() syscall. I've loaded mod1 first and then mod2.<br>
> The mod1 intercepted open() <wbr>by:<br>
><br>
> original_open1 = sys_call_table[__NR_open];<br>
> sys_call_table[__NR_open] = mod1_open;<br>
><br>
> Here original_open1 would be sys_open. After this, mod2 intercepted open() <wbr>by:<br>
><br>
> original_open2 = sys_call_table[__NR_open];<br>
> sys_call_table[__NR_open] = mod2_open;<br>
<br>
</span>Eeek! First of, don't do this, you are seeing why you should not do<br>
this already, no need to have to explain in detail why this is a bad<br>
thing :)<br>
<span class=""><br>
><br>
> problem is: Suppose I unload mod1 first and open() system call gets executed,<br>
> then mod2_open() would get called, which ultimately calls mod1_open().<br>
><br>
> Since mod1 is already unloaded, calling mod1_open() caused panic (since the<br>
> function pointer is no longer a valid memory region).<br>
><br>
> I need some mechanism to avoid this problem. Basically, I want a solution which<br>
> facilitates loading/unloading the modules (which intercept same syscall) in any<br>
> random order without causing any panic.<br>
<br>
</span>Why doy ou feel you wish to grab the system call in the first place?<br>
What problem are you trying to solve where this is the only solution?<br>
<span class=""><br>
> Is there some kind of facility such that while unloading the module (`mod2`<br>
> here), the module will broadcast the message to all other modules that it's<br>
> being unloaded and instead of refering to `original_open2()` the other modules<br>
> should use `original_open1()`.<br>
<br>
</span>Nope, don't try to grab syscalls, it's a bad idea, and you get to keep<br>
the pieces your kernel will be in when things die (and they will die...)<br>
<br>
sorry,<br>
<br>
greg k-h<br>
</blockquote></div><br></div>