Query regarding kernel modules intercepting system call.

Ajinkya Surnis surnisaa at gmail.com
Sat Jul 8 10:23:31 EDT 2017


Actually, I've been given an assignment to write a kernel module such that
whenever a certain system call (e.g. open()) is executed, the control
should come to my new module; then it will do some processing on the
parameters and then call the actual syscall function (sys_open()).
I only found the way of intercepting 'sys_call_table'. I know this kind of
hacking is probably not a good idea.
Can you suggest any alternative way?
I would really appreciate it.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 7:43 PM, Greg KH <greg at kroah.com> wrote:

> On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> > Hi guys,
> >
> > I'm new to kernelnewbies and this is my first question in the list.
> >
> >
> > I'm working on system call interception (for open() system call) and I got one
> > problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> > to intercept open() syscall. I've loaded mod1 first and then mod2.
> > The mod1 intercepted open() by:
> >
> > original_open1 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod1_open;
> >
> > Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
> >
> > original_open2 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod2_open;
>
> Eeek!  First off, don't do this, you are seeing why you should not do
> this already, no need to have to explain in detail why this is a bad
> thing :)
>
> >
> > problem is: Suppose I unload mod1 first and open() system call gets executed,
> > then mod2_open() would get called, which ultimately calls mod1_open().
> >
> > Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> > function pointer is no longer a valid memory region).
> >
> > I need some mechanism to avoid this problem. Basically, I want a solution which
> > facilitates loading/unloading the modules (which intercept same syscall) in any
> > random order without causing any panic.
>
> Why do you feel you wish to grab the system call in the first place?
> What problem are you trying to solve where this is the only solution?
>
> > Is there some kind of facility such that while unloading the module (`mod2`
> > here), the module will broadcast the message to all other modules that it's
> > being unloaded and instead of referring to `original_open2()` the other modules
> > should use `original_open1()`.
>
> Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
> the pieces your kernel will be in when things die (and they will die...)
>
> sorry,
>
> greg k-h
>
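Editor's note, added after the thread and not code from either poster: the panic described above is a property of the design, not of the kernel. Each module privately saves "whatever was in the table before me" and jumps to it, so the moment one module is removed, every later module still holds a pointer into unloaded memory, and the unloading module cannot restore the table without clobbering the others. The user-space C model below reproduces that failure with a plain function pointer standing in for `sys_call_table[__NR_open]`, and then shows the structure that avoids it: a single owner of the entry point keeps a list of observers that never chain to one another, so registration and removal work in any order. This is the same shape as the kernel's own notifier chains and hook lists; all names (`real_open`, `mod1_open`, `register_observer`, ...) are hypothetical and the "modules" are simulated with flags rather than real loading.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the thread's scenario. A shared log records
 * which function ran so the two designs can be compared; names are hypothetical. */
#define MAX_HOOKS 8
#define LOG_CAP 256
static char call_log[LOG_CAP];

static void log_append(const char *s) {
    size_t used = strlen(call_log);
    snprintf(call_log + used, LOG_CAP - used, "%s;", s);
}

/* Stands in for sys_open(): the real implementation behind the entry point. */
static int real_open(const char *path) {
    log_append("real_open");
    return (int)strlen(path);          /* any deterministic result will do */
}

/* ---- Design 1: each module saves the previous pointer and chains to it ---- */
typedef int (*open_fn)(const char *);
static open_fn entry = real_open;      /* stands in for sys_call_table[__NR_open] */
static bool mod1_loaded, mod2_loaded;  /* simulate "is this module still in memory?" */
static open_fn mod1_next, mod2_next;   /* original_open1 / original_open2 in the thread */

static int mod1_open(const char *path) {
    if (!mod1_loaded) { log_append("DANGLING:mod1"); return -1; } /* in-kernel: a panic */
    log_append("mod1");
    return mod1_next(path);
}
static int mod2_open(const char *path) {
    if (!mod2_loaded) { log_append("DANGLING:mod2"); return -1; }
    log_append("mod2");
    return mod2_next(path);
}

/* Load mod1, then mod2, unload mod1 first (the thread's order), then call open(). */
int naive_unload_in_wrong_order(void) {
    call_log[0] = '\0';
    entry = real_open;
    mod1_next = entry; entry = mod1_open; mod1_loaded = true;
    mod2_next = entry; entry = mod2_open; mod2_loaded = true;
    /* mod1's exit: restore only if the table still points at us (common guard).
     * It does not, because mod2 installed itself on top, so nothing is restored
     * and mod2 still holds a pointer to the now-unloaded mod1_open. */
    if (entry == mod1_open) entry = mod1_next;
    mod1_loaded = false;
    return entry("abc");               /* mod2_open -> mod1_open -> dangling */
}

/* ---- Design 2: one owner of the entry point keeps a list of observers ---- */
typedef void (*observer_fn)(const char *);
static observer_fn hooks[MAX_HOOKS];
static int nhooks;

int register_observer(observer_fn fn) {
    if (nhooks >= MAX_HOOKS) return -1;
    hooks[nhooks++] = fn;
    return 0;
}
/* Removal compacts the list; other observers are untouched because they never
 * hold pointers to each other. */
void unregister_observer(observer_fn fn) {
    for (int i = 0; i < nhooks; i++) {
        if (hooks[i] == fn) {
            memmove(&hooks[i], &hooks[i + 1], (size_t)(nhooks - i - 1) * sizeof hooks[0]);
            nhooks--;
            return;
        }
    }
}
/* The single dispatcher: notify every observer, then call the real function. */
static int dispatch_open(const char *path) {
    for (int i = 0; i < nhooks; i++) hooks[i](path);
    return real_open(path);
}
static void obs1(const char *p) { (void)p; log_append("obs1"); }
static void obs2(const char *p) { (void)p; log_append("obs2"); }

/* Same load/unload order as above; no observer ever references another. */
int hooklist_unload_in_any_order(void) {
    call_log[0] = '\0';
    nhooks = 0;
    register_observer(obs1);
    register_observer(obs2);
    unregister_observer(obs1);         /* first-loaded removed first, as in the thread */
    return dispatch_open("abc");       /* obs2 -> real_open, result 3 */
}
const char *last_log(void) { return call_log; }
```

The point of the second design is ownership: whoever owns the entry point owns the list, and an unloading observer only ever touches its own list entry. That is why mainline facilities for observing events (notifier chains, LSM hooks, kprobes/ftrace) are managed by the kernel rather than by the modules that use them.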