Query regarding kernel modules intercepting system call.

Aruna Hewapathirane aruna.hewapathirane at gmail.com
Sat Jul 8 15:36:09 EDT 2017


On Sat, Jul 8, 2017 at 2:19 PM, Ajinkya Surnis <surnisaa at gmail.com> wrote:

> Hello Aruna,
>
> Thanks a lot for your help.
>

You're welcome, and it is advisable not to top post when replying. Since you're
new this is to be expected.
But in future please do not; it will likely upset a lot of folks here who have
the experience and knowledge to help you.
You need them, I need them, so best never again to top post.


> I'm aware that a single kernel module will accomplish syscall interception.
> In fact, I submitted my solution to the interviewers. Here's my source
> code:
>
> https://github.com/Ajinkya-Veritas/Test-Module/blob/master/testmod.c
>
> However, the interviewer had done a weird scenario where he created two
> modules from same code.
> (mod1 and mod2) So obviously, they would intercept same system call.
> After loading those modules and unloading them in same order caused panic,
> which I described in detail
> initially.
> My goal is to avoid panic, but couldn't find out how.
>

It is difficult to provide guidance without actually looking at the two
'weird' modules but what I would do is

EXPORT_SYMBOL(check_if_original_mod1_is_loaded) then test against that ?

If it is available you use original_open2 if not available you fall back to
open1 ?

This may not be the correct way or the Linux way, but if it works why not? You
can always ask here again... why not post the two modules and see if
someone can identify where and what is causing the kernel to panic?

I would also get on IRC and join #kernelnewbies, you get real time answers
most times and you get access to some of the most experienced folks there.
Who believe it or not are extremely patient and helpful with newbies :)


>
> Thanks,
> Ajinkya.
>
>
> On Sat, Jul 8, 2017 at 11:36 PM, Aruna Hewapathirane <
> aruna.hewapathirane at gmail.com> wrote:
>
>> Hello Ajinkya,
>>
>> On Sat, Jul 8, 2017 at 12:14 PM, Greg KH <greg at kroah.com> wrote:
>>
>>> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>>> > Actually, this is not a college assignment. I'm a professional software
>>> > engineer who is completely new to kernel programming.
>>>
>>
>> Welcome to the world of kernel hacking and speaking the 'truth' and being
>> 'honest'
>> does have its benefits as you will see soon :)
>>
>>
>>> > I recently gave an interview to one cloud security firm. The
>>> interviewer gave
>>> > me this particular assignment, since this kind of functionality is
>>> needed in
>>> > their software.
>>>
>>
>> Wish you good luck with the job !
>>
>>
>>> > Now I'm aware that the approach I have (syscall interception) is wrong.
>>> > But I also need to find out alternate mechanism to achieve my goal.
>>> > I searched really hard, but got nothing.
>>>
>>
>> Go through the link below very carefully, you do not require two modules.
>> One single module
>> that intercepts a syscall and does what you have to do.. please do pay
>> careful attention to the comments
>> within the code!
>>
>> https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c
>>
>>
>>>
>>> So it's a programming test to get a job?  That's worse than trying to
>>> cheat on an exam, as it would mean that I pass the test, not you :(
>>>
>>
>> Though I agree 110% with gregkh 'I' also have been where Ajinkya is
>> coming from so many times.
>> I have been there, done that too many times to walk away now so.. I
>> understand the man's pain and frustration.
>> So against my better judgement I have given him something that, if he studies
>> it carefully, will help him to do what it is he must.
>>
>>>
>>> good luck!
>>>
>>> greg k-h
>>>
>>>
>> Greg, he told us the plain truth and all he wants is some guidance. If I
>> am out of line you can bust me as usual on IRC! How does telling the simple
>> and plain 'truth' equate to 'cheating'? Duhh...
>>
>> Good luck, hope this helps - Aruna
>>
>>
>>
>>
>>
>>
>>
>
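
The scenario quoted above (two modules built from the same hooking code, loaded and then unloaded in the same order) can be reproduced as a userspace model. This is an added example, not code from the thread or from either poster's module; `slot`, `mod1`, `mod2`, `run` and the `checked` unload path are names and behaviour assumed for illustration.

```c
/* Userspace model (constructed): one syscall-table slot, two hooking "modules". */
#include <stdbool.h>
#include <stdio.h>

typedef long (*open_fn)(const char *path);
struct mod { open_fn hook; open_fn saved; bool loaded; };

static long real_open(const char *p) { (void)p; return 3; }
static long hook1(const char *p);
static long hook2(const char *p);

static open_fn slot = real_open;          /* stands in for the table entry */
static struct mod mod1 = { hook1, NULL, false };
static struct mod mod2 = { hook2, NULL, false };

/* Each hook forwards to whatever its module found in the slot at load time. */
static long hook1(const char *p) { return mod1.saved(p); }
static long hook2(const char *p) { return mod2.saved(p); }

static void load(struct mod *m) { m->saved = slot; slot = m->hook; m->loaded = true; }

/* Unchecked: blindly write back the pointer saved at load time.
 * Checked (assumed variant): refuse if another hook sits on top of ours. */
static bool unload(struct mod *m, bool checked)
{
    if (checked && slot != m->hook)
        return false;                     /* module stays resident in the model */
    slot = m->saved;
    m->loaded = false;
    return true;
}

/* True when the slot points at a handler whose module is no longer loaded. */
static bool slot_dangling(void)
{
    return (slot == hook1 && !mod1.loaded) || (slot == hook2 && !mod2.loaded);
}

/* Load mod1 then mod2, unload in the chosen order, report the final state. */
static bool run(bool same_order, bool checked)
{
    slot = real_open; mod1.loaded = mod2.loaded = false;
    load(&mod1); load(&mod2);
    if (same_order) { unload(&mod1, checked); unload(&mod2, checked); }
    else            { unload(&mod2, checked); unload(&mod1, checked); }
    return slot_dangling();
}

int main(void)
{
    printf("load-order unload, unchecked: dangling=%d\n", run(true, false));
    printf("reverse unload, unchecked:    dangling=%d\n", run(false, false));
    printf("load-order unload, checked:   dangling=%d\n", run(true, true));
    return 0;
}
```

In the unchecked load-order case the second unload writes back a pointer to the first module's handler after that module has gone, which in a real kernel is freed module text.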