Keeping track of called syscalls in real-time
Ben Mezger
su at seds.nl
Wed Jun 28 18:06:56 EDT 2017
I'm actually formulating my thesis project. I am looking for a way to
intercept system calls (those chosen by the users), where I can keep
track of what syscall has been called and by whom.
A big picture of the _main_ idea of interception would be: Application
called a syscall -> Intercept and delay call -> do something before the
call -> return back to the syscall.
By real-time I mean as soon as an application calls a syscall (e.g.
fopen), I could then receive a reply from the kernel informing me X
called fopen, where X could be a pid or whatever.
> Have you looked at the syscall audit facility?
I have not. Are you talking about auditctl?
On 06/28/2017 06:19 PM, valdis.kletnieks at vt.edu wrote:
> On Wed, 28 Jun 2017 17:48:15 -0300, Ben Mezger said:
>> Can the kernel keep track of all the system calls that were called by an
>> application/module in real-time?
>> I know I can statically use strace, or even gdb, but I am looking for a
>> solution in real time when the application/module is already running and
>> the user has no control over it.
>
> What actual problem are you trying to solve by having the information?
>
> How "real-time" does it have to be?
>
> Have you looked at the syscall audit facility?
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
--
- seds
~> https://seds.nl
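The "intercept and delay the call -> do something before the call -> return back to the syscall" loop described above, as an added example that is not code from the post or from the Kernelnewbies thread. It uses ptrace: the tracer resumes the tracee with PTRACE_SYSCALL, so the tracee stops at the entry of every syscall; at each entry stop the tracer reads the syscall number, and if it is one of the chosen numbers it runs a hook with the pid while the tracee is still stopped, then lets the syscall proceed. Assumptions: Linux on x86_64 or aarch64 (the syscall-number register is read for those two), the workload in the child (one openat, two writes) is a constructed stand-in for the "application", and the child is started under PTRACE_TRACEME for simplicity; attaching to a process that is already running would use PTRACE_ATTACH or PTRACE_SEIZE on its pid instead, subject to the kernel's ptrace access rules.

```c
/* Added example (not from the post): ptrace-based interception of chosen
 * syscalls. Linux only; x86_64 and aarch64 register layouts are handled. */
#define _GNU_SOURCE
#include <elf.h>          /* NT_PRSTATUS */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hook run in the tracer while the tracee is stopped at syscall entry. */
typedef void (*hook_fn)(pid_t pid, long nr, void *arg);

/* Syscall number of the tracee; only meaningful at a syscall-enter stop. */
static long current_syscall_nr(pid_t pid)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;       /* rax itself holds -ENOSYS at entry */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];        /* x8 carries the syscall number */
#else
#error "add the syscall-number register for this architecture"
#endif
}

/* Trace `child` (stopped after PTRACE_TRACEME + raise(SIGSTOP)) until it exits.
 * Before each syscall whose number is in `chosen`, call `hook`; the tracee
 * stays stopped for as long as the hook runs, then the syscall continues.
 * Returns the number of hook invocations, or -1 on error. */
static long trace_chosen(pid_t child, const long *chosen, size_t n_chosen,
                         hook_fn hook, void *arg)
{
    int status, sig = 0, in_syscall = 0;
    long hits = 0;

    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                    /* the initial SIGSTOP */
    /* mark syscall stops as SIGTRAP|0x80 so real signals can be told apart */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL,
               (void *)(long)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;

    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) == -1)
            return -1;
        sig = 0;
        if (waitpid(child, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);   /* ordinary signal: deliver it on resume */
            continue;
        }
        in_syscall = !in_syscall;     /* enter and exit stops alternate */
        if (!in_syscall)
            continue;                 /* exit stop: nothing to do here */
        long nr = current_syscall_nr(child);
        for (size_t i = 0; i < n_chosen; i++) {
            if (chosen[i] == nr) {
                hook(child, nr, arg); /* runs before the kernel executes the call */
                hits++;
                break;
            }
        }
    }
    return hits;
}

/* Constructed workload standing in for the traced application:
 * exactly one openat and two writes (plus whatever libc does around them). */
static pid_t spawn_traced_workload(void)
{
    pid_t pid = fork();
    if (pid != 0)
        return pid;                   /* parent, or -1 on failure */
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(111);
    raise(SIGSTOP);                   /* let the tracer set options first */
    int fd = openat(AT_FDCWD, "/dev/null", O_WRONLY);
    if (fd == -1)
        _exit(112);
    if (write(fd, "a", 1) != 1 || write(fd, "b", 1) != 1)
        _exit(113);
    close(fd);
    _exit(0);
}

struct hit_log { long n_openat, n_write, n_other; };

/* Hook: record who called what, which is the "reply" the post asks for. */
static void record_hit(pid_t pid, long nr, void *arg)
{
    struct hit_log *log = arg;
    if (nr == SYS_openat)      log->n_openat++;
    else if (nr == SYS_write)  log->n_write++;
    else                       log->n_other++;
    fprintf(stderr, "pid %d is about to enter syscall %ld\n", (int)pid, nr);
}

/* Runs the whole demonstration; returns hook invocations (3 expected). */
long run_demo(struct hit_log *log)
{
    const long chosen[] = { SYS_openat, SYS_write };
    memset(log, 0, sizeof *log);
    pid_t child = spawn_traced_workload();
    if (child == -1)
        return -1;
    return trace_chosen(child, chosen, 2, record_hit, log);
}

int main(void)
{
    struct hit_log log;
    long n = run_demo(&log);
    if (n < 0) {
        fprintf(stderr, "tracing failed (is ptrace permitted here?)\n");
        return 1;
    }
    printf("hooked %ld chosen syscalls (openat=%ld, write=%ld)\n",
           n, log.n_openat, log.n_write);
    return n == 3 ? 0 : 1;
}
```

The audit facility Valdis points at is the other route: a rule such as `auditctl -a always,exit -F arch=b64 -S openat -k mythesis` makes the kernel emit a SYSCALL record (pid, uid, comm, syscall number, exit status) for every openat, which auditd or a dispatcher plugin can consume as it arrives. The difference from the ptrace loop above is that audit records the call at syscall exit and cannot hold the call up or act before it runs, whereas the tracer above has the application stopped at entry for as long as the hook takes.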