Re: How to hook the system call?


On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang <geraint0923@xxxxxxxxx> wrote:
> Hi,
> I have tried the LSM framework,but when I make my module , I got
> "waining:'register_security' undefined", then I check security/security.c
> and found out that register_security is not exported ! So if I want to use
> this function ,I must hack kernel by exporting and recompiling kernel which
> is allowed for me.
> So ...well, it seems that LSM doesn't work for module without modifying the
> kernel source.
> On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu <alex.juncu@xxxxxxxxxx>
> wrote:
>> On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang <geraint0923@xxxxxxxxx>
>> wrote:
>> > Hi,
>> > Thank all of you for helping me with my problem!
>> > I don't want to modify my kernel source so I am trying to learn to use
>> > the LSM
>> > security hooks; even though it seems that they can't hook all the system
>> > calls, I think it should be enough for me.
>> > Thanks again!
>> I know that AppArmor can hook syscalls like read, write and memory
>> mapping and can deny or accept them. I am not sure if you can make it
>> do something else when hooked, but I know it has a script-like
>> configuration, so maybe you can take some other actions.

If you want to hook the system calls, you could try KProbes; it is a dynamic
instrumentation framework used in the Linux kernel.
You could use a JProbe to "capture" the function parameters of the
instrumented function.

If you have KProbes in your kernel, you can create a module to
instrument the syscall that you want.
Maybe it can be a starting point for you ...

Other projects that use KProbes are DProbes and SystemTap; you can
also give them a look.

> --
> Geraint Yang
> Tsinghua University Department of Computer Science and Technology
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies@xxxxxxxxxxxxxxxxx

Nuno Martins
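As an added illustration of the KProbes route suggested above (this is not code from the thread or from any of its participants), the following SystemTap script instruments the openat() system call without touching the kernel source. SystemTap compiles the script into a kernel module that attaches KProbes to the syscall entry and return, so it shows what Nuno's "create a module to instrument the syscall" looks like in practice. It assumes stap and the matching kernel debuginfo/tapsets are installed; the "/etc/" prefix it watches and the 10-second run time are constructed values for the demo.

```systemtap
#!/usr/bin/env stap
# Added example, not part of the mailing-list thread: trace openat() via
# SystemTap (which places KProbes on the syscall for you). Assumes the
# syscall tapset is available; the watched prefix is a constructed value.

global opens                 # per-executable count of openat() calls
global watched = "/etc/"     # constructed: log opens under this prefix

# Entry probe: fires on every openat() call, with the decoded arguments
# supplied by the tapset (filename, flags_str).
probe syscall.openat {
    opens[execname()] <<< 1
    if (substr(filename, 0, strlen(watched)) == watched)
        printf("%s(%d) openat(%s, flags=%s)\n",
               execname(), pid(), filename, flags_str)
}

# Return probe: report failed opens, which is often the more interesting
# signal when auditing what a process tries to reach.
probe syscall.openat.return {
    if (retval < 0)
        printf("%s(%d) openat failed: %s\n",
               execname(), pid(), errno_str(retval))
}

# Stop after 10 seconds (constructed limit for the demo).
probe timer.s(10) { exit() }

# Summary on exit: the ten busiest executables by openat() count.
probe end {
    printf("\n%-20s %s\n", "EXEC", "openat() calls")
    foreach (name in opens- limit 10)
        printf("%-20s %d\n", name, @count(opens[name]))
}
```

Run it as root with `stap -v openat_trace.stp`. Because the probe points are resolved by the tapset rather than hard-coded symbol names, the same script works across kernel versions where a hand-written JProbe module would need its handler signature adjusted; the entry/return pair also demonstrates the two halves a KProbe-based module would implement itself with a pre-handler and a kretprobe.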
