For auditing purposes, I need to intercept/hook the open/read/write system calls.
I tried with the sample program below. When I insmod the module that was built, my system hung. After some research I came to know that we cannot modify the system call table as it is read-only.

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>   /* __NR_open */
void **sys_call_table;
asmlinkage int (*original_call) (const char*, int, int);
asmlinkage int our_sys_open(const char* file, int flags, int mode) {
    printk(KERN_INFO "A file was opened\n");
    return original_call(file, flags, mode);
}
int init_module(void) {
    // sys_call_table address in System.map
    sys_call_table = (void*)0xc061e4e0;
    original_call = sys_call_table[__NR_open];
    sys_call_table[__NR_open] = our_sys_open;
    return 0;
}
void cleanup_module(void) {
    // Restore the original call
    sys_call_table[__NR_open] = original_call;
}

I lack knowledge of kernel development. Could somebody help me out here?
I'm working on a RHEL-5 machine with Linux kernel version 2.6.18.
Thanks & Regards,
Kernelnewbies mailing list