On Mon, 21 Sep 2009, Jamie Lokier wrote: > I think so to, and that'd be a great all round solution. If this is for anti-malware vendors to intercept userspace accesses they're currently doing it by hacking the syscall table, why don't we offer a way to monitor syscalls (kernel side) in a non racy way? Modules can [un]register themselves for syscall intercaption, and receive the syscall number and parameters. They'd be able to change paramters, return error codes, and so on. The cost of the check in the syscall path could even be under an alternative-like patching, if really neeeded. The Pros of this would be: - The kernel code to implement this would be trivially small, with no I-need-this-feature-too growth potential - There won't be any externally visible API to maintain (and its kernel counter part) and expand - Any system call can be intercepted, allowing it to be flexible while leaving the burden of the interception handling, and communication with userspace policy enforcers, to the anti-malware (or whoever really) companies modules The anti-malware are already doing this (intercepting syscall), they already have code for it, and they always did (writing kernel modules/drivers, that is) for Windows. - Davide -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html