Re: sys_execve

On Fri, Sep 14, 2001 at 02:52:17AM -0000, ashahab@bii-sg.org wrote:

> 
> I'm trying to write a Loadable Kernel Module for linux 2.4 that would log
> info of the calling process/user every time an execve is called.  I got some
> info about this from the web but it seems that the code doesn't work for
> linux 2.4.

First, why bother? There are at least two existing already. Look for syscalltracker
on sourceforge.

I don't know where you got your info, it is totally wrong.

> int my_execve(const char *filename, const char *argv[], const char *envp[])
> {
>     long __res = 0;
>     __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve), "b"((long) (filename)), "c"((long) (argv)), "d"((long) (envp)));

This is wrong; you shouldn't be calling 0x80 again. Just call the overloaded original call again.

Additionally, this is not what sys_execve looks like in the kernel. Check the kernel source.

>     return (int) __res;
> }
> 
> int wrapped_execve( const char *filename, const char *argv[], const char *envp[])

but your real problem here is that sys_execve is not trivially overloadable as it directly
affects saved registers on the stack, rather than going through pointers or whatever. You
must instead replicate the code of sys_execve() and call do_execve() from your module.

Again, check existing code.

Note that you must also bump module counts to prevent unloading of the module at the wrong time
(and even this is unsafe on SMP).

regards
john

-- 
"Who can afford to do professional work for nothing ? What hobbyist can put
3-man years into programming, finding all bugs, documenting his product and
distribute for free ?"
	- Bill Gates
-
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
IRC Channel:   irc.openprojects.net / #kernelnewbies
Web Page:      http://www.kernelnewbies.org/
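To make the point about sys_execve's calling convention concrete, here is an added user-space mock (not code from this thread or from the kernel) of the 2.4 i386 path: the handler receives the saved register frame by value and reads the user's three arguments from ebx/ecx/edx, so a logging replacement must take `struct pt_regs` and hand those values to do_execve(). The trimmed `struct pt_regs`, `current_task`, `do_execve_mock` and `simulate_execve_call` are assumed stand-ins for the real kernel pieces.

```c
#include <stdio.h>
#include <string.h>
/* Constructed mock of the 2.4 x86 saved-register frame. Field order follows
 * the leading fields of the real struct pt_regs (asm/ptrace.h); only what the
 * example reads is modelled. */
struct pt_regs {
    long ebx, ecx, edx, esi, edi, ebp, eax;
};

/* Mock of the fields of `current` the logger reports (assumed, not kernel). */
struct task_mock { int pid; int uid; const char *comm; };
static struct task_mock current_task = { 4242, 1000, "bash" };

/* Stand-in for do_execve(): just records the filename it was handed. */
static char last_filename[256];
static int do_execve_mock(const char *filename, char **argv, char **envp,
                          struct pt_regs *regs)
{
    (void)argv; (void)envp; (void)regs;
    snprintf(last_filename, sizeof last_filename, "%s", filename);
    return 0;
}

/* Logging replacement shaped like sys_execve() in 2.4: the frame arrives by
 * value, and the user's arguments are read from the saved ebx/ecx/edx, not
 * from C parameters of the libc-style prototype. */
static char last_log[256];
int logged_sys_execve(struct pt_regs regs)
{
    const char *filename = (const char *)regs.ebx;
    char **argv = (char **)regs.ecx;
    char **envp = (char **)regs.edx;
    snprintf(last_log, sizeof last_log, "execve pid=%d uid=%d comm=%s file=%s",
             current_task.pid, current_task.uid, current_task.comm, filename);
    return do_execve_mock(filename, argv, envp, &regs);
}

/* Mock of the entry path: the int 0x80 stub has pushed the registers, so the
 * handler sees the frame with ebx/ecx/edx holding the user's arguments. */
int simulate_execve_call(const char *filename, char **argv, char **envp)
{
    struct pt_regs frame;
    memset(&frame, 0, sizeof frame);
    frame.ebx = (long)filename;
    frame.ecx = (long)argv;
    frame.edx = (long)envp;
    frame.eax = 11;              /* __NR_execve on i386 */
    return logged_sys_execve(frame);
}
```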

