On Mon, Feb 25, 2002 at 11:43:05AM -0500, israel fdez wrote:

> I need to audit files that are going to be executed, I'm intercepting the
> "execve" system calls changing the sys_call_table, but I've a doubt
> about the function I have to use; I'm using the "sys_execve(struct
> pt_regs regs)" function in linux/arch/i386/kernel/process.c is it ok?

no. note that the prototype is :

    sys_execve(struct pt_regs regs)

not

    sys_execve(struct pt_regs * regs)

and think about what execve needs to do to the saved EIP register value, and
what happens with calling orig_sys_execve()

and see what syscalltracker / others do instead !

john

-- 
"Yes, I understand your point, but This Is UA, and not some fluffy creche."
    - Topper

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
IRC Channel: irc.openprojects.net / #kernelnewbies
Web Page: http://www.kernelnewbies.org/
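The point the reply hints at, as an added user-space model (not code from the thread, the kernel, or syscalltracker). It assumes the i386 behaviour of that era, where the by-value `regs` parameter of sys_execve overlays the register frame saved by the syscall entry code; `mock_regs`, `model_execve`, `naive_hook`, `resume_eip` and all addresses are constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-in for the saved user registers (real pt_regs has more). */
struct mock_regs { unsigned long eip, esp; };

#define OLD_EIP 0x08048000UL   /* constructed: where the caller of execve was */
#define NEW_EIP 0x40001000UL   /* constructed: entry point of the new image  */
#define NEW_ESP 0xbffff000UL   /* constructed: fresh user stack              */

/* arg_slot models the stack memory holding the "by-value" regs argument. */
typedef int (*handler_t)(struct mock_regs *arg_slot);

/* Models sys_execve: it rewrites its own argument in place, relying on that
 * argument being the saved frame restored on return to user mode. */
static int model_execve(struct mock_regs *arg_slot)
{
    arg_slot->eip = NEW_EIP;
    arg_slot->esp = NEW_ESP;
    return 0;
}

/* Models a wrapper that does "return orig_sys_execve(regs);".
 * C passes structs by value, so the original receives a fresh copy. */
static int naive_hook(struct mock_regs *arg_slot)
{
    struct mock_regs copy = *arg_slot;   /* the compiler-made argument copy */
    /* audit logging would go here */
    return model_execve(&copy);          /* new EIP/ESP land in the copy    */
}

/* Models syscall entry/exit: save a frame, dispatch, resume at frame.eip. */
static unsigned long resume_eip(handler_t handler)
{
    struct mock_regs frame = { OLD_EIP, 0xbfffe000UL };
    handler(&frame);
    return frame.eip;
}

int main(void)
{
    printf("direct table entry resumes at %#lx\n", resume_eip(model_execve));
    printf("naive wrapper resumes at      %#lx\n", resume_eip(naive_hook));
    return 0;
}
```

With the naive wrapper the frame still holds the old EIP after the process image has been replaced, which is why a plain call to the saved original pointer does not work for this syscall.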