Re: Intercepting unlink system call

On Thu, 2005-06-02 at 09:55, Gaurav Dhiman wrote:
> Please try to send the code as an inline attachment; it's easy to comment
> on code in that case.
> 
> Well read my comments inlined in your code below.
> 
> > #include <linux/kernel.h>
> > #include <linux/unistd.h>
> > #include <linux/module.h>
> > #include<linux/linkage.h>
> > /*#include<linux/syscall.h>*/
> > 
> > unsigned long  *sys_call_table;
> > asmlinkage unsigned long (*original_call)(const char*);
> > 
> > asmlinkage long  our_sys_unlink(const char *filename )
> > {
> >   printk("File is about to get deleted " ); /* print a message when a file is to be 
> > deleted*/

printk() calls should always include a message level - KERN_INFO,
KERN_WARN, KERN_ERROR, etc.  Additionally, like printf(), you need to
include '\n' at end of a logical message.

> >   printk("%s",filename);
> 
> You should not do this, as the file name is a pointer to user memory and
> user memory can be swapped out at any time, so you should first copy the
> filename from the user buffer to a kernel buffer using the copy_from_user
> function and then pass the pointer to your kernel buffer to printk()

You can use the getname() function to copy the filename argument from user
space to kernel space.  Be sure to call putname() to free the storage
before returning from the function.

> 
> >   return original_call(filename); /* call the function at orignal address to remove the file*/
> > }
> > 
> > int init_module()
> > {
> > 
> >   sys_call_table = (unsigned long *)0xc030a0f0;  /* this address can be found by 
> 
Bad idea to hard code a symbol address without performing some kind of
sanity check.  You should pick an exported syscall function, such as
sys_read(), and check the corresponding sys_call_table entry to make
sure it matches, for example:

if (sys_call_table[__NR_read] != (unsigned long) &sys_read) {
	printk(KERN_ERR "sys_call_table failed sanity test!!\n");
	return -EFAULT;
}

If you do not include this check, and your symbol address is incorrect,
the results could be disastrous.

> Where is "sys_call_table" defined in your module? Are you trying to
> set the kernel's system call table here? For this you need to define
> your global pointer variable in a module and assign this address
> to that pointer. Don't name the pointer "sys_call_table", as the
> system call table of the kernel is also named the same. You define it as a
> global in your module. Do define it as an unsigned long pointer.
> 
> unsigned long * mod_sys_call_table = (unsigned long *)0xc030a0f0;
> 
> -Gaurav
> 
> > command grep sys_call_table /boot/System.map-2.4.26 where 2.4.26 is system 
> > release which can change and can be obtained by uname -r*/
> > 
> >   printk("<1> In init function\n ");

Do NOT hard code the message level in a printk.  Here you have hardcoded
KERN_ALERT, which means "Action must be taken immediately!!". You
probably intended to code KERN_INFO instead.

> >   original_call= sys_call_table[__NR_unlink]; /* save the original address*/
> >   sys_call_table[__NR_unlink]=our_sys_unlink;   /* replace the address by our function*/
> >   return 0;
> >  }
> > 
> > int cleanup_module()
> > {
> >   sys_call_table[__NR_unlink]=original_call; /* replace orignal address again*/
> >  return 0;
> > }
> 
> 
> On 6/2/05, Dipti Pawar <dipti.pawar@xxxxxxxxx> wrote:
> > Hi 
> > 
> > I am trying to intercept unlink system call. 
> > 
> > I have attached a code here that I tried. 
> > 
> > But it's not working. 
> > 
> > Can anyone tell me the reason or bugs in this code and the information to
> > proceed ahead? 
> > 
> > Regards, 
> > 
> > Dipti. 
> > 


--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
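The sanity check suggested above, generalised into a small user-space model (an added example, not code from this thread or from the kernel): a constructed array of function pointers stands in for sys_call_table, the function names, syscall numbers and table size are assumptions, and install_hook() refuses to patch anything when the anchor slot does not hold the expected exported symbol, returning -EFAULT as the reply does.

```c
#include <stddef.h>
#include <errno.h>

/* Constructed user-space model of the kernel's syscall table: an array of
 * function pointers indexed by syscall number (assumption, not kernel code). */
typedef long (*syscall_fn)(const char *);

/* Numbers mirror 32-bit x86 __NR_read / __NR_unlink; the table size is arbitrary. */
enum { NR_READ = 3, NR_UNLINK = 10, NR_SLOTS = 16 };

/* Stand-ins for the real sys_read() / sys_unlink() (assumed names). */
static long sys_read_model(const char *p)   { (void)p; return 0; }
static long sys_unlink_model(const char *p) { (void)p; return 1; }

/* Exported symbol used as the anchor, as the reply does with sys_read(). */
static const syscall_fn anchor_fn = sys_read_model;
static const int anchor_nr = NR_READ;

/* Returns 0 if the anchor slot holds the expected exported symbol,
 * -EFAULT otherwise (the value the reply returns when the check fails). */
int table_sanity_check(syscall_fn *table)
{
    if (table == NULL || table[anchor_nr] != anchor_fn)
        return -EFAULT;
    return 0;
}

/* Replace slot 'nr' with 'replacement' only after the table passes the
 * sanity check; the displaced entry is saved in *saved for cleanup_module(). */
int install_hook(syscall_fn *table, int nr, syscall_fn replacement, syscall_fn *saved)
{
    int rc = table_sanity_check(table);
    if (rc)
        return rc;                /* wrong address: touch nothing */
    if (nr < 0 || nr >= NR_SLOTS)
        return -EINVAL;
    *saved = table[nr];
    table[nr] = replacement;
    return 0;
}

/* Undo install_hook(): put the saved entry back, as cleanup_module() must. */
void restore_hook(syscall_fn *table, int nr, syscall_fn saved)
{
    table[nr] = saved;
}
```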