> > > > > Hi,
> > > > > I have a requirement of logging program's name with time stamp on
> > > You need to intercept the exec (execv) system call and not exit/fork.
> > -- Asim
Hi Asim, thanks for the reply. Could you explain a bit how hooking execve() will help?
--
All processes except the swapper are created by the fork & exec (of program code) mechanism.

sys_execve: arch/i386/kernel/process.c:

    asmlinkage int sys_execve(struct pt_regs regs)

do_execve is called within sys_execve:

    error = do_execve(filename, (char **) regs.ecx, (char **)regs.edx, &regs);

Defn of do_execve: /usr/src/linux/fs/exec.c:

    int do_execve(char * filename, char ** argv, char ** envp, struct pt_regs * regs)

So you actually need to:
1. Intercept the sys_execve system call.
2. Do your logging.
3. Call the do_execve system call.
4. Take care of the arguments when you do (3).

This can get painful (need hard reboots) if you err. After your logging, call do_execve as:

    error = do_execve(filename, (char **) regs.ecx, (char **)regs.edx, &regs);

Simply passing over the regs parameter won't work.

Thanks,
Asim
-- 
Aerodynamically the bumblebee shouldn't be able to fly, but the bumblebee doesn't know that so it goes on flying anyway.
-- 
Never let your sense of morals prevent you from doing what's right. -- Isaac Asimov
-- 
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
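The same intercept, log, then hand the call on unchanged pattern that Asim describes, as an added user-space example (not code from this thread): a ptrace supervisor stops the child at every syscall entry, reads the execve() filename argument out of the saved register state, stamps and logs it, and resumes the call with its arguments untouched. It assumes x86_64 Linux (the orig_rax / rdi register names) and /bin/sh for the demo; peek_string and trace_exec are this example's own names.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
/* Copy a NUL-terminated string out of the tracee's memory, one word per PEEKDATA. */
static void peek_string(pid_t pid, unsigned long addr, char *out, size_t cap) {
    size_t i = 0;
    for (; i + sizeof(long) <= cap; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        if (errno) break;                             /* unreadable page: stop here */
        memcpy(out + i, &word, sizeof word);
        if (memchr(&word, 0, sizeof word)) return;    /* terminator found in this word */
    }
    out[i < cap ? i : cap - 1] = '\0';
}

/* Supervise argv[] with ptrace: log each execve() entry (timestamp, path), let it proceed unchanged; returns entry count. */
int trace_exec(char *const argv[], char *last_path, size_t cap) {
    pid_t pid = fork();
    if (pid == 0) {                                   /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP);                               /* pause so the tracer can set options */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, count = 0, in_syscall = 0;
    struct user_regs_struct regs; last_path[0] = '\0'; /* x86_64 register names assumed below */
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1; /* the SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) break;
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) break;  /* tracee gone */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;  /* plain signal, not a syscall stop */
        if (!(in_syscall = !in_syscall)) continue;    /* stops alternate entry/exit; act on entry */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) break;
        if (regs.orig_rax != SYS_execve) continue;
        peek_string(pid, regs.rdi, last_path, cap);   /* rdi holds the filename pointer */
        time_t now = time(NULL); char ts[32];
        strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
        printf("%s exec #%d pid=%d path=%s\n", ts, ++count, (int)pid, last_path);
    }
    return count;
}
```

Only the direct child is traced here; following its descendants would need PTRACE_O_TRACEFORK and per-pid entry/exit state.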