On 2/25/07, Avishay Traeger <atraeger@xxxxxxxxxxxxx> wrote:
On Sat, 2007-02-24 at 20:33 +0000, Liran wrote:
> Hey everyone,
>
> Hopefully, this is not off-topic for this mailing list.
>
> I want to develop a kernel module that will be used to account for the
> input/output of files on the system
> and was wondering about doing it by intercepting the open() / read() / write()
> system calls with their size attributes
> and using that as a counter. (Later on, I wish to attach to a specific pid or
> account for all i/o for a specific user but that's later).
>
> I've been going over several Linux Kernel programming books among them TLDP's
> Linux kernel programming where the
> author mentions that using the method of catching the original syscall table to
> do some stuff and then returning
> the original syscall again to the kernel is a bad habit, moreover, it's not
> really supported in 2.6
>
> So here comes my question - how do I go about doing that? Should I go with the
> intercepting thing or are
> there more elegant ways?

Yes. Use kprobes or something similar. The way to catch a syscall in the ancient days was making a hook to the syscall table entries, but this table is not exported anymore since 2.6 was released.

Best Regards

Does it need to be in the kernel? A couple user space options are:
- use ptrace, but that has some limitations (you can only trace child processes).
- use LD_PRELOAD

To do it from the kernel, you can create a module that:
- on loading, replaces the existing system call pointers to functions that collect the desired data and calls the original functions.
- on unloading, restores the original system call pointers.

Hope that helps.

Avishay

-- To unsubscribe from this list: send an email with "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx Please read the FAQ at http://kernelnewbies.org/FAQ