Re: Kernel module that catches a syscall (i/o event)

On 2/25/07, Avishay Traeger <atraeger@xxxxxxxxxxxxx> wrote:
On Sat, 2007-02-24 at 20:33 +0000, Liran wrote:
> Hey everyone,
>
> Hopefully, this is not off-topic for this mailing list.
>
> I want to develop a kernel module that will be used to account for the
> input/output of files on the system and was wondering about doing it by
> intercepting the open() / read() / write() system calls with their size
> attributes and using that as a counter. (Later on, I wish to attach to a
> specific pid or account for all i/o for a specific user but that's later).
>
> I've been going over several Linux Kernel programming books, among them
> TLDP's Linux kernel programming, where the author mentions that using the
> method of catching the original syscall table to do some stuff and then
> returning the original syscall again to the kernel is a bad habit,
> moreover, it's not really supported in 2.6.
>
> So here comes my question - how do I go about doing that? Should I go with
> the intercepting thing or are there more elegant ways?

Yes. Use kprobes or something similar.
The way to catch a syscall in the ancient days was making a hook to
the syscall table entries, but this table is not exported anymore
since 2.6 was released.

Best Regards



Does it need to be in the kernel?  A couple user space options are:
- use ptrace, but that has some limitations (you can only trace child
processes).
- use LD_PRELOAD

To do it from the kernel, you can create a module that:
- on loading, replaces the existing system call pointers to functions
that collect the desired data and calls the original functions.
- on unloading, restores the original system call pointers.

Hope that helps.

Avishay



--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
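
The LD_PRELOAD option mentioned in the thread, as an added example that is not code from any of the posters: a shim that counts the bytes a process moves through read() and write(). The `io_acct_*` names, the file names and the build command are assumptions made for this example.

```c
/* io_acct.c - added example: LD_PRELOAD shim counting bytes moved by read()/write().
 * Build (assumed file names): gcc -shared -fPIC -o libioacct.so io_acct.c
 * Use (placeholder program):  LD_PRELOAD=./libioacct.so ./your_program
 */
#define _GNU_SOURCE
#include <stdatomic.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

static atomic_ullong bytes_read, bytes_written;   /* per-process totals */

/* Only successful transfers count; -1 (error) and 0 (EOF) add nothing. */
static ssize_t account(atomic_ullong *total, ssize_t n)
{
    if (n > 0)
        atomic_fetch_add(total, (unsigned long long)n);
    return n;
}

/* Same prototypes as libc, so a preloaded copy of these symbols is found
 * before libc's. The raw syscall forwards the request to the kernel. */
ssize_t read(int fd, void *buf, size_t count)
{
    return account(&bytes_read, syscall(SYS_read, fd, buf, count));
}

ssize_t write(int fd, const void *buf, size_t count)
{
    return account(&bytes_written, syscall(SYS_write, fd, buf, count));
}

unsigned long long io_acct_read_total(void)    { return atomic_load(&bytes_read); }
unsigned long long io_acct_written_total(void) { return atomic_load(&bytes_written); }

/* Runs at process exit; reports through the raw syscall so the report
 * itself is not added to the write total. */
__attribute__((destructor)) static void io_acct_report(void)
{
    char line[96];
    int len = snprintf(line, sizeof line, "[io_acct] pid=%d read=%llu written=%llu\n",
                       (int)getpid(), io_acct_read_total(), io_acct_written_total());
    if (len > 0)
        syscall(SYS_write, 2, line, (size_t)len);
}
```

The shim only sees dynamically linked programs that call the libc read()/write() wrappers; statically linked binaries, direct syscalls and other I/O calls such as pread() or readv() are not counted, a gap that kernel-side probes do not have.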