On Sun, 2007-02-25 at 10:29 +0200, Tzahi Fadida wrote: > On Sunday 25 February 2007 03:22, Avishay Traeger wrote: > > To do it from the kernel, you can create a module that: > > - on loading, replaces the existing system call pointers to functions > > that collect the desired data and calls the original functions. > > This is very interesting, can you outline, point out, how it is done? > How can you replace a system call pointer to function from inside a module > dynamically? finding something like ~file_operations~ structure of all active > file systems? is there something more generic? The kernel has a system call table, where it looks up which function to call for each system call number. For x86, you can find it in arch/i386/kernel/syscall_table.S. This table is really just an array - to replace something, you just need to set the proper index to point to a new function. However, this will require you to modify the kernel because this is not allowed. I think you are confusing system calls with file system operations in your example. When a user space program calls read(), this is a system call, and the kernel does whatever it needs to do to satisfy the program's request. There are many things that you need to do for every file system, and this is not in the file system (it's in the VFS). For the part that is specific to the file system, it will call the file system's read function. To trace it, we can look at the system call table, and find the line: ".long sys_read". This tells us that the system call's implementation starts in the sys_read() function (fs/read_write.c). This calls vfs_read(), which calls file->f_op->read(). This is a function pointer that the file system sets up for the specific things that the file system needs to do. Avishay -- To unsubscribe from this list: send an email with "unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx Please read the FAQ at http://kernelnewbies.org/FAQ
