Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

Hi Greg,
 
Thank you for the prompt reply. My intention is to build some heuristics for intrusion detection on embedded systems based on sequences of syscalls.
I am collecting syscall events and sending them with netlink to my monitor.
Since the platform may use SELinux or another LSM, I thought a syscall hook is the only point I can use to catch syscalls.
 
Is it the wrong direction?
 
I was googling and reading kernel git logs trying to find out why execve, clone and fork use assembly glue code instead of calling sys_execve like other syscalls.
Can you give me some pointers on where to look?
 
Regards.
Lev.


07.03.2017, 22:23, "Greg KH" <greg@xxxxxxxxx>:

On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote:

 Hello all,

  In kernels 3.x up to 4.2, on the x86_64 architecture the execve() system call was made through some
 magic (I can't say I understand it) assembly stub in arch/x86/kernel/entry_64.S,
 so up to kernel 4.2 it was possible to patch this assembly to install the hook, e.g. see
 http://stackoverflow.com/questions/8372912/hooking-sys-execve-on-linux-3-x/9672512#9672512

 But this hook still can't access the filename argument in a proper way, although I tried to do it the same way
 fs/exec.c does: using the kernel's getname() function (which I needed to find through kallsyms_lookup_name()).

 In kernels 4.2 and up, arch/x86/kernel/entry_64.S is gone, and I still don't have a clue what to do to get the filename as a char string.


Why do you want to hook a syscall? That's a very complex, and broken,
and ill-advised thing to do. Please don't do that.

What problem are you trying to solve here that led you to think that
putting a syscall hook in is a good solution?

thanks,

greg k-h
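An alternative to patching the syscall table, as an added example that is not code from this thread or from either poster: on any kernel with tracefs (3.x and 4.x alike, independent of how the x86_64 entry code is laid out), the sched_process_exec tracepoint already reports the exec'd filename as a string, so a monitor can read it from trace_pipe in user space and never needs getname() or kallsyms_lookup_name(). Assumptions, also marked in the code: the tracefs mount point (/sys/kernel/tracing on newer kernels, /sys/kernel/debug/tracing on older ones), the trace_pipe line layout produced by the tracepoint's TP_printk format, the sample trace lines (constructed, not captured from a real system), and the allowlist prefixes used by the toy heuristic.

```shell
#!/bin/sh
# Added example: read execve filenames from the sched_process_exec tracepoint
# through tracefs instead of hooking the syscall table. Not from the thread.

# Assumption: tracefs mount point. Older kernels: /sys/kernel/debug/tracing.
TRACEFS="${TRACEFS:-/sys/kernel/tracing}"

# Live mode (needs root): enable the tracepoint and stream "<pid> <filename>".
trace_execs() {
    echo 1 > "$TRACEFS/events/sched/sched_process_exec/enable" || return 1
    parse_exec_lines < "$TRACEFS/trace_pipe"
}

# Convert trace_pipe lines on stdin to "<pid> <filename>". Other events are
# dropped. Assumed layout: "... sched_process_exec: filename=%s pid=%d old_pid=%d".
parse_exec_lines() {
    sed -n 's/.*sched_process_exec: filename=\([^ ]*\) pid=\([0-9][0-9]*\) old_pid=[0-9]*.*/\2 \1/p'
}

# Toy heuristic: alert on execs whose path is not under an allowed prefix.
# $1 = space-separated allowed prefixes; stdin = "<pid> <filename>" lines.
flag_unexpected_execs() {
    allowed="$1"
    while read -r pid file; do
        ok=0
        for p in $allowed; do
            case "$file" in "$p"*) ok=1; break ;; esac
        done
        [ "$ok" -eq 0 ] && printf 'ALERT pid=%s exec=%s\n' "$pid" "$file"
    done
    return 0
}

# Constructed sample trace_pipe output (not captured from a real system);
# the sched_wakeup line is there to show unrelated events being ignored.
SAMPLE_TRACE='            bash-1201  [000] ....  1023.441001: sched_process_exec: filename=/usr/bin/ls pid=1201 old_pid=1201
            bash-1202  [001] ....  1023.442330: sched_process_exec: filename=/tmp/.x/payload pid=1202 old_pid=1202
            sshd-977   [000] ....  1023.450000: sched_wakeup: comm=bash pid=1201 prio=120 target_cpu=000
         busybox-1203  [001] ....  1023.461200: sched_process_exec: filename=/bin/busybox pid=1203 old_pid=1203'

# Offline runs over the constructed sample, so the parser and heuristic can be
# checked without root or tracefs.
sample_execs() {
    printf '%s\n' "$SAMPLE_TRACE" | parse_exec_lines
}

sample_alerts() {
    printf '%s\n' "$SAMPLE_TRACE" | parse_exec_lines \
        | flag_unexpected_execs "/bin/ /usr/bin/ /sbin/ /usr/sbin/"
}

sample_alerts
```

Two caveats a monitor built this way has to live with: the tracepoint fires only for execs that succeeded (a failed execve of a non-existent path never reaches it; the syscalls/sys_enter_execve tracepoint sees the attempt but only carries the user pointer, and the audit subsystem is the usual answer when failed attempts matter), and enabling tracepoints and reading trace_pipe requires root, which is fine for a device-local monitor but means the collector itself becomes a privileged component worth keeping small.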

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
