On Wed, Mar 08, 2017 at 03:20:57PM +0300, Lev Olshvang wrote:
> Hi Greg,
>
> Thank you for a prompt reply. My intention is to build some heuristics for
> intrusion detection on embedded systems based on the sequence of syscalls.
> I am collecting syscall events and sending them with netlink to my monitor.
> Since the platform may use SELinux or another LSM, I thought the syscall hook
> is the only point I can use to catch syscalls.
>
> Is it a wrong direction?

Yes it is, please use the audit subsystem for something like that, it is
exactly what it was designed and built for. You can do everything you want
to from userspace.

> I was googling and reading kernel git logs trying to find out why execve,
> clone, fork use assembly glue code instead of calling sys_execve like other
> syscalls.
> Can you give me some point where to look?

Nope, don't mess with that :)

good luck!

greg k-h

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
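Greg's pointer to the audit subsystem, worked through as an added example (mine, not code from the thread or the kernel tree): it assumes auditd is already logging SYSCALL records for the processes of interest, parses constructed records into per-pid syscall sequences, and scores each trace by the share of 3-gram windows absent from a known-good baseline, the classic sequence-based anomaly heuristic Lev describes.

```python
import re
from collections import defaultdict

# Only the fields needed here; syscall numbers are architecture specific,
# so the baseline must be recorded on the same arch as the monitored host.
SYSCALL_RE = re.compile(r'type=SYSCALL .*? syscall=(\d+) .*? pid=(\d+)\b')

def _record(seq, pid, nr):
    """Constructed SYSCALL record in the layout auditd writes (fields trimmed)."""
    return (f'type=SYSCALL msg=audit(1489000000.{seq:03d}:{seq}): arch=c000003e '
            f'syscall={nr} success=yes exit=0 ppid=1 pid={pid} comm="sh" key="ids"')

# Constructed log: two interleaved processes (x86_64 numbers). pid 1234 does
# execve, brk, access, openat, read, close, exit_group; pid 1300 does execve,
# brk, socket, connect, write, exit_group.
SAMPLE_RECORDS = [_record(i, pid, nr) for i, (pid, nr) in enumerate([
    (1234, 59), (1300, 59), (1234, 12), (1300, 12), (1234, 21), (1300, 41),
    (1234, 257), (1300, 42), (1234, 0), (1300, 1), (1234, 3), (1234, 231),
    (1300, 231)])]

# Known-good traces collected beforehand (constructed): one normal shell run.
BASELINE = [[59, 12, 21, 257, 0, 3, 231]]

def sequences_by_pid(records):
    """Group syscall numbers by pid in log order; non-SYSCALL lines are skipped."""
    seqs = defaultdict(list)
    for line in records:
        m = SYSCALL_RE.search(line)
        if m:
            seqs[int(m.group(2))].append(int(m.group(1)))
    return dict(seqs)

def windows(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def train(baseline, n=3):
    """Normal profile: every length-n window that appears in a good trace."""
    return {w for seq in baseline for w in windows(seq, n)}

def anomaly_score(seq, profile, n=3):
    """Fraction of the trace's windows never seen in training (0.0 = all known)."""
    ws = windows(seq, n)
    return sum(w not in profile for w in ws) / len(ws) if ws else 0.0

def score_records(records, baseline=BASELINE, n=3):
    profile = train(baseline, n)
    return {pid: anomaly_score(seq, profile, n)
            for pid, seq in sequences_by_pid(records).items()}

if __name__ == "__main__":
    for pid, score in score_records(SAMPLE_RECORDS).items():
        print(f"pid {pid}: {score:.2f} of 3-gram windows unseen in baseline")
```

In a real deployment the records come from the audit log or an audispd plugin, and the baseline is built from traces of the same binaries on the same architecture.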