I'm actually formulating my thesis project. I am looking for a way to intercept system calls (those chosen by the users), where I can keep track of what syscall has been called and by who.

A big picture of the _main_ idea of interception would be:
Application called a syscall -> Intercept and delay call -> do something before the call -> return back to the syscall.

By real-time I mean as soon as an application called a syscall (i.e. fopen), I could then receive a reply from the kernel informing me X called fopen, where X could be a pid or whatever.

>> Have you looked at the syscall audit facility?

I have not. Are you talking about auditctl?

On 06/28/2017 06:19 PM, valdis.kletnieks@xxxxxx wrote:
> On Wed, 28 Jun 2017 17:48:15 -0300, Ben Mezger said:
>> Can the kernel keep track of all the system calls that were called by an
>> application/module in real-time?
>> I know I can statically use strace, or even gdb, but I am looking for a
>> solution in real time when the application/module is already running and
>> the user has no control over it.
>
> What actual problem are you trying to solve by having the information?
>
> How "real-time" does it have to be?
>
> Have you looked at the syscall audit facility?

--
- seds
~> https://seds.nl

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
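
The syscall audit facility asked about in this thread emits one `SYSCALL` record for each call that matches a loaded rule. The following is an added example, not code from either poster, that parses such records to report which pid made which call; the sample records, the key name `thesis-open`, the function name and the small syscall table are constructed for illustration.

```python
import re
import shlex

# Records like the ones below are produced once a rule is loaded, e.g.:
#   auditctl -a always,exit -F arch=b64 -S open -S openat -k thesis-open
# (fopen() is a libc function; the kernel sees it as open/openat.)

# Subset of the x86_64 syscall table (arch=c000003e), enough for the sample.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 59: "execve", 257: "openat"}

# Constructed sample in the audit log format; not captured from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1498684740.101:812): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2b a2=0 a3=0 items=1 ppid=2210 pid=4321 auid=1000 uid=1000 gid=1000 comm="cat" exe="/bin/cat" key="thesis-open"
type=PATH msg=audit(1498684740.101:812): item=0 name="/etc/hostname" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1498684741.530:813): arch=c000003e syscall=2 success=no exit=-13 a0=7f10aa a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=977 auid=4294967295 uid=33 gid=33 comm="httpd" exe="/usr/sbin/httpd" key="thesis-open"
"""

# type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <key=value ...>
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_syscall_records(log_text):
    """Return one dict per SYSCALL record: who (pid/comm) called what."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m or m.group(1) != "SYSCALL":
            continue  # PATH, CWD etc. share the serial but are skipped here
        # shlex strips the quotes around values such as comm="cat"
        fields = dict(t.split("=", 1) for t in shlex.split(m.group(4)) if "=" in t)
        nr = int(fields["syscall"])
        known = X86_64_SYSCALLS if fields["arch"] == "c000003e" else {}
        events.append({
            "time": float(m.group(2)),
            "serial": int(m.group(3)),
            "pid": int(fields["pid"]),
            "comm": fields["comm"],
            "syscall": known.get(nr, f"nr{nr}"),
            "success": fields.get("success") == "yes",
            "exit": int(fields["exit"]),
        })
    return events


if __name__ == "__main__":
    for ev in parse_syscall_records(SAMPLE_LOG):
        print(f'{ev["time"]:.3f} pid={ev["pid"]} ({ev["comm"]}) called '
              f'{ev["syscall"]} -> exit={ev["exit"]}')
```

Audit records are written as the call exits, so this reports calls after the fact and does not delay them.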