On Tue, Sep 01, 2020 at 09:16:22AM +0200, César Augusto Marcelino dos Santos wrote:
> Dear community,
>
> I have created a kernel module that adds probes to do_execve() and
> do_exit() syscalls (code by the end of this email). It is running on a
> custom kernel-based system, version 3.18.31.

Wow, 3.18.y is from December of 2014, many years ago, and over 467,000
changes ago. You really need to ask the company that is forcing you to
rely on that old kernel version for stuff like this, as you are paying
them for that support, take advantage of it, do not rely on the
community to try to attempt to help with such an obsolete system.

That being said:

> The goal of this module is to see if I can capture several pieces of
> information from any process that is about to start, or that is about
> to leave userspace. I have tested the following scenarios:
> - app inits
> - app finishes its execution gracefully
> - app is killed
> - app crashes

Just use the LSM interface instead please, that is what it is there for,
you really really really do not want to attempt to hook system calls,
unless you are a rootkit :)

good luck!

greg k-h

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies