RE: execve replacement.

From: Tigran Aivazian (tigran@veritas.com)
Date: Wed Oct 04 2000 - 10:21:06 EST


Hi Abel,

1. John Levon already told you that if the syscalls sleep and your module
is unloaded then they will return nowhere. Just put MOD_INC_USE_COUNT and
MOD_DEC_USE_COUNT in my_kill/my_exit/my_execve as he suggested.

2. your module won't work on mips architecture but you probably know this
(or don't care)

3. getname allocates a "name object" from names_cachep SLAB cache and
copies a filename from userspace into it. putname frees this object

4. just trapping when processes do exit(2) system call may not be enough
-- depends on what you want to achieve. For example, a process may be
"forced to exit" if he/she invokes a bdflush(2) system call, see
sys_bdflush() in fs/buffer.c. So you may need a hook in do_exit() (see
kernel/exit.c).

Regards,
Tigran

 On Wed, 4
Oct 2000, Abel Muñoz Alcaraz wrote:

> I need that somebody says to my module when a user application has started
> or finished, and what is its name and pid.
>
> I have rewritten my function and it seems that it works well.
>
> Remember; it is only an example:
> =========================================================================
>
> extern void *sys_call_table[];
>
> asmlinkage int (*system_execve)(struct pt_regs);
> asmlinkage int (*system_kill)(pid_t, int);
> asmlinkage void (*system_exit)(int);
>
> asmlinkage int my_kill(pid_t pid, int sign)
> {
> printk("\nPROCMON: Killing process %d.\n", pid);
>
> return system_kill(pid, sign);
> }
>
> asmlinkage void my_exit(int status)
> {
> printk("\nPROCMON: Exiting process %d.\n", current->pid);
>
> return system_exit(status);
> }
>
> asmlinkage int my_execve(struct pt_regs regs)
> {
> int error;
> char * filename;
>
> lock_kernel();
>
> filename = getname((char *) regs.ebx); //What does getname() do?
> error = PTR_ERR(filename);
> if (IS_ERR(filename))
> {
> unlock_kernel();
>
> return error;
> }
>
> error = do_execve(filename, (char **) regs.ecx, (char **) regs.edx, &regs);
> if (error == 0)
> {
> current->flags &= ~PF_DTRACE; // ?????
>
> printk("\nPROCMON: Executing process (%d) %s\n", current->pid, filename);
> }
>
> putname(filename); //What does putname() do?
>
> unlock_kernel();
>
> return error;
> }
>
> int init_module()
> {
> system_execve = sys_call_table[__NR_execve];
> system_kill = sys_call_table[__NR_kill];
> system_exit = sys_call_table[__NR_exit];
>
> sys_call_table[__NR_execve] = my_execve;
> sys_call_table[__NR_kill] = my_kill;
> sys_call_table[__NR_exit] = my_exit;
>
> return 0;
> }
>
> void cleanup_module()
> {
> if (sys_call_table[__NR_execve] != my_execve)
> {
> printk(KERN_INFO "\nThe system has been left in a unpredictable
> state.\nPlease, reboot it.\n");
> }
>
> sys_call_table[__NR_exit] = system_exit;
> sys_call_table[__NR_kill] = system_kill;
> sys_call_table[__NR_execve] = system_execve;
> }
>
> If you know a better way, please say me.
>
> -Abel.
>
> -----Original Message-----
> From: John Levon [mailto:moz@compsoc.man.ac.uk]
> Sent: miércoles, 04 de octubre de 2000 16:21
> To: Abel Muñoz Alcaraz
> Subject: RE: execve replacement.
>
>
> On Wed, 4 Oct 2000, [iso-8859-1] Abel Muñoz Alcaraz wrote:
>
> > I need to create a processes hook.
> > Do you know an other way?
> >
> > -Abel.
>
> what do you mean by a hook ? what exact info do you need and when ? than
>
> john
>
> --
> "The Internet is a shallow and unreliable electronic repository of dirty
> pictures, inaccurate rumors,
> bad spelling and worse grammar, inhabited largely by people with no
> demonstrable social skills."
> - Chronicle of Higher Education
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> Please read the FAQ at http://www.tux.org/lkml/
>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sat Oct 07 2000 - 21:00:14 EST