* Intercepting system calls
@ 2011-12-22 16:07 Gaurav Saxena
  2011-12-22 16:42 ` richard -rw- weinberger
                   ` (3 more replies)
  0 siblings, 4 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-22 16:07 UTC (permalink / raw)
  To: linux-kernel

Hello all,

I am writing an application for which I need to intercept some
filesystem system calls eg. unlink. I need unlink to call my code
before deleting abc so that I could probably prevent unlink . I would
like to implement this in a kernel module instead of modifying kernel
code itself. I would like to intercept system calls by replacing
system calls but I have not been able to find any method of doing that
in linux > 3.0. Please suggest some method of doing that.


--
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 16:07 Intercepting system calls Gaurav Saxena
@ 2011-12-22 16:42 ` richard -rw- weinberger
  2011-12-22 16:59   ` Gaurav Saxena
  2011-12-23  7:25 ` J. R. Okajima
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-22 16:42 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel

On Thu, Dec 22, 2011 at 5:07 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello all,
>
> I am writing an application for which I need to intercept some
> filesystem system calls eg. unlink. I need unlink to call my code
> before deleting abc so that I could probably prevent unlink . I would
> like to implement this in a kernel module instead of modifying kernel
> code itself. I would like to intercept system calls by replacing
> system calls but I have not been able to find any method of doing that
> in linux > 3.0. Please suggest some method of doing that.
>

Intercepting system calls is very bad, don't do it.

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-22 16:42 ` richard -rw- weinberger
@ 2011-12-22 16:59   ` Gaurav Saxena
  2011-12-22 17:05     ` richard -rw- weinberger
                       ` (2 more replies)
  0 siblings, 3 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-22 16:59 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: linux-kernel

Hello Richard,
Thank you very much for your reply.

On Thu, Dec 22, 2011 at 10:12 PM, richard -rw- weinberger
<richard.weinberger@gmail.com> wrote:
> On Thu, Dec 22, 2011 at 5:07 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> Hello all,
>>
>> I am writing an application for which I need to intercept some
>> filesystem system calls eg. unlink. I need unlink to call my code
>> before deleting abc so that I could probably prevent unlink . I would
>> like to implement this in a kernel module instead of modifying kernel
>> code itself. I would like to intercept system calls by replacing
>> system calls but I have not been able to find any method of doing that
>> in linux > 3.0. Please suggest some method of doing that.
>>
>
> Intercepting system calls is very bad, don't do it.
Oh. I will not do it then, could you suggest me something so that I
could prevent unlink on some file say using kernel support. I want to
save file on unlink how could I do that without kernel support, or how
could I do that using a kernel module.
>
> --
> Thanks,
> //richard



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 16:59   ` Gaurav Saxena
@ 2011-12-22 17:05     ` richard -rw- weinberger
  2011-12-22 17:16       ` Gaurav Saxena
  2011-12-22 17:52     ` John Stoffel
  2011-12-22 19:03     ` Wakko Warner
  2 siblings, 1 reply; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-22 17:05 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel

On Thu, Dec 22, 2011 at 5:59 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello Richard,
> Thank you very much for your reply.
>
> On Thu, Dec 22, 2011 at 10:12 PM, richard -rw- weinberger
> <richard.weinberger@gmail.com> wrote:
>> On Thu, Dec 22, 2011 at 5:07 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>>> Hello all,
>>>
>>> I am writing an application for which I need to intercept some
>>> filesystem system calls eg. unlink. I need unlink to call my code
>>> before deleting abc so that I could probably prevent unlink . I would
>>> like to implement this in a kernel module instead of modifying kernel
>>> code itself. I would like to intercept system calls by replacing
>>> system calls but I have not been able to find any method of doing that
>>> in linux > 3.0. Please suggest some method of doing that.
>>>
>>
>> Intercepting system calls is very bad, don't do it.
> Oh. I will not do it then, could you suggest me something so that I
> could prevent unlink on some file say using kernel support. I want to
> save file on unlink how could I do that without kernel support, or how
> could I do that using a kernel module.
>>

It depends on your application.
Samba has vfs_recycle.
You can also write a fuse-filesystem.
Or use ptrace().

Select your pain. ;)

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-22 17:05     ` richard -rw- weinberger
@ 2011-12-22 17:16       ` Gaurav Saxena
  2011-12-22 17:32         ` richard -rw- weinberger
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-22 17:16 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: linux-kernel

> It depends on your application.
> Samba has vfs_recycle.
> You can also write a fuse-filesystem.
> Or use ptrace().
>
> Select your pain. ;)
>
I want to monitor whole / and its sub directories for unlink call, if
there is any call I would save the file, would it be possible with
FUSE? It would require remounting of file system ? I don't think
ptrace would be of help as applications are not under my control.
> --
> Thanks,
> //richard



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 17:16       ` Gaurav Saxena
@ 2011-12-22 17:32         ` richard -rw- weinberger
  2011-12-22 17:37           ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-22 17:32 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel

On Thu, Dec 22, 2011 at 6:16 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> I want to monitor whole / and its sub directories for unlink call, if
> there is any call I would save the file, would it be possible with
> FUSE? It would require remounting of file system ? I don't think
> ptrace would be of help as applications are not under my control.

This is a non-trivial problem.
Consider also using a stackable filesystem like dazuko
(http://dazuko.dnsalias.org)

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-22 17:32         ` richard -rw- weinberger
@ 2011-12-22 17:37           ` Gaurav Saxena
  0 siblings, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-22 17:37 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: linux-kernel

On Thu, Dec 22, 2011 at 11:02 PM, richard -rw- weinberger
<richard.weinberger@gmail.com> wrote:
> On Thu, Dec 22, 2011 at 6:16 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> I want to monitor whole / and its sub directories for unlink call, if
>> there is any call I would save the file, would it be possible with
>> FUSE? It would require remounting of file system ? I don't think
>> ptrace would be of help as applications are not under my control.
>
> This is a non-trivial problem.
> Consider also using a stackable filesystem like dazuko
> (http://dazuko.dnsalias.org)
>
> --
> Thanks,
> //richard

Oh Ok. I will surely see this, but as with others like redirfs, it
also doesn't have support for linux >3.0 :(.

-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 16:59   ` Gaurav Saxena
  2011-12-22 17:05     ` richard -rw- weinberger
@ 2011-12-22 17:52     ` John Stoffel
  2011-12-23  2:22       ` Gaurav Saxena
  2011-12-23 14:50       ` Alan Cox
  2011-12-22 19:03     ` Wakko Warner
  2 siblings, 2 replies; 53+ messages in thread
From: John Stoffel @ 2011-12-22 17:52 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: richard -rw- weinberger, linux-kernel

>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:

>> Intercepting system calls is very bad, don't do it.

Gaurav> Oh. I will not do it then, could you suggest me something so
Gaurav> that I could prevent unlink on some file say using kernel
Gaurav> support. I want to save file on unlink how could I do that
Gaurav> without kernel support, or how could I do that using a kernel
Gaurav> module.

Write a FUSE module to mount the filesystem through, inside your FUSE
module you can intercept the unlink/truncate/write calls and decide
what you want to have happen.

John


* Re: Intercepting system calls
  2011-12-22 16:59   ` Gaurav Saxena
  2011-12-22 17:05     ` richard -rw- weinberger
  2011-12-22 17:52     ` John Stoffel
@ 2011-12-22 19:03     ` Wakko Warner
  2011-12-23  2:25       ` Gaurav Saxena
  2011-12-23  9:45       ` Jiri Kosina
  2 siblings, 2 replies; 53+ messages in thread
From: Wakko Warner @ 2011-12-22 19:03 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel

Gaurav Saxena wrote:
> Oh. I will not do it then, could you suggest me something so that I
> could prevent unlink on some file say using kernel support. I want to
> save file on unlink how could I do that without kernel support, or how
> could I do that using a kernel module.

I wrote a library that can be loaded in userspace that does this.  It's not
very polished, but it works for me.  I use it for rsync when I want files
"deleted" but not from the filesystem.  It creates a .deleted directory in
the $PWD.

If you're interested, I can send it to you.  I have it working on i386 and
amd64.

-- 
 Microsoft has beaten Volkswagen's world record.  Volkswagen only created 22
 million bugs.


* Re: Intercepting system calls
  2011-12-22 17:52     ` John Stoffel
@ 2011-12-23  2:22       ` Gaurav Saxena
  2011-12-23 14:38         ` John Stoffel
  2011-12-23 14:50       ` Alan Cox
  1 sibling, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  2:22 UTC (permalink / raw)
  To: John Stoffel; +Cc: richard -rw- weinberger, linux-kernel

Hello John,

On Thu, Dec 22, 2011 at 11:22 PM, John Stoffel <john@stoffel.org> wrote:
>>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:
>
>>> Intercepting system calls is very bad, don't do it.
>
> Gaurav> Oh. I will not do it then, could you suggest me something so
> Gaurav> that I could prevent unlink on some file say using kernel
> Gaurav> support. I want to save file on unlink how could I do that
> Gaurav> without kernel support, or how could I do that using a kernel
> Gaurav> module.
>
> Write a FUSE module to mount the filesystem through, inside your FUSE
> module you can intercept the unlink/truncate/write calls and decide
> what you want to have happen.
>
> John
I would like to write it differently for each type of filesystem ?
Because what operations to call after my function depends on this.
Also Can I mount "/" in this way ?


-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 19:03     ` Wakko Warner
@ 2011-12-23  2:25       ` Gaurav Saxena
  2011-12-23  9:45       ` Jiri Kosina
  1 sibling, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  2:25 UTC (permalink / raw)
  To: wakko, Gaurav Saxena, linux-kernel

Hello Wakko

On Fri, Dec 23, 2011 at 12:33 AM, Wakko Warner <wakko@animx.eu.org> wrote:
> Gaurav Saxena wrote:
>> Oh. I will not do it then, could you suggest me something so that I
>> could prevent unlink on some file say using kernel support. I want to
>> save file on unlink how could I do that without kernel support, or how
>> could I do that using a kernel module.
>
> I wrote a library that can be loaded in userspace that does this.  It's not
> very polished, but it works for me.  I use it for rsync when I want files
> "deleted" but not from the filesystem.  It creates a .deleted directory in
> the $PWD.
> If you're interested, I can send it to you.  I have it working on i386 and
> amd64.
Yes I am a lot interested I would customize it to suit my purposes.
Does it work on linux >3.0
>
> --
>  Microsoft has beaten Volkswagen's world record.  Volkswagen only created 22
>  million bugs.



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 16:07 Intercepting system calls Gaurav Saxena
  2011-12-22 16:42 ` richard -rw- weinberger
@ 2011-12-23  7:25 ` J. R. Okajima
  2011-12-23  9:08   ` Gaurav Saxena
  2011-12-23  9:47 ` Jiri Kosina
  2011-12-24  9:09 ` Gaurav Saxena
  3 siblings, 1 reply; 53+ messages in thread
From: J. R. Okajima @ 2011-12-23  7:25 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel


Hello Gaurav,

Gaurav Saxena:
> I am writing an application for which I need to intercept some
> filesystem system calls eg. unlink. I need unlink to call my code
	:::

For kernel space, CONFIG_KPROBES may help you.
See Documentation/kprobes.txt in detail.

For user space, $LD_PRELOAD may help you.
You will need to develop your shared object library which contains
your_unlink() and replaces the original unlink().
See ld.so(8) manual page.


J. R. Okajima
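
An added example, not part of the original message and not the library Wakko Warner mentions earlier in the thread: an LD_PRELOAD shared object of the kind described above, replacing unlink() so that a regular file is hard-linked into a .deleted directory under the current directory before its original name is removed. The names soft_unlink, real_unlink, in_trash and MAX_COPIES are assumptions made for this example; only dynamically linked callers of unlink() are covered, so statically linked binaries, direct system calls and other entry points such as unlinkat() pass straight through.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for syscall() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define TRASH_DIR  ".deleted"   /* directory name from the thread, relative to the CWD */
#define MAX_COPIES 100          /* assumed limit on same-named files kept in the trash */

/* The real operation, issued as a raw system call so the shim never re-enters itself. */
static int real_unlink(const char *path)
{
    return (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
}

/* True for relative paths that already point into the trash directory. */
static int in_trash(const char *path)
{
    size_t n = strlen(TRASH_DIR);

    if (strncmp(path, "./", 2) == 0)
        path += 2;
    return strncmp(path, TRASH_DIR, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Preserve a regular file in TRASH_DIR, then remove its original name. */
int soft_unlink(const char *path)
{
    struct stat st;
    char dest[PATH_MAX];
    const char *base;
    int i, n;

    if (path == NULL) {
        errno = EFAULT;
        return -1;
    }
    /* Purging the trash, missing files and non-regular files get the real call. */
    if (in_trash(path) || lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return real_unlink(path);

    /* Fail closed: if the file cannot be preserved, the deletion is refused. */
    if (mkdir(TRASH_DIR, 0700) != 0 && errno != EEXIST)
        return -1;

    base = strrchr(path, '/');
    base = base ? base + 1 : path;

    for (i = 0; i < MAX_COPIES; i++) {
        if (i == 0)
            n = snprintf(dest, sizeof dest, "%s/%s", TRASH_DIR, base);
        else
            n = snprintf(dest, sizeof dest, "%s/%s.%d", TRASH_DIR, base, i);
        if (n < 0 || (size_t)n >= sizeof dest) {
            errno = ENAMETOOLONG;
            return -1;
        }
        /* link() fails with EEXIST instead of overwriting an earlier copy. */
        if (link(path, dest) == 0)
            return real_unlink(path);
        if (errno != EEXIST)
            return -1;          /* e.g. EXDEV when the file is on another filesystem */
    }
    errno = EEXIST;
    return -1;
}

/* Interposed symbol: the dynamic linker resolves unlink() here before libc. */
int unlink(const char *path)
{
    return soft_unlink(path);
}
```

Build it with `cc -shared -fPIC -o libsoftdel.so softdel.c` and start the target program with LD_PRELOAD=./libsoftdel.so in its environment; both file names are placeholders.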


* Re: Intercepting system calls
  2011-12-23  7:25 ` J. R. Okajima
@ 2011-12-23  9:08   ` Gaurav Saxena
  2011-12-23  9:16     ` richard -rw- weinberger
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  9:08 UTC (permalink / raw)
  To: J. R. Okajima; +Cc: linux-kernel

Hello  J. R. Okajima

On Fri, Dec 23, 2011 at 12:55 PM, J. R. Okajima <hooanon05@yahoo.co.jp> wrote:
>
> Hello Gaurav,
>
> Gaurav Saxena:
>> I am writing an application for which I need to intercept some
>> filesystem system calls eg. unlink. I need unlink to call my code
>        :::
>
> For kernel space, CONFIG_KPROBES may help you.
> See Documentation/kprobes.txt in detail.
Ok I have seen details of KPROBES, I think it will suit to my
requirements, I just wanted to know a few things,
Can I use probes to prevent unlink of certain files? Also is
CONFIG_KPROBES set to "y" on linux kernels available with distros like
ubuntu?
>
> For user space, $LD_PRELOAD may help you.
> You will need to develop your shared object library which contains
> your_unlink() and replaces the original unlink().
> See ld.so(8) manual page.
>
>
> J. R. Okajima



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-23  9:08   ` Gaurav Saxena
@ 2011-12-23  9:16     ` richard -rw- weinberger
  2011-12-23  9:22       ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-23  9:16 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: J. R. Okajima, linux-kernel

On Fri, Dec 23, 2011 at 10:08 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Ok I have seen details of KPROBES, I think it will suit to my
> requirements, I just wanted to know a few things,
> Can I use probes to prevent unlink of certain files? Also is
> CONFIG_KPROBES set to "y" on linux kernels available with distros like
> ubuntu?

Kprobes allow you to instrument the kernel.
AFAIK it is enabled by most distros.

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-23  9:16     ` richard -rw- weinberger
@ 2011-12-23  9:22       ` Gaurav Saxena
  2011-12-23  9:26         ` richard -rw- weinberger
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  9:22 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: J. R. Okajima, linux-kernel

Hello Richard

On Fri, Dec 23, 2011 at 2:46 PM, richard -rw- weinberger
<richard.weinberger@gmail.com> wrote:
> On Fri, Dec 23, 2011 at 10:08 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> Ok I have seen details of KPROBES, I think it will suit to my
>> requirements, I just wanted to know a few things,
>> Can I use probes to prevent unlink of certain files? Also is
>> CONFIG_KPROBES set to "y" on linux kernels available with distros like
>> ubuntu?
>
> Kprobes allow you to instrument the kernel.
> AFAIK it is enabled by most distros.
Can I use probes to return immediately ie. without execution of
original system call. For example I put a entry probe on unlink and
then on the probe return value unlink code is executed or not. Is that
possible ?
Also can I call a userspace function from kernel code? Would that be insecure ?
>
> --
> Thanks,
> //richard



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-23  9:22       ` Gaurav Saxena
@ 2011-12-23  9:26         ` richard -rw- weinberger
  2011-12-23  9:37           ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-23  9:26 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: J. R. Okajima, linux-kernel

On Fri, Dec 23, 2011 at 10:22 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello Richard
>
> On Fri, Dec 23, 2011 at 2:46 PM, richard -rw- weinberger
> <richard.weinberger@gmail.com> wrote:
>> On Fri, Dec 23, 2011 at 10:08 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>>> Ok I have seen details of KPROBES, I think it will suit to my
>>> requirements, I just wanted to know a few things,
>>> Can I use probes to prevent unlink of certain files? Also is
>>> CONFIG_KPROBES set to "y" on linux kernels available with distros like
>>> ubuntu?
>>
>> Kprobes allow you to instrument the kernel.
>> AFAIK it is enabled by most distros.
> Can I use probes to return immediately ie. without execution of
> original system call. For example I put a entry probe on unlink and
> then on the probe return value unlink code is executed or not. Is that
> possible ?
> Also can I call a userspace function from kernel code? Would that be insecure ?

Using Kprobes you can do nearly anything.
But I would be surprised if you find an acceptable and sane solution.

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-23  9:26         ` richard -rw- weinberger
@ 2011-12-23  9:37           ` Gaurav Saxena
  0 siblings, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  9:37 UTC (permalink / raw)
  To: richard -rw- weinberger; +Cc: J. R. Okajima, linux-kernel

On Fri, Dec 23, 2011 at 2:56 PM, richard -rw- weinberger
<richard.weinberger@gmail.com> wrote:
> On Fri, Dec 23, 2011 at 10:22 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> Hello Richard
>>
>> On Fri, Dec 23, 2011 at 2:46 PM, richard -rw- weinberger
>> <richard.weinberger@gmail.com> wrote:
>>> On Fri, Dec 23, 2011 at 10:08 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>>>> Ok I have seen details of KPROBES, I think it will suit to my
>>>> requirements, I just wanted to know a few things,
>>>> Can I use probes to prevent unlink of certain files? Also is
>>>> CONFIG_KPROBES set to "y" on linux kernels available with distros like
>>>> ubuntu?
>>>
>>> Kprobes allow you to instrument the kernel.
>>> AFAIK it is enabled by most distros.
>> Can I use probes to return immediately ie. without execution of
>> original system call. For example I put a entry probe on unlink and
>> then on the probe return value unlink code is executed or not. Is that
>> possible ?
>> Also can I call a userspace function from kernel code? Would that be insecure ?
>
> Using Kprobes you can do nearly anything.
As I go through the documentation, it says execution of system call
does not depend upon the return value of probe, then how could I stop
the system call from being executed? I don't want to use wild jumps.
> But I would be surprised if you find an acceptable and sane solution.
Why is tinkering around system calls so insane? I think SELinux and
some other projects offer some such options but they have patches
which involves recompiling/reinstalling the kernel to use them,
Couldn't there be any sane method with current kernel which could make
this work. Is this done for security ?
>
> --
> Thanks,
> //richard



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-22 19:03     ` Wakko Warner
  2011-12-23  2:25       ` Gaurav Saxena
@ 2011-12-23  9:45       ` Jiri Kosina
  2011-12-23 15:10         ` Wakko Warner
  1 sibling, 1 reply; 53+ messages in thread
From: Jiri Kosina @ 2011-12-23  9:45 UTC (permalink / raw)
  To: Wakko Warner; +Cc: Gaurav Saxena, linux-kernel

On Thu, 22 Dec 2011, Wakko Warner wrote:

> > Oh. I will not do it then, could you suggest me something so that I
> > could prevent unlink on some file say using kernel support. I want to
> > save file on unlink how could I do that without kernel support, or how
> > could I do that using a kernel module.
> 
> I wrote a library that can be loaded in userspace that does this.  It's not
> very polished, but it works for me.  I use it for rsync when I want files
> "deleted" but not from the filesystem.  It creates a .deleted directory in
> the $PWD.

I don't see a way how library could cover any arbitrary userspace process 
issuing unlink() (consider statically linked binaries, for starters).

-- 
Jiri Kosina
SUSE Labs



* Re: Intercepting system calls
  2011-12-22 16:07 Intercepting system calls Gaurav Saxena
  2011-12-22 16:42 ` richard -rw- weinberger
  2011-12-23  7:25 ` J. R. Okajima
@ 2011-12-23  9:47 ` Jiri Kosina
  2011-12-23  9:50   ` Gaurav Saxena
  2011-12-24  9:09 ` Gaurav Saxena
  3 siblings, 1 reply; 53+ messages in thread
From: Jiri Kosina @ 2011-12-23  9:47 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-kernel

On Thu, 22 Dec 2011, Gaurav Saxena wrote:

> I am writing an application for which I need to intercept some
> filesystem system calls eg. unlink. I need unlink to call my code
> before deleting abc so that I could probably prevent unlink . I would
> like to implement this in a kernel module instead of modifying kernel
> code itself. I would like to intercept system calls by replacing
> system calls but I have not been able to find any method of doing that
> in linux > 3.0. Please suggest some method of doing that.

Write a kernel module that instruments sys_unlink() via kprobes. See
Documentation/kprobes.txt for details.

-- 
Jiri Kosina
SUSE Labs



* Re: Intercepting system calls
  2011-12-23  9:47 ` Jiri Kosina
@ 2011-12-23  9:50   ` Gaurav Saxena
  2011-12-23 11:59     ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23  9:50 UTC (permalink / raw)
  To: Jiri Kosina; +Cc: linux-kernel

Hello Jiri

On Fri, Dec 23, 2011 at 3:17 PM, Jiri Kosina <jkosina@suse.cz> wrote:
> On Thu, 22 Dec 2011, Gaurav Saxena wrote:
>
>> I am writing an application for which I need to intercept some
>> filesystem system calls eg. unlink. I need unlink to call my code
>> before deleting abc so that I could probably prevent unlink . I would
>> like to implement this in a kernel module instead of modifying kernel
>> code itself. I would like to intercept system calls by replacing
>> system calls but I have not been able to find any method of doing that
>> in linux > 3.0. Please suggest some method of doing that.
>
> Write a kernel module that instruments sys_unlink() via kprobes. See
> Documentation/kprobes.txt for details.
Ok. I am looking at its details, will try that. But how could a probe
prevent execution of a system call?
>
> --
> Jiri Kosina
> SUSE Labs
>



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-23  9:50   ` Gaurav Saxena
@ 2011-12-23 11:59     ` Gaurav Saxena
  2011-12-23 12:29       ` Maxin B John
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23 11:59 UTC (permalink / raw)
  To: Jiri Kosina; +Cc: linux-kernel

I found that Ubuntu does not have a kprobe enabled kernel. :( I don't
think I could use kprobes then.

On Fri, Dec 23, 2011 at 3:20 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello Jiri
>
> On Fri, Dec 23, 2011 at 3:17 PM, Jiri Kosina <jkosina@suse.cz> wrote:
>> On Thu, 22 Dec 2011, Gaurav Saxena wrote:
>>
>>> I am writing an application for which I need to intercept some
>>> filesystem system calls eg. unlink. I need unlink to call my code
>>> before deleting abc so that I could probably prevent unlink . I would
>>> like to implement this in a kernel module instead of modifying kernel
>>> code itself. I would like to intercept system calls by replacing
>>> system calls but I have not been able to find any method of doing that
>>> in linux > 3.0. Please suggest some method of doing that.
>>
>> Write a kernel module that instruments sys_unlink() via kprobes. See
>> Documentation/kprobes.txt for details.
> Ok. I am looking at its details, will try that. But how could a probe
> prevent execution of a system call?
>>
>> --
>> Jiri Kosina
>> SUSE Labs
>>
>
>
>
> --
> Thanks and Regards ,
> Gaurav



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-23 11:59     ` Gaurav Saxena
@ 2011-12-23 12:29       ` Maxin B John
  2011-12-23 12:50         ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Maxin B John @ 2011-12-23 12:29 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: Jiri Kosina, linux-kernel

Hi,

On Fri, Dec 23, 2011 at 1:59 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> I found that Ubuntu does not have a kprobe enabled kernel. :( I don't
> think I could use kprobes then.

Probably you can find a solution using Systemtap.

Have a look at this example:
http://sourceware.org/systemtap/examples/general/badname.stp

It just needs some modifications to meet your needs.

HTH,
Maxin B. John

> On Fri, Dec 23, 2011 at 3:20 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> Hello Jiri
>>
>> On Fri, Dec 23, 2011 at 3:17 PM, Jiri Kosina <jkosina@suse.cz> wrote:
>>> On Thu, 22 Dec 2011, Gaurav Saxena wrote:
>>>
>>>> I am writing an application for which I need to intercept some
>>>> filesystem system calls eg. unlink. I need unlink to call my code
>>>> before deleting abc so that I could probably prevent unlink . I would
>>>> like to implement this in a kernel module instead of modifying kernel
>>>> code itself. I would like to intercept system calls by replacing
>>>> system calls but I have not been able to find any method of doing that
>>>> in linux > 3.0. Please suggest some method of doing that.
>>>
>>> Write a kernel module that instruments sys_unlink() via kprobes. See
>>> Documentation/kprobes.txt for details.
>> Ok. I am looking at its details, will try that. But how could a probe
>> prevent execution of a system call?
>>>
>>> --
>>> Jiri Kosina
>>> SUSE Labs
>>>
>>
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>
>
>
> --
> Thanks and Regards ,
> Gaurav


* Re: Intercepting system calls
  2011-12-23 12:29       ` Maxin B John
@ 2011-12-23 12:50         ` Gaurav Saxena
  2011-12-23 13:00           ` richard -rw- weinberger
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23 12:50 UTC (permalink / raw)
  To: Maxin B John; +Cc: Jiri Kosina, linux-kernel

Hello Maxin,
Thanks a lot for your reply.

On Fri, Dec 23, 2011 at 5:59 PM, Maxin B John <maxin.john@gmail.com> wrote:
> Hi,
>
> On Fri, Dec 23, 2011 at 1:59 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> I found that Ubuntu does not have a kprobe enabled kernel. :( I don't
>> think I could use kprobes then.
>
> Probably you can find a solution using Systemtap.
>
> Have a look at this example:
> http://sourceware.org/systemtap/examples/general/badname.stp
>
> It just needs some modifications to meet your needs.
Thanks for your help , but I saw systemtap page and it says
prerequisites for using system tap are linux kernel with kprobes
enabled.
I think I would need to find another way of tapping it. :(
>
> HTH,
> Maxin B. John
>
>> On Fri, Dec 23, 2011 at 3:20 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>>> Hello Jiri
>>>
>>> On Fri, Dec 23, 2011 at 3:17 PM, Jiri Kosina <jkosina@suse.cz> wrote:
>>>> On Thu, 22 Dec 2011, Gaurav Saxena wrote:
>>>>
>>>>> I am writing an application for which I need to intercept some
>>>>> filesystem system calls eg. unlink. I need unlink to call my code
>>>>> before deleting abc so that I could probably prevent unlink . I would
>>>>> like to implement this in a kernel module instead of modifying kernel
>>>>> code itself. I would like to intercept system calls by replacing
>>>>> system calls but I have not been able to find any method of doing that
>>>>> in linux > 3.0. Please suggest some method of doing that.
>>>>
>>>> Write a kernel module that instruments sys_unlink() via kprobes. See
>>>> Documentation/kprobes.txt for details.
>>> Ok. I am looking at its details, will try that. But how could a probe
>>> prevent execution of a system call?
>>>>
>>>> --
>>>> Jiri Kosina
>>>> SUSE Labs
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>>
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav



-- 
Thanks and Regards ,
Gaurav


* Re: Intercepting system calls
  2011-12-23 12:50         ` Gaurav Saxena
@ 2011-12-23 13:00           ` richard -rw- weinberger
  0 siblings, 0 replies; 53+ messages in thread
From: richard -rw- weinberger @ 2011-12-23 13:00 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: Maxin B John, Jiri Kosina, linux-kernel

On Fri, Dec 23, 2011 at 1:50 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Thanks for your help , but I saw systemtap page and it says
> prerequisites for using system tap are linux kernel with kprobes
> enabled.
> I think I would need to find another way of tapping it. :(

Maybe it's time to rethink your problem.
What do you *really* need?

-- 
Thanks,
//richard


* Re: Intercepting system calls
  2011-12-23  2:22       ` Gaurav Saxena
@ 2011-12-23 14:38         ` John Stoffel
  2011-12-23 17:03           ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: John Stoffel @ 2011-12-23 14:38 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: John Stoffel, richard -rw- weinberger, linux-kernel

>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:

Gaurav> Hello John,
Gaurav> On Thu, Dec 22, 2011 at 11:22 PM, John Stoffel <john@stoffel.org> wrote:
>>>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:
>> 
>>>> Intercepting system calls is very bad, don't do it.
>> 
Gaurav> Oh. I will not do it then, could you suggest me something so
Gaurav> that I could prevent unlink on some file say using kernel
Gaurav> support. I want to save file on unlink how could I do that
Gaurav> without kernel support, or how could I do that using a kernel
Gaurav> module.
>> 
>> Write a FUSE module to mount the filesystem through, inside your FUSE
>> module you can intercept the unlink/truncate/write calls and decide
>> what you want to have happen.

Gaurav> I would like to write it differently for each type of filesystem ?
Gaurav> Because what operations to call after my function depends on this.
Gaurav> Also Can I mount "/" in this way ?

Sounds like you really want to use inotify() then, but intercepting
calls to write/truncate/unlink isn't going to be easy to handle across
a large spectrum of filesystems without a bunch of hacking.  

Maybe if you can explain your requirements more clearly, with an
example of what you're trying to accomplish, then people could help
you more.

Also, it might be more appropriate to talk to the 'fs-devel' mailing
list.  I think it's on kernel.org, but not sure.

John


^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-22 17:52     ` John Stoffel
  2011-12-23  2:22       ` Gaurav Saxena
@ 2011-12-23 14:50       ` Alan Cox
  2011-12-23 17:07         ` Gaurav Saxena
  1 sibling, 1 reply; 53+ messages in thread
From: Alan Cox @ 2011-12-23 14:50 UTC (permalink / raw)
  To: John Stoffel; +Cc: Gaurav Saxena, richard -rw- weinberger, linux-kernel

> Write a FUSE module to mount the filesystem through, inside your FUSE
> module you can intercept the unlink/truncate/write calls and decide
> what you want to have happen.

Using fanotify and/or a custom security module (or selinux rules) might
well also be a cleaner way to do it, depending what is actually intended.

Trying to do stuff like archive 'old versions' isn't just about unlink
however because many programs update the inplace file rather than
unlink/replace.

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-23  9:45       ` Jiri Kosina
@ 2011-12-23 15:10         ` Wakko Warner
  0 siblings, 0 replies; 53+ messages in thread
From: Wakko Warner @ 2011-12-23 15:10 UTC (permalink / raw)
  To: Jiri Kosina; +Cc: Gaurav Saxena, linux-kernel

Jiri Kosina wrote:
> On Thu, 22 Dec 2011, Wakko Warner wrote:
> 
> > > Oh. I will not do it then, could you suggest me something so that I
> > > could prevent unlink on some file say using kernel support. I want to
> > > save file on unlink how could I do that without kernel support, or how
> > > could I do that using a kernel module.
> > 
> > I wrote a library that can be loaded in userspace that does this.  It's not
> > very polished, but it works for me.  I use it for rsync when I want files
> > "deleted" but not from the filesystem.  It creates a .deleted directory in
> > the $PWD.
> 
> I don't see a way how library could cover any arbitrary userspace process 
> issuing unlink() (consider statically linked binaries, for starters).

It cannot.  I already understand that static binaries cannot be trapped like
this.

-- 
 Microsoft has beaten Volkswagen's world record.  Volkswagen only created 22
 million bugs.

^ permalink raw reply	[flat|nested] 53+ messages in thread
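
An added example of the kind of userspace library described in the message above (not the poster's library, which is not shown in the thread): an `LD_PRELOAD` shim whose `unlink()` and `unlinkat()` give the file a second name under `./.deleted` before dropping the original one. `TRASH_DIR`, `move_to_trash`, `real_unlinkat` and `trashcan_selftest` are names chosen for this example; as the thread notes, statically linked binaries, and anything that issues the system call directly, are not covered.

```c
/* trashcan.c: LD_PRELOAD shim, unlink() becomes "move into ./.deleted".
 * Build: cc -shared -fPIC -o libtrashcan.so trashcan.c
 * Use:   LD_PRELOAD=$PWD/libtrashcan.so rsync -a --delete src/ dst/
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define TRASH_DIR ".deleted"          /* created in the current directory */

/* The real removal: raw syscall, so it cannot recurse into our wrappers. */
static int real_unlinkat(int dirfd, const char *path, int flags)
{
    return (int)syscall(SYS_unlinkat, dirfd, path, flags);
}

/* Give `path` a second name under TRASH_DIR, then drop the original name. */
static int move_to_trash(int dirfd, const char *path)
{
    struct stat st;
    char dest[PATH_MAX];
    const char *base = strrchr(path, '/');
    int i, n, saved;

    base = base ? base + 1 : path;
    if (fstatat(dirfd, path, &st, AT_SYMLINK_NOFOLLOW) != 0)
        return -1;                    /* e.g. ENOENT, exactly as unlink() */
    if (S_ISDIR(st.st_mode)) {
        errno = EISDIR;               /* unlink() does not remove directories */
        return -1;
    }
    if (mkdir(TRASH_DIR, 0700) != 0 && errno != EEXIST)
        return -1;

    /* linkat() fails with EEXIST instead of overwriting, so an earlier saved
     * copy is never clobbered: try NAME, NAME.1, NAME.2, ... */
    for (i = 0; ; i++) {
        n = i ? snprintf(dest, sizeof dest, "%s/%s.%d", TRASH_DIR, base, i)
              : snprintf(dest, sizeof dest, "%s/%s", TRASH_DIR, base);
        if (n < 0 || (size_t)n >= sizeof dest) {
            errno = ENAMETOOLONG;
            return -1;
        }
        if (linkat(dirfd, path, AT_FDCWD, dest, 0) == 0)
            break;
        if (errno != EEXIST || i == 9999)
            return -1;                /* EXDEV, EPERM, ...: refuse to delete */
    }
    if (real_unlinkat(dirfd, path, 0) != 0) {
        saved = errno;                /* roll back the extra link */
        real_unlinkat(AT_FDCWD, dest, 0);
        errno = saved;
        return -1;
    }
    return 0;
}

/* Interposed libc entry points. rm(1) uses unlinkat(), so wrap both. */
int unlink(const char *path)
{
    return move_to_trash(AT_FDCWD, path);
}

int unlinkat(int dirfd, const char *path, int flags)
{
    if (flags & AT_REMOVEDIR)         /* rmdir semantics: pass through */
        return real_unlinkat(dirfd, path, flags);
    return move_to_trash(dirfd, path);
}

/* Self-check on a constructed file in a scratch directory; 0 on success. */
int trashcan_selftest(void)
{
    char dir[] = "/tmp/trashcan-XXXXXX";
    struct stat st;
    int round, fd;

    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    for (round = 0; round < 2; round++) {
        fd = open("victim.txt", O_CREAT | O_EXCL | O_WRONLY, 0600);
        if (fd < 0 || write(fd, "data\n", 5) != 5 || close(fd) != 0)
            return -2;
        if (unlink("victim.txt") != 0)          /* calls the wrapper above */
            return -3;
        if (lstat("victim.txt", &st) == 0)      /* original name is gone */
            return -4;
    }
    if (lstat(TRASH_DIR "/victim.txt", &st) != 0 || st.st_size != 5)
        return -5;
    if (lstat(TRASH_DIR "/victim.txt.1", &st) != 0 || st.st_size != 5)
        return -6;
    return 0;
}
```

Because the copy is made with a hard link, a file on a different filesystem than `./.deleted` is not deleted at all: the wrapper returns the `linkat()` error rather than losing the data.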

* Re: Intercepting system calls
  2011-12-23 14:38         ` John Stoffel
@ 2011-12-23 17:03           ` Gaurav Saxena
  2011-12-28 12:56             ` Wojciech Zygmunt Porczyk
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23 17:03 UTC (permalink / raw)
  To: John Stoffel; +Cc: richard -rw- weinberger, linux-kernel

Hello all, thanks for your reply.

On Fri, Dec 23, 2011 at 8:08 PM, John Stoffel <john@stoffel.org> wrote:
>>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:
>
> Gaurav> Hello John,
> Gaurav> On Thu, Dec 22, 2011 at 11:22 PM, John Stoffel <john@stoffel.org> wrote:
>>>>>>>> "Gaurav" == Gaurav Saxena <grvsaxena419@gmail.com> writes:
>>>
>>>>> Intercepting system calls is very bad, don't do it.
>>>
> Gaurav> Oh. I will not do it then, could you suggest me something so
> Gaurav> that I could prevent unlink on some file say using kernel
> Gaurav> support. I want to save file on unlink how could I do that
> Gaurav> without kernel support, or how could I do that using a kernel
> Gaurav> module.
>>>
>>> Write a FUSE module to mount the filesystem through, inside your FUSE
>>> module you can intercept the unlink/truncate/write calls and decide
>>> what you want to have happen.
>
> Gaurav> I would like to write it differently for each type of filesystem ?
> Gaurav> Because what operations to call after my function depends on this.
> Gaurav> Also Can I mount "/" in this way ?
>
> Sounds like you really want to use inotify() then, but intercepting
> calls to write/truncate/unlink isn't going to be easy to handle across
> a large spectrum of filesystems without a bunch of hacking.
>
> Maybe if you can explain your requirements more clearly, with an
> example of what you're trying to accomplish, then people could help
> you more.
>
> Also, it might be more appropriate to talk to the 'fs-devel' mailing
> list.  I think it's on kernel.org, but not sure.
>
> John
>

I am trying to write an application which would create a backup for
the system so that it could be restored as it is. For example I create
a backup using my application. I just do nothing at time of backup so
it would be fast. Now whenever I see any deletion I would save that
file so that I could restore it. Also I would like to see for
modification/rename. I cannot do this using inotify as I would be
notified after actual deletion/write. I don't want to use SELinux
because I want to implement this on existing installed system. I was
earlier thinking of replacing system calls for open/unlink with my
custom calls which will call my functions before actual work and then
I would decide what to do. I would also want to reject unlink requests
for some of the files. But as I now know that it's not working in
linux>3.0. I had also seen dazuko which is not supporting linux>3.0
yet. Also there used to be a redirfs which used to work earlier but
the latest kernel is not supported yet. So I asked this question so
that I could get some solution/method of doing this.
I will try finding fs-devel list.
Thanks to you all for your help.


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread
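
The ordering problem raised in the message above, shown as an added example (not code from the thread): the program watches a scratch directory with inotify, deletes a constructed file, and checks what is still reachable by the time `IN_DELETE` is read. The file name, directory template and function name are chosen for the example.

```c
/* inotify_late.c: IN_DELETE is a notification, not a veto point. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define SAMPLE_NAME "important.txt"   /* constructed sample file */

/*
 * Watch a scratch directory, delete a file in it, read the IN_DELETE event,
 * then try to reach the file by name. Returns the errno of that attempt
 * (0 if the file were somehow still there), or -1 if setup failed or no
 * matching event was read.
 */
int errno_after_delete_event(void)
{
    char dir[] = "/tmp/inotify-late-XXXXXX";
    char path[PATH_MAX];
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct stat st;
    ssize_t len, off;
    int ifd, fd, result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/%s", dir, SAMPLE_NAME);

    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        goto out_dir;
    if (write(fd, "payload\n", 8) != 8) {
        close(fd);
        goto out_file;
    }
    close(fd);

    ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0)
        goto out_file;
    if (inotify_add_watch(ifd, dir, IN_DELETE) < 0)
        goto out_ifd;

    if (unlink(path) != 0)            /* the deletion the watcher cares about */
        goto out_ifd;

    /* The event was queued while unlink() ran, so a non-blocking read gets it. */
    len = read(ifd, buf, sizeof buf);
    for (off = 0; off < len; ) {
        const struct inotify_event *ev =
            (const struct inotify_event *)(buf + off);

        if ((ev->mask & IN_DELETE) && ev->len &&
            strcmp(ev->name, SAMPLE_NAME) == 0) {
            /* All the watcher receives is a name: no descriptor, no data. */
            result = stat(path, &st) == 0 ? 0 : errno;
        }
        off += (ssize_t)sizeof *ev + ev->len;
    }

out_ifd:
    close(ifd);
out_file:
    unlink(path);                     /* no-op when the deletion succeeded */
out_dir:
    rmdir(dir);
    return result;
}

int main(void)
{
    int e = errno_after_delete_event();

    printf("after IN_DELETE, stat() reports: %s\n",
           e > 0 ? strerror(e) : "unexpected result");
    return e == ENOENT ? 0 : 1;
}
```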

* Re: Intercepting system calls
  2011-12-23 14:50       ` Alan Cox
@ 2011-12-23 17:07         ` Gaurav Saxena
  0 siblings, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-23 17:07 UTC (permalink / raw)
  To: Alan Cox; +Cc: John Stoffel, richard -rw- weinberger, linux-kernel

Hello Alan

On Fri, Dec 23, 2011 at 8:20 PM, Alan Cox <alan@lxorguk.ukuu.org.uk> wrote:
>> Write a FUSE module to mount the filesystem through, inside your FUSE
>> module you can intercept the unlink/truncate/write calls and decide
>> what you want to have happen.
>
> Using fanotify and/or a custom security module (or selinux rules) might
> well also be a cleaner way to do it, depending what is actually intended.
>
> Trying to do stuff like archive 'old versions' isn't just about unlink
> however because many programs update the inplace file rather than
> unlink/replace.
I will see what SELinux offers but as far as I know I would need a
kernel recompile/ reinstall for that which most of the users would
avoid. I would still try doing these if I don't find any other way,
but still kprobes seemed a better way but ubuntu kernel does not
enable them.


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Intercepting system calls
  2011-12-22 16:07 Intercepting system calls Gaurav Saxena
                   ` (2 preceding siblings ...)
  2011-12-23  9:47 ` Jiri Kosina
@ 2011-12-24  9:09 ` Gaurav Saxena
  2011-12-26  5:53   ` Rajat Sharma
  3 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-24  9:09 UTC (permalink / raw)
  To: linux-fsdevel

Hello all,

I am writing an application which would create a backup for the system
so that it could be restored as it is. For example I create a backup
using my application. I just do nothing at time of backup so it would
be fast. Now whenever I see any deletion I would save that file so
that I could restore it. Also I would like to see for
modification/rename. I cannot do this using inotify as I would be
notified after actual deletion/write. I don't want to use SELinux
because I want to implement this on existing installed system. I was
earlier thinking of replacing system calls for open/unlink with my
custom calls which will call my functions before actual work and then
I would decide what to do. I would also want to reject unlink requests
for some of the files. But as I now know that it's not working in
linux>3.0. I had also seen dazuko which is not supporting linux>3.0
yet. Also there used to be a redirfs which used to work earlier but
the latest kernel is not supported yet. I think a method could be to
replace unlink in syscall table with my unlink function but I don't
find any good method of doing that, as syscall table is no longer
exported. I would like to implement this in a kernel module instead of
modifying kernel code itself. Please suggest some method of doing
that.
Thanks to you all for your help.

--
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-24  9:09 ` Gaurav Saxena
@ 2011-12-26  5:53   ` Rajat Sharma
  2011-12-28  5:59     ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Rajat Sharma @ 2011-12-26  5:53 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-fsdevel

Hi Gaurav,

I would suggest to take a wrapfs source (a null stackable file-system)
and customize it for your need. Well Erez (wrapfs author) puts his
continuous efforts in stabilizing wrapfs and porting to new kernels
and he is approachable too. In fact he has acknowledged one of my patches
and merged it into wrapfs tree.

Agreed that you can do stuff like patching system call table but I
(and most of us here) would categorize that as pure hack, as there
exists no framework provided by kernel to do that. Also any approach
you take to patch system call table won't be stable.

Thanks,
Rajat

On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello all,
>
> I am writing an application which would create a backup for the system
> so that it could be restored as it is. For example I create a backup
> using my application. I just do nothing at time of backup so it would
> be fast. Now whenever I see any deletion I would save that file so
> that I could restore it. Also I would like to see for
> modification/rename. I cannot do this using inotify as I would be
> notified after actual deletion/write. I don't want to use SELinux
> because I want to implement this on existing installed system. I was
> earlier thinking of replacing system calls for open/unlink with my
> custom calls which will call my functions before actual work and then
> I would decide what to do I would also want to reject unlink request
> for some of the files. But as I now know that it's not working in
> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
> yet. Also there used to be a redirfs which used to work earlier but
> the latest kernel is not supported yet. I think a method could be to
> replace unlink in syscall table with my unlink function but I don't
> find any good method of doing that, as syscall table is no longer
> exported. I would like to implement this in a kernel module instead of
> modifying kernel code itself. Please suggest some method of doing
> that.
> Thanks to you all for your help.
>
> --
> Thanks and Regards ,
> Gaurav
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-26  5:53   ` Rajat Sharma
@ 2011-12-28  5:59     ` Gaurav Saxena
  2011-12-28 13:44       ` Rajat Sharma
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-28  5:59 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: linux-fsdevel

Hello Rajat, thanks for your reply.

On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com> wrote:
> Hi Gaurav,
>
> I would suggest to take a wrapfs source (a null stackable file-system)
> and customize it for your need. Well Erez (wrapfs author) puts his
> continuous efforts in stabilizing wrapfs and porting to new kernels
> and he is approachable too. In fact he has acknowledged one of my patches
> and merged it into wrapfs tree.
Is there a way to mount "/" on such file system ? Like I want to
monitor / for changes like unlink or modified write. Would I be able
to see such changes using wrapfs. As by default on the systems "/"
would be mounted as  ext4 filesystem.
>
> Agreed that you can do stuffs like patching system call table but I
> (and most of us here) would categorize that as pure hack, as there
> exist no framework provided by kernel to do that. Also any approach
> you take to patch system call table won't be stable.
Yes I agree with you I want to do this using a method which is not a
hack, so that the support remains with all the versions of kernel
rather than a trick that works in a limited way.
>
> Thanks,
> Rajat
>
> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>> Hello all,
>>
>> I am writing an application which would create a backup for the system
>> so that it could be restored as it is. For example I create a backup
>> using my application. I just do nothing at time of backup so it would
>> be fast. Now whenever I see any deletion I would save that file so
>> that I could restore it. Also I would like to see for
>> modification/rename. I cannot do this using inotify as I would be
>> notified after actual deletion/write. I don't want to use SELinux
>> because I want to implement this on existing installed system. I was
>> earlier thinking of replacing system calls for open/unlink with my
>> custom calls which will call my functions before actual work and then
>> I would decide what to do I would also want to reject unlink request
>> for some of the files. But as I now know that it's not working in
>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>> yet. Also there used to be a redirfs which used to work earlier but
>> the latest kernel is not supported yet. I think a method could be to
>> replace unlink in syscall table with my unlink function but I don't
>> find any good method of doing that, as syscall table is no longer
>> exported. I would like to implement this in a kernel module instead of
>> modifying kernel code itself. Please suggest some method of doing
>> that.
>> Thanks to you all for your help.
>>
>> --
>> Thanks and Regards ,
>> Gaurav



-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-23 17:03           ` Gaurav Saxena
@ 2011-12-28 12:56             ` Wojciech Zygmunt Porczyk
  2011-12-29  6:38               ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Wojciech Zygmunt Porczyk @ 2011-12-28 12:56 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: John Stoffel, richard -rw- weinberger, linux-kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Dec 23, 2011 at 10:33:45PM +0530, Gaurav Saxena wrote:
> I am trying to write an application which would create a backup for
> the system so that it could be restored as it is. For example I create
> a backup using my application. I just do nothing at time of backup so
> it would be fast. Now whenever I see any deletion I would save that
> file so that I could restore it.

You almost certainly want to research LVM(-like) snapshots. They are
operating in block layer, so you can restore fs "as it was", with COW
feature they do "nothing" at creation and just save overwritten data
somewhere else.

See: lvcreate(8), xfs_freeze(8). Maybe btrfs(8) ("btrfs subvolume
snapshot") but btrfs is not really production-ready, so get lvm2+xfs.

- -- 
regards
WZJP
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iEYEARECAAYFAk77Ef8ACgkQDgvLOJe6jMmQuACfassIV+vXCTmvMCTUqa81wgFf
lBcAoLwYdPf59FEJ7sl/lzyHLLo4pG2r
=Zt0G
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-28  5:59     ` Gaurav Saxena
@ 2011-12-28 13:44       ` Rajat Sharma
  2011-12-29  6:42         ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Rajat Sharma @ 2011-12-28 13:44 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-fsdevel

wrapfs needs the underlying filesystem to be already mounted and then
it attaches itself on top of this mount point. That's the whole idea of
stacking one to one VFS objects from wrapfs to underlying FS objects.
So it assumes / to be already mounted. And you would want to
attach to a root volume as soon as possible, so entering wrapfs mount
entry in /etc/fstab just after / entry should be good enough.

Thanks,
Rajat

On Wed, Dec 28, 2011 at 11:29 AM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello Rajat Thanks for your reply.
>
> On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> Hi Gaurav,
>>
>> I would suggest to take a wrapfs source (a null stackable file-system)
>> and customize it for your need. Well Erez (wrapfs author) puts his
>> continuous efforts in stabilizing wrapfs and porting to new kernels
>> and he is approachable too. In fact he has acknowledged one of my patches
>> and merged it into wrapfs tree.
> Is there a way to mount "/" on such file system ? Like I want to
> monitor / for changes like unlink or modified write. Would I be able
> to see such changes using wrapfs. As by default on the systems "/"
> would be mounted as  ext4 filesystem.
>>
>> Agreed that you can do stuffs like patching system call table but I
>> (and most of us here) would categorize that as pure hack, as there
>> exist no framework provided by kernel to do that. Also any approach
>> you take to patch system call table won't be stable.
> Yes I agree with you I want to do this using a method which is not a
> hack, so that the support remains with all the versions of kernel
> rather than a trick that works in a limited way.
>>
>> Thanks,
>> Rajat
>>
>> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
>>> Hello all,
>>>
>>> I am writing an application which would create a backup for the system
>>> so that it could be restored as it is. For example I create a backup
>>> using my application. I just do nothing at time of backup so it would
>>> be fast. Now whenever I see any deletion I would save that file so
>>> that I could restore it. Also I would like to see for
>>> modification/rename. I cannot do this using inotify as I would be
>>> notified after actual deletion/write. I don't want to use SELinux
>>> because I want to implement this on existing installed system. I was
>>> earlier thinking of replacing system calls for open/unlink with my
>>> custom calls which will call my functions before actual work and then
>>> I would decide what to do I would also want to reject unlink request
>>> for some of the files. But as I now know that it's not working in
>>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>>> yet. Also there used to be a redirfs which used to work earlier but
>>> the latest kernel is not supported yet. I think a method could be to
>>> replace unlink in syscall table with my unlink function but I don't
>>> find any good method of doing that, as syscall table is no longer
>>> exported. I would like to implement this in a kernel module instead of
>>> modifying kernel code itself. Please suggest some method of doing
>>> that.
>>> Thanks to you all for your help.
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>
>
>
> --
> Thanks and Regards ,
> Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-28 12:56             ` Wojciech Zygmunt Porczyk
@ 2011-12-29  6:38               ` Gaurav Saxena
  0 siblings, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29  6:38 UTC (permalink / raw)
  To: Wojciech Zygmunt Porczyk
  Cc: John Stoffel, richard -rw- weinberger, linux-kernel

Hello Wojciech, Thanks for your reply.

On 12/28/11, Wojciech Zygmunt Porczyk <wojciech@porczyk.eu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, Dec 23, 2011 at 10:33:45PM +0530, Gaurav Saxena wrote:
>> I am trying to write an application which would create a backup for
>> the system so that it could be restored as it is. For example I create
>> a backup using my application. I just do nothing at time of backup so
>> it would be fast. Now whenever I see any deletion I would save that
>> file so that I could restore it.
>
> You almost certainly want to research LVM(-like) snapshots. They are
> operating in block layer, so you can restore fs "as it was", with COW
> feature they do "nothing" at creation and just save overwritten data
> somewhere else.
Yes I understand what I want to implement is done in LVM snapshots.
But I want to implement this functionality using a different approach.
As LVM are filesystem dependent and cannot work without repartitioning
of the system. Also they make system slow after many snapshots are
created.
>
> See: lvcreate(8), xfs_freeze(8). Maybe btrfs(8) ("btrfs subvolume
> snapshot") but btrfs is not really production-ready, so get lvm2+xfs.
>
> - --
> regards
> WZJP
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.18 (GNU/Linux)
>
> iEYEARECAAYFAk77Ef8ACgkQDgvLOJe6jMmQuACfassIV+vXCTmvMCTUqa81wgFf
> lBcAoLwYdPf59FEJ7sl/lzyHLLo4pG2r
> =Zt0G
> -----END PGP SIGNATURE-----
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-28 13:44       ` Rajat Sharma
@ 2011-12-29  6:42         ` Gaurav Saxena
  2011-12-29  8:49           ` Rajat Sharma
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29  6:42 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: linux-fsdevel

Hello Rajat, Thanks for your reply.

On 12/28/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
> wrapfs needs the underlying filesystem to be already mounted and then
> it attaches itself on top of this mount point.
Ok That means it will replace the specific file system operations with
its own operations ? And then call the specific operations from
itself? Doesn't it then require a different operation for each file
system ?
> That's the whole idea of
> stacking one to one VFS objects from wrapfs to underlying FS objects.
> So it assumes that / to be already mounted. And you would want to
> attach to a root volume as soon as possible, so entering wrapfs mount
> entry in /etc/fstab just after / entry should be good enough.
Do I need volumes for using wrapfs ? Or simple partitioning would
suffice ? It sounds quite good I would look at this.
>
> Thanks,
> Rajat
>
> On Wed, Dec 28, 2011 at 11:29 AM, Gaurav Saxena <grvsaxena419@gmail.com>
> wrote:
>> Hello Rajat Thanks for your reply.
>>
>> On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> Hi Gaurav,
>>>
>>> I would suggest to take a wrapfs source (a null stackable file-system)
>>> and customize it for your need. Well Erez (wrapfs author) puts his
>>> continuous efforts in stabilizing wrapfs and porting to new kernels
>>> and he is approachable too. In fact he has acknowledged one of my patches
>>> and merged it into wrapfs tree.
>> Is there a way to mount "/" on such file system ? Like I want to
>> monitor / for changes like unlink or modified write. Would I be able
>> to see such changes using wrapfs. As by default on the systems "/"
>> would be mounted as  ext4 filesystem.
>>>
>>> Agreed that you can do stuffs like patching system call table but I
>>> (and most of us here) would categorize that as pure hack, as there
>>> exist no framework provided by kernel to do that. Also any approach
>>> you take to patch system call table won't be stable.
>> Yes I agree with you I want to do this using a method which is not a
>> hack, so that the support remains with all the versions of kernel
>> rather than a trick that works in a limited way.
>>>
>>> Thanks,
>>> Rajat
>>>
>>> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>> wrote:
>>>> Hello all,
>>>>
>>>> I am writing an application which would create a backup for the system
>>>> so that it could be restored as it is. For example I create a backup
>>>> using my application. I just do nothing at time of backup so it would
>>>> be fast. Now whenever I see any deletion I would save that file so
>>>> that I could restore it. Also I would like to see for
>>>> modification/rename. I cannot do this using inotify as I would be
>>>> notified after actual deletion/write. I don't want to use SELinux
>>>> because I want to implement this on existing installed system. I was
>>>> earlier thinking of replacing system calls for open/unlink with my
>>>> custom calls which will call my functions before actual work and then
>>>> I would decide what to do I would also want to reject unlink request
>>>> for some of the files. But as I now know that it's not working in
>>>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>>>> yet. Also there used to be a redirfs which used to work earlier but
>>>> the latest kernel is not supported yet. I think a method could be to
>>>> replace unlink in syscall table with my unlink function but I don't
>>>> find any good method of doing that, as syscall table is no longer
>>>> exported. I would like to implement this in a kernel module instead of
>>>> modifying kernel code itself. Please suggest some method of doing
>>>> that.
>>>> Thanks to you all for your help.
>>>>
>>>> --
>>>> Thanks and Regards ,
>>>> Gaurav
>>
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29  6:42         ` Gaurav Saxena
@ 2011-12-29  8:49           ` Rajat Sharma
  2011-12-29 10:23             ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Rajat Sharma @ 2011-12-29  8:49 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-fsdevel

I would suggest that you go through the stackable FS documentation
maintained with wrapfs website:

http://wrapfs.filesystems.org/docs/linux-stacking/index.html

there is no replacement of fops, that again I would categorize as pure
"HACK". Here you build a stack of FS on top of existing one. So stack
fs appears as regular FS to VFS layer and as VFS to lower FS, it just
fits in between VFS and lower FS. To do it transparently to applications
you need to mount wrapfs on the same mount point as lower fs so that
you hide direct exposure to lower FS and application can still assume
same file paths as lower FS.

Thanks,
Rajat

On Thu, Dec 29, 2011 at 12:12 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> Hello Rajat, Thanks for your reply.
>
> On 12/28/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> wrapfs needs the underlying filesystem to be already mounted and then
>> it attaches itself on top of this mount point.
> Ok That means it will replace the specific file system operations with
> its own operations ? And then call the specific operations from
> itself? Doesn't it then requires a different operation for each file
> system ?
>> That's the whole idea of
>> stacking one to one VFS objects from wrapfs to underlying FS objects.
>> So it assumes that / to be already mounted. And you would want to
>> attach to a root volume as soon as possible, so entering wrapfs mount
>> entry in /etc/fstab just after / entry should be good enough.
> Do I need volumes for using wrapfs ? Or simple partitioning would
> suffice ? It sounds quite good I would look at this.
>>
>> Thanks,
>> Rajat
>>
>> On Wed, Dec 28, 2011 at 11:29 AM, Gaurav Saxena <grvsaxena419@gmail.com>
>> wrote:
>>> Hello Rajat Thanks for your reply.
>>>
>>> On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>>> Hi Gaurav,
>>>>
>>>> I would suggest to take a wrapfs source (a null stackable file-system)
>>>> and customize it for your need. Well Erez (wrapfs author) puts his
>>>> continuous efforts in stabilizing wrapfs and porting to new kernels
>>>> and he is approachable too. In fact he has acknowledged one of my patches
>>>> and merged it into wrapfs tree.
>>> Is there a way to mount "/" on such file system ? Like I want to
>>> monitor / for changes like unlink or modified write. Would I be able
>>> to see such changes using wrapfs. As by default on the systems "/"
>>> would be mounted as  ext4 filesystem.
>>>>
>>>> Agreed that you can do stuffs like patching system call table but I
>>>> (and most of us here) would categorize that as pure hack, as there
>>>> exist no framework provided by kernel to do that. Also any approach
>>>> you take to patch system call table won't be stable.
>>> Yes I agree with you I want to do this using a method which is not a
>>> hack, so that the support remains with all the versions of kernel
>>> rather than a trick that works in a limited way.
>>>>
>>>> Thanks,
>>>> Rajat
>>>>
>>>> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>>> wrote:
>>>>> Hello all,
>>>>>
>>>>> I am writing an application which would create a backup for the system
>>>>> so that it could be restored as it is. For example I create a backup
>>>>> using my application. I just do nothing at time of backup so it would
>>>>> be fast. Now whenever I see any deletion I would save that file so
>>>>> that I could restore it. Also I would like to see for
>>>>> modification/rename. I cannot do this using inotify as I would be
>>>>> notified after actual deletion/write. I don't want to use SELinux
>>>>> because I want to implement this on existing installed system. I was
>>>>> earlier thinking of replacing system calls for open/unlink with my
>>>>> custom calls which will call my functions before actual work and then
>>>>> I would decide what to do I would also want to reject unlink request
>>>>> for some of the files. But as I now know that it's not working in
>>>>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>>>>> yet. Also there used to be a redirfs which used to work earlier but
>>>>> the latest kernel is not supported yet. I think a method could be to
>>>>> replace unlink in syscall table with my unlink function but I don't
>>>>> find any good method of doing that, as syscall table is no longer
>>>>> exported. I would like to implement this in a kernel module instead of
>>>>> modifying kernel code itself. Please suggest some method of doing
>>>>> that.
>>>>> Thanks to you all for your help.
>>>>>
>>>>> --
>>>>> Thanks and Regards ,
>>>>> Gaurav
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel"
>>>>> in
>>>>> the body of a message to majordomo@vger.kernel.org
>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>>
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>>
>
>
> --
> Thanks and Regards ,
> Gaurav
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29  8:49           ` Rajat Sharma
@ 2011-12-29 10:23             ` Gaurav Saxena
  2011-12-29 11:11               ` Rajat Sharma
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 10:23 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: linux-fsdevel

On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
> I would suggest that you go through the stackable FS documentation
> maintained with wrapfs website:
>
> http://wrapfs.filesystems.org/docs/linux-stacking/index.html
>
> there is no replacement of fops, that again I would categorize as pure
> "HACK". Here you build a stack of FS on top of existing one. so stack
> fs appears as regular FS to VFS layer and as VFS to lower FS, it just
> fits in between VFS and lower FS. To do it tranparent to applications
> you need to mount wrapfs on the same mount point as lower fs so that
> you hide direct exposure to lower FS and application can still assume
> same file paths as lower FS.
I am going through their documentation. I see this means I could
intercept in between for filesystems on which I mount this file system
and thus could do what I want to do. I can skip entire system calls I
suppose. Also I am thinking of KProbes; is it possible to skip a system
call using kprobes?
Thanks a lot for your help.
>
> Thanks,
> Rajat
>
> On Thu, Dec 29, 2011 at 12:12 PM, Gaurav Saxena <grvsaxena419@gmail.com>
> wrote:
>> Hello Rajat, Thanks for your reply.
>>
>> On 12/28/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> wrapfs needs the underlying filesystem to be already mounted and then
>>> it attaches itself on top of this mount point.
>> Ok That means it will replace the specific file system operations with
>> its own operations ? And then call the specific operations from
>> itself? Doesn't it then requires a different operation for each file
>> system ?
>>>Thats the whole idea of
>>> stacking one to one VFS objects from wrapfs to underlying FS objects.
>>> So it assumes that / to be already mounted. And you would want to
>>> attach to a route volume as soon as possible, so entering wrapfs mount
>>> entry in /etc/fstab just after / entry should be good enough.
>> Do I need volumes for using wrapfs ? Or simple partitioning would
>> suffice ? It sounds quite good I would look at this.
>>>
>>> Thanks,
>>> Rajat
>>>
>>> On Wed, Dec 28, 2011 at 11:29 AM, Gaurav Saxena <grvsaxena419@gmail.com>
>>> wrote:
>>>> Hello Rajat Thanks for your reply.
>>>>
>>>> On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com>
>>>> wrote:
>>>>> Hi Gaurav,
>>>>>
>>>>> I would suggest to take a wrapfs source (a null stackable file-system)
>>>>> and customize it for your need. Well Erez (wrapfs author) puts his
>>>>> continuous efforts in stabilizing wrapfs and porting to new kernels
>>>>> and he is approachable too. In-fact he has acknowledged on of my patch
>>>>> and merged it into wrapfs tree.
>>>> Is there a way to mount "/" on such file system ? Like I want to
>>>> monitor / for changes like unlink or modified write. Would I be able
>>>> to see such changes using wrapfs. As by default on the systems "/"
>>>> would be mounted as  ext4 filesystem.
>>>>>
>>>>> Agreed that you can do stuffs like patching system call table but I
>>>>> (and most of us here) would categorize that as pure hack, as there
>>>>> exist no framework provided by kernel to do that. Also any approach
>>>>> you take to patch system call table won't be stable.
>>>> Yes I agree with you I want to do this using a method which is not a
>>>> hack, so that the support remains with all the versions of kernel
>>>> rather than a trick that works in a limited way.
>>>>>
>>>>> Thanks,
>>>>> Rajat
>>>>>
>>>>> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>>>> wrote:
>>>>>> Hello all,
>>>>>>
>>>>>> I am writing an application which would create a backup for the system
>>>>>> so that it could be restored as it is. For example I create a backup
>>>>>> using my application. I just do nothing at time of backup so it would
>>>>>> be fast. Now whenever I see any deletion I would save that file so
>>>>>> that I could restore it. Also I would like to see for
>>>>>> modification/rename. I cannot do this using inotify as I would be
>>>>>> notified after actual deletion/write. I don't want to use SELinux
>>>>>> because I want to implement this on existing installed system. I was
>>>>>> earlier thinking of replacing system calls for open/unlink with my
>>>>>> custom calls which will call my functions before actual work and then
>>>>>> I would decide what to do I would also want to reject unlink request
>>>>>> for some of the files. But as I now know that its not working in
>>>>>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>>>>>> yet. Also there used to be a redirfs which used to work earlier but
>>>>>> the latest kernel is not supported yet. I think a method could be to
>>>>>> replace unlink in syscall table with my unlink function but I don't
>>>>>> find any good method of doing that, as syscall table is no longer
>>>>>> exported. I would like to implement this in a kernel module instead of
>>>>>> modifying kernel code itself. Please suggest some method of doing
>>>>>> that.
>>>>>> Thanks to you all for your help.
>>>>>>
>>>>>> --
>>>>>> Thanks and Regards ,
>>>>>> Gaurav
>>>>>> --
>>>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>>> linux-fsdevel"
>>>>>> in
>>>>>> the body of a message to majordomo@vger.kernel.org
>>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks and Regards ,
>>>> Gaurav
>>>
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread
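
The stacking arrangement quoted in the message above (a layer that looks like a filesystem to its caller and like the caller to the lower filesystem), combined with the save-before-delete and reject-unlink requirements from the original question, as an added user-space C model. It is not part of the thread and is not wrapfs or kernel code; `fs_ops`, the in-memory `mem_fs` lower layer and the `protect_prefix` policy are names constructed for illustration.

```c
/* User-space model of filesystem stacking: added example, not wrapfs or kernel code. */
#include <errno.h>
#include <string.h>

enum { SLOTS = 8, NAME_LEN = 32, DATA_LEN = 64 };

/* Operations table: the role inode_operations plays between the VFS and a filesystem. */
struct fs_ops {
    int (*create)(void *fs, const char *name, const char *data);
    const char *(*read)(void *fs, const char *name);
    int (*unlink)(void *fs, const char *name);
};

/* Lower filesystem (constructed for the example): an in-memory name -> contents table. */
struct mem_fs {
    char name[SLOTS][NAME_LEN];
    char data[SLOTS][DATA_LEN];
    int used[SLOTS];
};

static int mem_find(struct mem_fs *m, const char *name)
{
    for (int i = 0; i < SLOTS; i++)
        if (m->used[i] && strcmp(m->name[i], name) == 0)
            return i;
    return -1;
}

static int mem_create(void *fs, const char *name, const char *data)
{
    struct mem_fs *m = fs;
    if (strlen(name) >= NAME_LEN || strlen(data) >= DATA_LEN)
        return -ENAMETOOLONG;
    if (mem_find(m, name) >= 0)
        return -EEXIST;
    for (int i = 0; i < SLOTS; i++) {
        if (m->used[i])
            continue;
        strcpy(m->name[i], name);
        strcpy(m->data[i], data);
        m->used[i] = 1;
        return 0;
    }
    return -ENOSPC;
}

static const char *mem_read(void *fs, const char *name)
{
    struct mem_fs *m = fs;
    int i = mem_find(m, name);
    return i < 0 ? NULL : m->data[i];
}

static int mem_unlink(void *fs, const char *name)
{
    struct mem_fs *m = fs;
    int i = mem_find(m, name);
    if (i >= 0)
        m->used[i] = 0;
    return i < 0 ? -ENOENT : 0;
}

const struct fs_ops mem_ops = { mem_create, mem_read, mem_unlink };

/* Stacked layer: keeps a pointer to the lower fs and its ops, plus its own policy state. */
struct stack_fs {
    const struct fs_ops *lower_ops;
    void *lower;
    const char *protect_prefix;  /* names under this prefix may not be unlinked */
    struct mem_fs backup;        /* copies taken before a delete reaches the lower fs */
};

static int stack_create(void *fs, const char *name, const char *data)
{
    struct stack_fs *s = fs;
    return s->lower_ops->create(s->lower, name, data);  /* pure pass-through */
}

static const char *stack_read(void *fs, const char *name)
{
    struct stack_fs *s = fs;
    return s->lower_ops->read(s->lower, name);
}

static int stack_unlink(void *fs, const char *name)
{
    struct stack_fs *s = fs;
    const char *data = s->lower_ops->read(s->lower, name);
    int err;
    if (strncmp(name, s->protect_prefix, strlen(s->protect_prefix)) == 0)
        return -EPERM;                          /* veto: lower unlink is never called */
    if (!data)
        return -ENOENT;
    mem_unlink(&s->backup, name);               /* replace any older copy of this name */
    err = mem_create(&s->backup, name, data);   /* save contents before the delete */
    return err ? err : s->lower_ops->unlink(s->lower, name);  /* no backup, no delete */
}

/* A caller holding only (ops, fs) cannot tell this layer from the lower filesystem. */
const struct fs_ops stack_ops = { stack_create, stack_read, stack_unlink };
```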

* Re: Intercepting system calls
  2011-12-29 10:23             ` Gaurav Saxena
@ 2011-12-29 11:11               ` Rajat Sharma
  2011-12-29 12:06                 ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Rajat Sharma @ 2011-12-29 11:11 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-fsdevel

Well kprobe is:

1. meant to instrument debugging while developing
2. Is configured with kernel configuration parameters which you
cannot guarantee to be configured on deployment site.
3. slower as it works with debugger break point instruction and single
stepping mode.
4. probing into an instruction and altering behavior might not scale
across kernel version and interface changes.

But yes, you can technically capture any kernel instruction's virtual
address and probe into it. Building solution on top of such
instrumentation -- HACK!! :)

Did you try looking for LSM as well?

-Rajat

On Thu, Dec 29, 2011 at 3:53 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> I would suggest that you go through the stackable FS documentation
>> maintained with wrapfs website:
>>
>> http://wrapfs.filesystems.org/docs/linux-stacking/index.html
>>
>> there is no replacement of fops, that again I would categorize as pure
>> "HACK". Here you build a stack of FS on top of existing one. so stack
>> fs appears as regular FS to VFS layer and as VFS to lower FS, it just
>> fits in between VFS and lower FS. To do it tranparent to applications
>> you need to mount wrapfs on the same mount point as lower fs so that
>> you hide direct exposure to lower FS and application can still assume
>> same file paths as lower FS.
> I am going through their documentation. I see this means I could
> intercept in between for filesystems on which I mount this file system
> and thus could do what I want to do. I can skip entire system calls I
> suppose. Also I am thinking of KProbes is it possible to skip system
> call using kprobes ?
> Thanks a lot for your help.
>>
>> Thanks,
>> Rajat
>>
>> On Thu, Dec 29, 2011 at 12:12 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>> wrote:
>>> Hello Rajat, Thanks for your reply.
>>>
>>> On 12/28/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>>> wrapfs needs the underlying filesystem to be already mounted and then
>>>> it attaches itself on top of this mount point.
>>> Ok That means it will replace the specific file system operations with
>>> its own operations ? And then call the specific operations from
>>> itself? Doesn't it then requires a different operation for each file
>>> system ?
>>>>Thats the whole idea of
>>>> stacking one to one VFS objects from wrapfs to underlying FS objects.
>>>> So it assumes that / to be already mounted. And you would want to
>>>> attach to a route volume as soon as possible, so entering wrapfs mount
>>>> entry in /etc/fstab just after / entry should be good enough.
>>> Do I need volumes for using wrapfs ? Or simple partitioning would
>>> suffice ? It sounds quite good I would look at this.
>>>>
>>>> Thanks,
>>>> Rajat
>>>>
>>>> On Wed, Dec 28, 2011 at 11:29 AM, Gaurav Saxena <grvsaxena419@gmail.com>
>>>> wrote:
>>>>> Hello Rajat Thanks for your reply.
>>>>>
>>>>> On Mon, Dec 26, 2011 at 11:23 AM, Rajat Sharma <fs.rajat@gmail.com>
>>>>> wrote:
>>>>>> Hi Gaurav,
>>>>>>
>>>>>> I would suggest to take a wrapfs source (a null stackable file-system)
>>>>>> and customize it for your need. Well Erez (wrapfs author) puts his
>>>>>> continuous efforts in stabilizing wrapfs and porting to new kernels
>>>>>> and he is approachable too. In-fact he has acknowledged on of my patch
>>>>>> and merged it into wrapfs tree.
>>>>> Is there a way to mount "/" on such file system ? Like I want to
>>>>> monitor / for changes like unlink or modified write. Would I be able
>>>>> to see such changes using wrapfs. As by default on the systems "/"
>>>>> would be mounted as  ext4 filesystem.
>>>>>>
>>>>>> Agreed that you can do stuffs like patching system call table but I
>>>>>> (and most of us here) would categorize that as pure hack, as there
>>>>>> exist no framework provided by kernel to do that. Also any approach
>>>>>> you take to patch system call table won't be stable.
>>>>> Yes I agree with you I want to do this using a method which is not a
>>>>> hack, so that the support remains with all the versions of kernel
>>>>> rather than a trick that works in a limited way.
>>>>>>
>>>>>> Thanks,
>>>>>> Rajat
>>>>>>
>>>>>> On Sat, Dec 24, 2011 at 2:39 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>>>>> wrote:
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I am writing an application which would create a backup for the system
>>>>>>> so that it could be restored as it is. For example I create a backup
>>>>>>> using my application. I just do nothing at time of backup so it would
>>>>>>> be fast. Now whenever I see any deletion I would save that file so
>>>>>>> that I could restore it. Also I would like to see for
>>>>>>> modification/rename. I cannot do this using inotify as I would be
>>>>>>> notified after actual deletion/write. I don't want to use SELinux
>>>>>>> because I want to implement this on existing installed system. I was
>>>>>>> earlier thinking of replacing system calls for open/unlink with my
>>>>>>> custom calls which will call my functions before actual work and then
>>>>>>> I would decide what to do I would also want to reject unlink request
>>>>>>> for some of the files. But as I now know that its not working in
>>>>>>> linux>3.0 . I had also seen dazuko which is not supporting linux>3.0
>>>>>>> yet. Also there used to be a redirfs which used to work earlier but
>>>>>>> the latest kernel is not supported yet. I think a method could be to
>>>>>>> replace unlink in syscall table with my unlink function but I don't
>>>>>>> find any good method of doing that, as syscall table is no longer
>>>>>>> exported. I would like to implement this in a kernel module instead of
>>>>>>> modifying kernel code itself. Please suggest some method of doing
>>>>>>> that.
>>>>>>> Thanks to you all for your help.
>>>>>>>
>>>>>>> --
>>>>>>> Thanks and Regards ,
>>>>>>> Gaurav
>>>>>>> --
>>>>>>> To unsubscribe from this list: send the line "unsubscribe
>>>>>>> linux-fsdevel"
>>>>>>> in
>>>>>>> the body of a message to majordomo@vger.kernel.org
>>>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks and Regards ,
>>>>> Gaurav
>>>>
>>>
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>>
>
>
> --
> Thanks and Regards ,
> Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 11:11               ` Rajat Sharma
@ 2011-12-29 12:06                 ` Gaurav Saxena
  2011-12-29 12:25                   ` Rajat Sharma
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 12:06 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: linux-fsdevel

On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
> Well kprobe is:
>
> 1. meant to instrument debugging while developing
> 2. Is configured with kernel configuration parameters which you can
> not guarantee to be configured on deployment site.
> 3. slower as it works with debugger break point instruction and single
> stepping mode.
> 4. probing into an instruction and altering behavior might not scale
> across kernel version and interface changes.
>
> But yes, you can technically capture any kernel instruction's virtual
> address and probe into it. Building solution on top of such
> instrumentation -- HACK!! :)
Ok Thanks. I see it will be real slow then as it's only a debugging
mechanism, I also found a hack which uses a kprobe based approach and
adds a jump code to beginning of system calls. Yes I agree with you,
I don't want hack which needs to be changed with kernel versions or
depends on configuration of kernel.
I will give a try to wrapfs today. :) Is it too a hack ?
>
> Did you try looking for LSM as well?
LSM projects like SELinux ? Actually they need kernel rebuild/
reinstall thus I would try not to go for such options.
>
> -Rajat
>

-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 12:06                 ` Gaurav Saxena
@ 2011-12-29 12:25                   ` Rajat Sharma
  2011-12-29 12:32                     ` Gaurav Saxena
  0 siblings, 1 reply; 53+ messages in thread
From: Rajat Sharma @ 2011-12-29 12:25 UTC (permalink / raw)
  To: Gaurav Saxena; +Cc: linux-fsdevel

well ecryptfs which ships with mainline linux kernel is based upon
stackable approach (wrapfs), do you call it hack? :)

On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> Well kprobe is:
>>
>> 1. meant to instrument debugging while developing
>> 2. Is configured with kernel configuration parameters which you can
>> not guarantee to be configured on deployment site.
>> 3. slower as it works with debugger break point instruction and single
>> stepping mode.
>> 4. probing into an instruction and altering behavior might not scale
>> across kernel version and interface changes.
>>
>> But yes, you can technically capture any kernel instruction's virtual
>> address and probe into it. Building solution on top of such
>> instrumentation -- HACK!! :)
> Ok Thanks. I see it will be real slow then as its only a debugging
> mechanism, I also found a hack which uses a kprobe based approach and
> adds a jump code to beginning of system calls. Yes I agree with you ,
> I don't want hack which needs to be changed with kernel versions or
> depends on configuration of kernel.
> I will give a try to wrapfs today. :) Is it too a hack ?
>>
>> Did you try looking for LSM as well?
> LSM projects like SELinux ? Actually they need kernel rebuild/
> reinstall thus I would try not to go for such options.
>>
>> -Rajat
>>
>
> --
> Thanks and Regards ,
> Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 12:25                   ` Rajat Sharma
@ 2011-12-29 12:32                     ` Gaurav Saxena
       [not found]                       ` <CALJfu6NrF2fjsWUi4gnV9X6AN3rcecL=6=j9ZZADaRGwz3mECw@mail.gmail.com>
  0 siblings, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 12:32 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: linux-fsdevel

On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
> well ecryptfs which ships with mainline linux kernel is based upon
> stackable approach (wrapfs), do you call it hack? :)
Ok. I will try to use wrapfs but it seems it's quite old and inactive
too. I would have to write a new filesystem extending wrapfs it seems.
I would work upon it and ask for help when I get problems. :)
Thanks a lot for helping me.
>
> On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com>
> wrote:
>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> Well kprobe is:
>>>
>>> 1. meant to instrument debugging while developing
>>> 2. Is configured with kernel configuration parameters which you can
>>> not guarantee to be configured on deployment site.
>>> 3. slower as it works with debugger break point instruction and single
>>> stepping mode.
>>> 4. probing into an instruction and altering behavior might not scale
>>> across kernel version and interface changes.
>>>
>>> But yes, you can technically capture any kernel instruction's virtual
>>> address and probe into it. Building solution on top of such
>>> instrumentation -- HACK!! :)
>> Ok Thanks. I see it will be real slow then as its only a debugging
>> mechanism, I also found a hack which uses a kprobe based approach and
>> adds a jump code to beginning of system calls. Yes I agree with you ,
>> I don't want hack which needs to be changed with kernel versions or
>> depends on configuration of kernel.
>> I will give a try to wrapfs today. :) Is it too a hack ?
>>>
>>> Did you try looking for LSM as well?
>> LSM projects like SELinux ? Actually they need kernel rebuild/
>> reinstall thus I would try not to go for such options.
>>>
>>> -Rajat
>>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
       [not found]                       ` <CALJfu6NrF2fjsWUi4gnV9X6AN3rcecL=6=j9ZZADaRGwz3mECw@mail.gmail.com>
@ 2011-12-29 13:12                         ` Rajat Sharma
  2011-12-29 14:03                           ` Gaurav Saxena
  2012-01-20  7:38                           ` Gaurav Saxena
  2011-12-29 14:01                         ` Gaurav Saxena
  1 sibling, 2 replies; 53+ messages in thread
From: Rajat Sharma @ 2011-12-29 13:12 UTC (permalink / raw)
  To: rohan puri; +Cc: Gaurav Saxena, linux-fsdevel

You could probably trim down ecryptfs and customize it as per your
need. It has advantage of being in mainline. Just remove encryption
part of it. I wish Linux provided a framework to do the same.

-Rajat

On Thu, Dec 29, 2011 at 6:37 PM, rohan puri <rohan.puri15@gmail.com> wrote:
>
>
> On Thu, Dec 29, 2011 at 6:02 PM, Gaurav Saxena <grvsaxena419@gmail.com>
> wrote:
>>
>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> > well ecryptfs which ships with mainline linux kernel is based upon
>> > stackable approach (wrapfs), do you call it hack? :)
>> Ok. I will try to use wrapfs but it seems its quite old and inactive
>> too. I would have to write a new filesystem extending wrapfs it seems.
>> I would work upon it and ask for help when I get problems. :)
>> Thanks a lot for helping me.
>> >
>> > On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>> > wrote:
>> >> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> >>> Well kprobe is:
>> >>>
>> >>> 1. meant to instrument debugging while developing
>> >>> 2. Is configured with kernel configuration parameters which you can
>> >>> not guarantee to be configured on deployment site.
>> >>> 3. slower as it works with debugger break point instruction and single
>> >>> stepping mode.
>> >>> 4. probing into an instruction and altering behavior might not scale
>> >>> across kernel version and interface changes.
>> >>>
>> >>> But yes, you can technically capture any kernel instruction's virtual
>> >>> address and probe into it. Building solution on top of such
>> >>> instrumentation -- HACK!! :)
>> >> Ok Thanks. I see it will be real slow then as its only a debugging
>> >> mechanism, I also found a hack which uses a kprobe based approach and
>> >> adds a jump code to beginning of system calls. Yes I agree with you ,
>> >> I don't want hack which needs to be changed with kernel versions or
>> >> depends on configuration of kernel.
>> >> I will give a try to wrapfs today. :) Is it too a hack ?
>> >>>
>> >>> Did you try looking for LSM as well?
>> >> LSM projects like SELinux ? Actually they need kernel rebuild/
>> >> reinstall thus I would try not to go for such options.
>> >>>
>> >>> -Rajat
>> >>>
>> >>
>> >> --
>> >> Thanks and Regards ,
>> >> Gaurav
>> >
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel"
>> in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>
> Just to let you know, you can make use of
> http://gauravnaigaonkar.web.officelive.com/Documents/hw2.txt as a reference
> on how to write a stackable file system. This is for linux kernel version
> 2.6.26
>
> Regards,
> Rohan Puri

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
       [not found]                       ` <CALJfu6NrF2fjsWUi4gnV9X6AN3rcecL=6=j9ZZADaRGwz3mECw@mail.gmail.com>
  2011-12-29 13:12                         ` Rajat Sharma
@ 2011-12-29 14:01                         ` Gaurav Saxena
  1 sibling, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 14:01 UTC (permalink / raw)
  To: rohan puri; +Cc: Rajat Sharma, linux-fsdevel

Hello Rohan , Thanks a lot for help. :)

On 12/29/11, rohan puri <rohan.puri15@gmail.com> wrote:
> On Thu, Dec 29, 2011 at 6:02 PM, Gaurav Saxena
> <grvsaxena419@gmail.com>wrote:
>
>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> > well ecryptfs which ships with mainline linux kernel is based upon
>> > stackable approach (wrapfs), do you call it hack? :)
>> Ok. I will try to use wrapfs but it seems its quite old and inactive
>> too. I would have to write a new filesystem extending wrapfs it seems.
>> I would work upon it and ask for help when I get problems. :)
>> Thanks a lot for helping me.
>> >
>> > On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>> > wrote:
>> >> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> >>> Well kprobe is:
>> >>>
>> >>> 1. meant to instrument debugging while developing
>> >>> 2. Is configured with kernel configuration parameters which you can
>> >>> not guarantee to be configured on deployment site.
>> >>> 3. slower as it works with debugger break point instruction and single
>> >>> stepping mode.
>> >>> 4. probing into an instruction and altering behavior might not scale
>> >>> across kernel version and interface changes.
>> >>>
>> >>> But yes, you can technically capture any kernel instruction's virtual
>> >>> address and probe into it. Building solution on top of such
>> >>> instrumentation -- HACK!! :)
>> >> Ok Thanks. I see it will be real slow then as its only a debugging
>> >> mechanism, I also found a hack which uses a kprobe based approach and
>> >> adds a jump code to beginning of system calls. Yes I agree with you ,
>> >> I don't want hack which needs to be changed with kernel versions or
>> >> depends on configuration of kernel.
>> >> I will give a try to wrapfs today. :) Is it too a hack ?
>> >>>
>> >>> Did you try looking for LSM as well?
>> >> LSM projects like SELinux ? Actually they need kernel rebuild/
>> >> reinstall thus I would try not to go for such options.
>> >>>
>> >>> -Rajat
>> >>>
>> >>
>> >> --
>> >> Thanks and Regards ,
>> >> Gaurav
>> >
>>
>>
>> --
>> Thanks and Regards ,
>> Gaurav
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel"
>> in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
> Just to let you know, you can make use of
> http://gauravnaigaonkar.web.officelive.com/Documents/hw2.txt as a reference
> on how to write a stackable file system. This is for linux kernel version
> 2.6.26
>
> Regards,
> Rohan Puri
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 13:12                         ` Rajat Sharma
@ 2011-12-29 14:03                           ` Gaurav Saxena
  2011-12-29 14:32                             ` Gaurav Saxena
  2012-01-20  7:38                           ` Gaurav Saxena
  1 sibling, 1 reply; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 14:03 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: rohan puri, linux-fsdevel

On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
> You could probably trim down ecryptfs and customize it as per your
> need. It has advantage of being in mainline. Just remove encryption
> part of it. I wish if Linux provided a framework to do the same.
Ok, I will do that; ecryptfs is part of kernel source I see. I would
try doing the same. Yes of course that would have been really great.
Thanks for your help :).
>
> -Rajat
>
> On Thu, Dec 29, 2011 at 6:37 PM, rohan puri <rohan.puri15@gmail.com> wrote:
>>
>>
>> On Thu, Dec 29, 2011 at 6:02 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>> wrote:
>>>
>>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> > well ecryptfs which ships with mainline linux kernel is based upon
>>> > stackable approach (wrapfs), do you call it hack? :)
>>> Ok. I will try to use wrapfs but it seems its quite old and inactive
>>> too. I would have to write a new filesystem extending wrapfs it seems.
>>> I would work upon it and ask for help when I get problems. :)
>>> Thanks a lot for helping me.
>>> >
>>> > On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>> > wrote:
>>> >> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> >>> Well kprobe is:
>>> >>>
>>> >>> 1. meant to instrument debugging while developing
>>> >>> 2. Is configured with kernel configuration parameters which you can
>>> >>> not guarantee to be configured on deployment site.
>>> >>> 3. slower as it works with debugger break point instruction and
>>> >>> single
>>> >>> stepping mode.
>>> >>> 4. probing into an instruction and altering behavior might not scale
>>> >>> across kernel version and interface changes.
>>> >>>
>>> >>> But yes, you can technically capture any kernel instruction's virtual
>>> >>> address and probe into it. Building solution on top of such
>>> >>> instrumentation -- HACK!! :)
>>> >> Ok Thanks. I see it will be real slow then as its only a debugging
>>> >> mechanism, I also found a hack which uses a kprobe based approach and
>>> >> adds a jump code to beginning of system calls. Yes I agree with you ,
>>> >> I don't want hack which needs to be changed with kernel versions or
>>> >> depends on configuration of kernel.
>>> >> I will give a try to wrapfs today. :) Is it too a hack ?
>>> >>>
>>> >>> Did you try looking for LSM as well?
>>> >> LSM projects like SELinux ? Actually they need kernel rebuild/
>>> >> reinstall thus I would try not to go for such options.
>>> >>>
>>> >>> -Rajat
>>> >>>
>>> >>
>>> >> --
>>> >> Thanks and Regards ,
>>> >> Gaurav
>>> >
>>>
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel"
>>> in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>>
>> Just to let you know, you can make use of
>> http://gauravnaigaonkar.web.officelive.com/Documents/hw2.txt as a
>> reference
>> on how to write a stackable file system. This is for linux kernel version
>> 2.6.26
>>
>> Regards,
>> Rohan Puri
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 14:03                           ` Gaurav Saxena
@ 2011-12-29 14:32                             ` Gaurav Saxena
  0 siblings, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2011-12-29 14:32 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: rohan puri, linux-fsdevel

Do I need to change kernel code in order to get stackable fs working ?
Also I tried to change ecryptfs but it doesn't compile outside the
kernel directory. Could a stackable fs be loaded as a kernel module ?

On 12/29/11, Gaurav Saxena <grvsaxena419@gmail.com> wrote:
> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>> You could probably trim down ecryptfs and customize it as per your
>> need. It has advantage of being in mainline. Just remove encryption
>> part of it. I wish if Linux provided a framework to do the same.
> Ok, I will do that ecryptfs is part of kernel source I see. I would
> try doing the same. Yes ofcourse that would have been really great.
> Thanks for your help :).
>>
>> -Rajat
>>
>> On Thu, Dec 29, 2011 at 6:37 PM, rohan puri <rohan.puri15@gmail.com>
>> wrote:
>>>
>>>
>>> On Thu, Dec 29, 2011 at 6:02 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>> wrote:
>>>>
>>>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>>> > well ecryptfs which ships with mainline linux kernel is based upon
>>>> > stackable approach (wrapfs), do you call it hack? :)
>>>> Ok. I will try to use wrapfs but it seems its quite old and inactive
>>>> too. I would have to write a new filesystem extending wrapfs it seems.
>>>> I would work upon it and ask for help when I get problems. :)
>>>> Thanks a lot for helping me.
>>>> >
>>>> > On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena
>>>> > <grvsaxena419@gmail.com>
>>>> > wrote:
>>>> >> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>>> >>> Well kprobe is:
>>>> >>>
>>>> >>> 1. meant to instrument debugging while developing
>>>> >>> 2. Is configured with kernel configuration parameters which you can
>>>> >>> not guarantee to be configured on deployment site.
>>>> >>> 3. slower as it works with debugger break point instruction and
>>>> >>> single
>>>> >>> stepping mode.
>>>> >>> 4. probing into an instruction and altering behavior might not
>>>> >>> scale
>>>> >>> across kernel version and interface changes.
>>>> >>>
>>>> >>> But yes, you can technically capture any kernel instruction's
>>>> >>> virtual
>>>> >>> address and probe into it. Building solution on top of such
>>>> >>> instrumentation -- HACK!! :)
>>>> >> Ok Thanks. I see it will be real slow then as its only a debugging
>>>> >> mechanism, I also found a hack which uses a kprobe based approach
>>>> >> and
>>>> >> adds a jump code to beginning of system calls. Yes I agree with you
>>>> >> ,
>>>> >> I don't want hack which needs to be changed with kernel versions or
>>>> >> depends on configuration of kernel.
>>>> >> I will give a try to wrapfs today. :) Is it too a hack ?
>>>> >>>
>>>> >>> Did you try looking for LSM as well?
>>>> >> LSM projects like SELinux ? Actually they need kernel rebuild/
>>>> >> reinstall thus I would try not to go for such options.
>>>> >>>
>>>> >>> -Rajat
>>>> >>>
>>>> >>
>>>> >> --
>>>> >> Thanks and Regards ,
>>>> >> Gaurav
>>>> >
>>>>
>>>>
>>>> --
>>>> Thanks and Regards ,
>>>> Gaurav
>>>
>>>
>>> Just to let you know, you can make use of
>>> http://gauravnaigaonkar.web.officelive.com/Documents/hw2.txt as a
>>> reference
>>> on how to write a stackable file system. This is for linux kernel
>>> version
>>> 2.6.26
>>>
>>> Regards,
>>> Rohan Puri
>>
>
>
> --
> Thanks and Regards ,
> Gaurav
>


-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2011-12-29 13:12                         ` Rajat Sharma
  2011-12-29 14:03                           ` Gaurav Saxena
@ 2012-01-20  7:38                           ` Gaurav Saxena
  1 sibling, 0 replies; 53+ messages in thread
From: Gaurav Saxena @ 2012-01-20  7:38 UTC (permalink / raw)
  To: Rajat Sharma; +Cc: rohan puri, linux-fsdevel

Hello again.
I started on wrapfs; it's nice and I can use it for my purpose, but I
need help using it transparently. I modified the unlink call a bit and
so I now want to test wrapfs on my system. I could use it using
> mount -t wrapfs /root /mnt/tmp
Now if I unlink files from /mnt/tmp, the wrapfs unlink is called, but I want
to do this transparently, i.e. I want to mount /root on itself so that
requests to delete files in /root go through wrapfs. But I am unable
to do this. I tried
> mount -t wrapfs -O /root
as described for overlay mounts, but this is not working as it does
not result in a mount call. How can I use wrapfs for overlay mounts? Or
is this not possible?

On Thu, Dec 29, 2011 at 6:42 PM, Rajat Sharma <fs.rajat@gmail.com> wrote:
> You could probably trim down ecryptfs and customize it as per your
> need. It has advantage of being in mainline. Just remove encryption
> part of it. I wish if Linux provided a framework to do the same.
>
> -Rajat
>
> On Thu, Dec 29, 2011 at 6:37 PM, rohan puri <rohan.puri15@gmail.com> wrote:
>>
>>
>> On Thu, Dec 29, 2011 at 6:02 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>> wrote:
>>>
>>> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> > well ecryptfs which ships with mainline linux kernel is based upon
>>> > stackable approach (wrapfs), do you call it hack? :)
>>> Ok. I will try to use wrapfs but it seems its quite old and inactive
>>> too. I would have to write a new filesystem extending wrapfs it seems.
>>> I would work upon it and ask for help when I get problems. :)
>>> Thanks a lot for helping me.
>>> >
>>> > On Thu, Dec 29, 2011 at 5:36 PM, Gaurav Saxena <grvsaxena419@gmail.com>
>>> > wrote:
>>> >> On 12/29/11, Rajat Sharma <fs.rajat@gmail.com> wrote:
>>> >>> Well kprobe is:
>>> >>>
>>> >>> 1. meant to instrument debugging while developing
>>> >>> 2. Is configured with kernel configuration parameters which you can
>>> >>> not guarantee to be configured on deployment site.
>>> >>> 3. slower as it works with debugger break point instruction and single
>>> >>> stepping mode.
>>> >>> 4. probing into an instruction and altering behavior might not scale
>>> >>> across kernel version and interface changes.
>>> >>>
>>> >>> But yes, you can technically capture any kernel instruction's virtual
>>> >>> address and probe into it. Building solution on top of such
>>> >>> instrumentation -- HACK!! :)
>>> >> Ok Thanks. I see it will be real slow then as its only a debugging
>>> >> mechanism, I also found a hack which uses a kprobe based approach and
>>> >> adds a jump code to beginning of system calls. Yes I agree with you ,
>>> >> I don't want hack which needs to be changed with kernel versions or
>>> >> depends on configuration of kernel.
>>> >> I will give a try to wrapfs today. :) Is it too a hack ?
>>> >>>
>>> >>> Did you try looking for LSM as well?
>>> >> LSM projects like SELinux ? Actually they need kernel rebuild/
>>> >> reinstall thus I would try not to go for such options.
>>> >>>
>>> >>> -Rajat
>>> >>>
>>> >>
>>> >> --
>>> >> Thanks and Regards ,
>>> >> Gaurav
>>> >
>>>
>>>
>>> --
>>> Thanks and Regards ,
>>> Gaurav
>>
>>
>> Just to let you know, you can make use of
>> http://gauravnaigaonkar.web.officelive.com/Documents/hw2.txt as a reference
>> on how to write a stackable file system. This is for linux kernel version
>> 2.6.26
>>
>> Regards,
>> Rohan Puri



-- 
Thanks and Regards ,
Gaurav

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
       [not found]   ` <5e9821061002042140le7ba356s48e535c9d8b637ec@mail.gmail.com>
@ 2010-02-05  7:20     ` Bryan Donlan
  0 siblings, 0 replies; 53+ messages in thread
From: Bryan Donlan @ 2010-02-05  7:20 UTC (permalink / raw)
  To: Oleg Kutkov; +Cc: linux-kernel

2010/2/5 Oleg Kutkov <elenbert@gmail.com>:
> Hello. I need to capture and process outgoing and incoming packets from all
> network interfaces, including virtual interfaces. So I try to overload socket
> and if_rx. I have not found another way to do that.

Why not just use libpcap?

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2010-02-04 19:00 Oleg Kutkov
@ 2010-02-04 19:26 ` Bryan Donlan
       [not found]   ` <5e9821061002042140le7ba356s48e535c9d8b637ec@mail.gmail.com>
  0 siblings, 1 reply; 53+ messages in thread
From: Bryan Donlan @ 2010-02-04 19:26 UTC (permalink / raw)
  To: Oleg Kutkov; +Cc: linux-kernel

On Thu, Feb 4, 2010 at 2:00 PM, Oleg Kutkov <elenbert@gmail.com> wrote:
> Hello.
> Maybe this question is asked often, but all the posts I found are too old and
> some things are wrong...
> So, I need to intercept some system calls (socket calls) and make my own
> handler.
> Is there a legal, correct and clean way to do it, without hacking the system
> call table?
> Thanks.

Why do you need to do this? There may be a better way than overriding syscalls.

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Intercepting system calls
@ 2010-02-04 19:00 Oleg Kutkov
  2010-02-04 19:26 ` Bryan Donlan
  0 siblings, 1 reply; 53+ messages in thread
From: Oleg Kutkov @ 2010-02-04 19:00 UTC (permalink / raw)
  To: linux-kernel

Hello.
Maybe this question is asked often, but all the posts I found are too old and
some things are wrong...
So, I need to intercept some system calls (socket calls) and make my own
handler.
Is there a legal, correct and clean way to do it, without hacking the system
call table?
Thanks.

Best regards,
Oleg.

^ permalink raw reply	[flat|nested] 53+ messages in thread

* Re: Intercepting system calls
  2004-12-21  4:22 selvakumar nagendran
  2004-12-21  4:28 ` Lee Revell
@ 2004-12-21 13:51 ` Steven Rostedt
  1 sibling, 0 replies; 53+ messages in thread
From: Steven Rostedt @ 2004-12-21 13:51 UTC (permalink / raw)
  To: selvakumar nagendran; +Cc: LKML

On Mon, 2004-12-20 at 20:22 -0800, selvakumar nagendran wrote:
>     I want to intercept system calls that are provided
> for IPC in Linux. I have to determine whether a
> process blocks while executing a system call and I
> must save the arguments passed to that system call.
>     Can I modify the system call source code directly
> for this? or if I want the system calls to refer my
> module, how should I do that? can anyone explain for
> this, if possible with some code?..

Do you have to do this in the kernel? Have you taken a look at ptrace?
Especially PTRACE_SYSCALL (man ptrace).  Although it may be trickier to
know if it blocked or not, but it should still be possible to do
entirely from user land, and thus easier to write/debug.

-- Steve



^ permalink raw reply	[flat|nested] 53+ messages in thread
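
Added example, not part of the reply above or of any code posted in this thread: a user-space tracer built on PTRACE_SYSCALL that saves a child's syscall arguments at the entry stop and its return value at the exit stop. It assumes Linux 5.3 or later (for PTRACE_GET_SYSCALL_INFO) and a libc whose <sys/ptrace.h> declares struct __ptrace_syscall_info; the name trace_kill_calls and the kill(self, 0) workload are constructed for illustration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Trace a child making `calls` kill(self, 0) probes (constructed workload).
 * Returns the kill() entries seen, or -1; saves the last call's args and result. */
long trace_kill_calls(int calls, unsigned long long args[2], long long *rval)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                  /* let the tracer set options first */
        for (int i = 0; i < calls; i++)
            syscall(SYS_kill, (long)getpid(), 0L);  /* signal 0: nothing delivered */
        _exit(0);
    }
    int status, in_kill = 0; long seen = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL)) < 0) return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) return seen;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                    /* a signal stop, not a syscall stop */
        struct __ptrace_syscall_info si;
        if (ptrace(PTRACE_GET_SYSCALL_INFO, pid, (void *)sizeof si, &si) < 0) return -1;
        if (si.op == PTRACE_SYSCALL_INFO_ENTRY) {
            in_kill = (si.entry.nr == SYS_kill);
            if (in_kill) {               /* entry stop: arguments are available */
                seen++;
                args[0] = si.entry.args[0]; args[1] = si.entry.args[1];
            }
        } else if (si.op == PTRACE_SYSCALL_INFO_EXIT && in_kill) {
            *rval = si.exit.rval;        /* exit stop: the call has returned */
        }
    }
}
int main(void)
{
    unsigned long long a[2] = {0, 0}; long long r = -1;
    long n = trace_kill_calls(3, a, &r);
    return printf("kill entries=%ld sig=%llu rval=%lld\n", n, a[1], r) < 0;
}
```

The interval between an entry stop and its matching exit stop is the time the call spends in the kernel, so timing that interval is one way to approach the blocking question.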

* Re: Intercepting system calls
  2004-12-21  4:22 selvakumar nagendran
@ 2004-12-21  4:28 ` Lee Revell
  2004-12-21 13:51 ` Steven Rostedt
  1 sibling, 0 replies; 53+ messages in thread
From: Lee Revell @ 2004-12-21  4:28 UTC (permalink / raw)
  To: selvakumar nagendran; +Cc: linux-kernel

On Mon, 2004-12-20 at 20:22 -0800, selvakumar nagendran wrote:
>     Can I modify the system call source code directly
> for this?

Yes.

>  or if I want the system calls to refer my
> module, how should I do that?

EXPORT_SYMBOL

Lee


^ permalink raw reply	[flat|nested] 53+ messages in thread

* Intercepting system calls
@ 2004-12-21  4:22 selvakumar nagendran
  2004-12-21  4:28 ` Lee Revell
  2004-12-21 13:51 ` Steven Rostedt
  0 siblings, 2 replies; 53+ messages in thread
From: selvakumar nagendran @ 2004-12-21  4:22 UTC (permalink / raw)
  To: linux-kernel

    I want to intercept system calls that are provided
for IPC in Linux. I have to determine whether a
process blocks while executing a system call and I
must save the arguments passed to that system call.
    Can I modify the system call source code directly
for this? or if I want the system calls to refer my
module, how should I do that? can anyone explain for
this, if possible with some code?..

Thanks,
selva


		


^ permalink raw reply	[flat|nested] 53+ messages in thread

end of thread, other threads:[~2012-01-20  7:38 UTC | newest]

Thread overview: 53+ messages (download: mbox.gz / follow: Atom feed)
2011-12-22 16:07 Intercepting system calls Gaurav Saxena
2011-12-22 16:42 ` richard -rw- weinberger
2011-12-22 16:59   ` Gaurav Saxena
2011-12-22 17:05     ` richard -rw- weinberger
2011-12-22 17:16       ` Gaurav Saxena
2011-12-22 17:32         ` richard -rw- weinberger
2011-12-22 17:37           ` Gaurav Saxena
2011-12-22 17:52     ` John Stoffel
2011-12-23  2:22       ` Gaurav Saxena
2011-12-23 14:38         ` John Stoffel
2011-12-23 17:03           ` Gaurav Saxena
2011-12-28 12:56             ` Wojciech Zygmunt Porczyk
2011-12-29  6:38               ` Gaurav Saxena
2011-12-23 14:50       ` Alan Cox
2011-12-23 17:07         ` Gaurav Saxena
2011-12-22 19:03     ` Wakko Warner
2011-12-23  2:25       ` Gaurav Saxena
2011-12-23  9:45       ` Jiri Kosina
2011-12-23 15:10         ` Wakko Warner
2011-12-23  7:25 ` J. R. Okajima
2011-12-23  9:08   ` Gaurav Saxena
2011-12-23  9:16     ` richard -rw- weinberger
2011-12-23  9:22       ` Gaurav Saxena
2011-12-23  9:26         ` richard -rw- weinberger
2011-12-23  9:37           ` Gaurav Saxena
2011-12-23  9:47 ` Jiri Kosina
2011-12-23  9:50   ` Gaurav Saxena
2011-12-23 11:59     ` Gaurav Saxena
2011-12-23 12:29       ` Maxin B John
2011-12-23 12:50         ` Gaurav Saxena
2011-12-23 13:00           ` richard -rw- weinberger
2011-12-24  9:09 ` Gaurav Saxena
2011-12-26  5:53   ` Rajat Sharma
2011-12-28  5:59     ` Gaurav Saxena
2011-12-28 13:44       ` Rajat Sharma
2011-12-29  6:42         ` Gaurav Saxena
2011-12-29  8:49           ` Rajat Sharma
2011-12-29 10:23             ` Gaurav Saxena
2011-12-29 11:11               ` Rajat Sharma
2011-12-29 12:06                 ` Gaurav Saxena
2011-12-29 12:25                   ` Rajat Sharma
2011-12-29 12:32                     ` Gaurav Saxena
     [not found]                       ` <CALJfu6NrF2fjsWUi4gnV9X6AN3rcecL=6=j9ZZADaRGwz3mECw@mail.gmail.com>
2011-12-29 13:12                         ` Rajat Sharma
2011-12-29 14:03                           ` Gaurav Saxena
2011-12-29 14:32                             ` Gaurav Saxena
2012-01-20  7:38                           ` Gaurav Saxena
2011-12-29 14:01                         ` Gaurav Saxena
  -- strict thread matches above, loose matches on Subject: below --
2010-02-04 19:00 Oleg Kutkov
2010-02-04 19:26 ` Bryan Donlan
     [not found]   ` <5e9821061002042140le7ba356s48e535c9d8b637ec@mail.gmail.com>
2010-02-05  7:20     ` Bryan Donlan
2004-12-21  4:22 selvakumar nagendran
2004-12-21  4:28 ` Lee Revell
2004-12-21 13:51 ` Steven Rostedt
