From: valdis.kletnieks@vt.edu (valdis.kletnieks at vt.edu)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Keeping track of called syscalls in real-time
Date: Wed, 28 Jun 2017 18:26:28 -0400 [thread overview]
Message-ID: <47802.1498688788@turing-police.cc.vt.edu> (raw)
In-Reply-To: <19bc9ba9-5a95-7a4d-3763-57f3f695ef7f@seds.nl>
On Wed, 28 Jun 2017 19:06:56 -0300, Ben Mezger said:
> I'm actually formulating my thesis project. I am looking for a way to
> intercept system calls (those chosen by the users), where I can keep
> track of what syscall has been called and by who.
As I said before - knowing this, what do you *do* with it? Statistics
after the fact? Apply security rules before the fact? Something else?
The answer depends *a lot* on what you're planning to *do* with the info.
> A big picture of the _main_ idea of interception would be: Application
> called a syscall -> Intercept and delay call -> do something before the
> call -> return back to the syscall.
"Do something before the syscall".
Congrats - you just re-invented the LSM subsystem. Or possibly seccomp,
depending on what it is you're trying to accomplish.
Note that LSM's have some restrictions on what they can and can't do,
mostly because it's otherwise almost impossible to do any reasoning about
the security and stability guarantees of a process/system otherwise.
> By real-time I mean as soon as an application called a syscall (i.e.
> fopen), I could then receive a reply from the kernel informing me X
> called fopen, where X could be a pid or whatever.
Yes, but the question is "what value of "I then receive" appropriate?
Do you need it before the syscall is executed? After it is finished?
Or "don't care at all as long as we eventually get a complete trail"?
> >> Have you looked at the syscall audit facility?
>
> I have not. Are you talking about auditctl?
That's part of the userspace utilities that interface to the audit system.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20170628/44fa1b2d/attachment.bin
next prev parent reply other threads:[~2017-06-28 22:26 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-28 20:48 Keeping track of called syscalls in real-time Ben Mezger
2017-06-28 21:19 ` valdis.kletnieks at vt.edu
2017-06-28 22:06 ` Ben Mezger
2017-06-28 22:26 ` valdis.kletnieks at vt.edu [this message]
2017-06-28 23:16 ` Ben Mezger
2017-06-29 0:49 ` W. Michael Petullo
2017-06-29 13:45 ` Ben Mezger
2017-06-29 1:19 ` valdis.kletnieks at vt.edu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47802.1498688788@turing-police.cc.vt.edu \
--to=valdis.kletnieks@vt.edu \
--cc=kernelnewbies@lists.kernelnewbies.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.