good afternoon,
I'm searching for a way to trace/intercept syscalls, both before and
after execution. "ptrace" is not an option (you probably know why).
I've found CONFIG_AUDIT and CONFIG_AUDITSYSCALL, which offer
"audit_syscall_entry" and "audit_syscall_exit", but I don't know
how to use this. Also, the comment in kernel/auditsc.c reads:
* The method for actual interception of syscall entry and exit (not in
* this file -- see entry.S) is based on a GPL'd patch written by
* [email protected] and Copyright 2003 SuSE Linux AG.
So, am I looking in the wrong file?
I just can't see how this software communicates with user-space,
there is no "register_xxx" (or whatever) in the source-files.
Is it necessary to write an additional module (like se-linux does)
which makes use of audit and exports its own functionality to
userspace?
So far, in the audit-1.1.5 daemon, I've only found a PF_NETLINK/NETLINK_AUDIT
socket. *Is* this it?
What's additionally confusing me is that linux/Documentation/devices.txt
says that "block 130 minor 0 = Audit device", yet, although I'm running
with 2.6.16 + CONFIG_AUDIT & CONFIG_AUDITSYSCALL, there just is no
block dev 130 in /proc/devices. Is the entry in devices.txt wrong?
regards,
h.rosmanith
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
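The PF_NETLINK/NETLINK_AUDIT socket found in the audit daemon is the user-space side of the kernel audit interface: status queries and rule changes travel over it, not over a device node. As an added example (not code from the mail above, nor from the audit package), the following C program sends an AUDIT_GET request on that socket and decodes the struct audit_status the kernel answers with. It assumes a Linux host with linux/audit.h, a constructed 8 KiB receive buffer, and CAP_AUDIT_CONTROL (otherwise the kernel replies with NLMSG_ERROR carrying -EPERM, which the decoder reports).

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
union audit_msg { struct nlmsghdr h; unsigned char raw[8192]; }; /* header-aligned buffer */

/* Fill in a netlink header plus optional payload; returns the bytes to send. */
size_t audit_build_request(struct nlmsghdr *nlh, unsigned short type,
                           const void *data, size_t len, unsigned int seq)
{
    nlh->nlmsg_len = NLMSG_LENGTH(len);
    nlh->nlmsg_type = type;                 /* AUDIT_GET, AUDIT_SET, AUDIT_ADD_RULE, ... */
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq = seq; nlh->nlmsg_pid = 0;   /* port id 0: the kernel fills in ours */
    if (len) memcpy(NLMSG_DATA(nlh), data, len);
    return nlh->nlmsg_len;
}

/* Decode one reply: 0 with *st filled for an AUDIT_GET status message, the
 * kernel's negative errno for NLMSG_ERROR (-EPERM without CAP_AUDIT_CONTROL),
 * -EAGAIN for a bare ack, -EBADMSG for a truncated or unexpected message. */
int audit_parse_reply(const struct nlmsghdr *nlh, size_t got, struct audit_status *st)
{
    if (!NLMSG_OK(nlh, got)) return -EBADMSG;
    size_t n = NLMSG_PAYLOAD(nlh, 0);
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        const struct nlmsgerr *e = NLMSG_DATA(nlh);
        return n < sizeof(*e) ? -EBADMSG : e->error ? e->error : -EAGAIN;
    }
    if (nlh->nlmsg_type != AUDIT_GET) return -EBADMSG;
    memset(st, 0, sizeof(*st));             /* older kernels send a shorter struct */
    memcpy(st, NLMSG_DATA(nlh), n < sizeof(*st) ? n : sizeof(*st));
    return 0;
}
int main(void)
{
    union audit_msg buf; struct audit_status st;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };  /* nl_pid 0 = the kernel */
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    size_t len = audit_build_request(&buf.h, AUDIT_GET, NULL, 0, 1);
    if (fd < 0 || sendto(fd, &buf, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) { perror("audit netlink"); return 1; }
    ssize_t got = recv(fd, &buf, sizeof buf, 0);
    int rc = got < 0 ? -errno : audit_parse_reply(&buf.h, (size_t)got, &st);
    if (rc) { fprintf(stderr, "audit: %s\n", strerror(-rc)); return 1; }
    printf("enabled=%u auditd_pid=%u lost=%u backlog=%u\n", st.enabled, st.pid, st.lost, st.backlog);
    return close(fd);
}
```

Syscall rules are added over the same socket with AUDIT_ADD_RULE messages, which is what auditctl does on top of this exchange.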