How to find path of an executable in a kernel module - Linux


  1. How to find path of an executable in a kernel module

    Dear All,

    How to find the path of a running process in HDD?
    E.g. a process named myproc is currently running. On the hard disk its
    executable is stored in /home/myproc.
    I want to write a module. In that particular module, I want to print
    the path of this current process (/home/proc).

    I am trying to use current->proc_dentry->d_name.name,

    I am getting a segfault ... I am trying many other things as well but
    have not been able to solve the problem. Can anyone please guide me
    through?
    I shall be thankful.

    Regards,
    Ashish

  2. Re: How to find path of an executable in a kernel module

    Ashish Kumar writes:

    > Dear All,
    >
    > How to find the path of a running process in HDD ?


    Which path? A file can have zero, one, or many different names.
    Furthermore, a process need not be associated with a file at all.

    --
    Måns Rullgård
    mans@mansr.com

  3. Re: How to find path of an executable in a kernel module

    On Dec 7, 1:13 am, Måns Rullgård wrote:

    > Which path? A file can have zero, one, or many different names.
    > Furthermore, a process need not be associated with a file at all.


    I know it's possible to get the original path by which the file was
    opened when the executable began its life. However, the file that that
    *now* points to, if any, may not have any relationship to the file
    that was opened when the executable began its life.

    From user-space, for example, try 'stat /proc/self/exe'. For a kernel-
    space example, look at proc_exe_link in fs/proc/task_mmu.c directory.

    The basic idea is you grab the task's mm context and look for an
    executable that's mmapped into the mm context as an executable. When/
    if you find one, you can look at its f_path field.

    DS

  4. Re: How to find path of an executable in a kernel module

    On Dec 7, 5:53 pm, David Schwartz wrote:
    > On Dec 7, 1:13 am, Måns Rullgård wrote:
    >
    > > Which path? A file can have zero, one, or many different names.
    > > Furthermore, a process need not be associated with a file at all.

    >
    > I know it's possible to get the original path by which the file was
    > opened when the executable began its life. However, the file that that
    > *now* points to, if any, may not have any relationship to the file
    > that was opened when the executable began its life.
    >
    > From user-space, for example, try 'stat /proc/self/exe'. For a kernel-
    > space example, look at proc_exe_link in fs/proc/task_mmu.c directory.
    >
    > The basic idea is you grab the task's mm context and look for an
    > executable that's mmapped into the mm context as an executable. When/
    > if you find one, you can look at its f_path field.
    >
    > DS



    Thanks David for the pointer. Yes, exactly that 'original path' we need
    to find in some kernel space ....
    I will try it and shall get back to you ...
    Probably using some of the Fops functions in VFS we can get that ...
    Thanks

  5. Re: How to find path of an executable in a kernel module

    On Dec 7, 2:13 pm, Måns Rullgård wrote:
    > Ashish Kumar writes:
    > > Dear All,

    >
    > > How to find the path of a running process in HDD ?

    >
    > Which path? A file can have zero, one, or many different names.
    > Furthermore, a process need not be associated with a file at all.
    >
    > --
    > Måns Rullgård
    > m...@mansr.com


    But initially, for user space, a process is started by running some
    executable.
    Say I made an exe named a.out in /home/Ashish ...
    Now I give ./a.out ....
    Now this a.out process is running ...
    So now I have to write some kernel module which captures the pathname
    of this executable a.out from where the process a.out was started ....
    Hmm, I guess I am able to express the problem to some extent at least.

  6. Re: How to find path of an executable in a kernel module

    On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar wrote:
    | On Dec 7, 2:13 pm, Måns Rullgård wrote:
    |> Ashish Kumar writes:
    |> > Dear All,
    |>
    |> > How to find the path of a running process in HDD ?
    |>
    |> Which path? A file can have zero, one, or many different names.
    |> Furthermore, a process need not be associated with a file at all.
    |>
    |> --
    |> Måns Rullgård
    |> m...@mansr.com
    |
    | But initially, for user space, a process is started by running some
    | executable.
    | Say I made an exe named a.out in /home/Ashish ...
    | Now I give ./a.out ....
    | Now this a.out process is running ...
    | So now I have to write some kernel module which captures the pathname
    | of this executable a.out from where the process a.out was started ....
    | Hmm, I guess I am able to express the problem to some extent at least.

    What if a.out, and the directory it was in, have been unlinked while the
    process is still running? Even if you think you would never do this, you
    really need to handle it, anyway, for a complete and correct program.
    Otherwise you are potentially creating a DoS exploit.

    Do you want the path that was running when the process was created by fork()
    or do you want the new path established by any subsequent execve() calls?

    I have noted that "lsof" can report the path of an executable that has been
    deleted (and its current directory as well):

    foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
    foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)

    So that info is clearly stored somewhere even within the reach of a user
    space program like lsof. Maybe see where lsof is getting it and do the
    same for your code.

    --
    |---------------------------------------/----------------------------------|
    | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    | first name lower case at ipal.net / spamtrap-2007-12-09-1027@ipal.net |
    |------------------------------------/-------------------------------------|
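
Added example (not part of the thread and not any poster's code): a user-space check built on the `/proc/<pid>/exe` link and the "(deleted)" marker mentioned in the replies above. It compares the inode the process is running from with the inode its recorded path names now; `exe_state_of`, `strip_deleted` and the enum are names made up for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum exe_state { EXE_NONE, EXE_SAME, EXE_DELETED, EXE_REPLACED };

/* Strip the " (deleted)" marker the kernel appends; returns 1 if it was there. */
static int strip_deleted(char *path)
{
    static const char tag[] = " (deleted)";
    size_t n = strlen(path), t = sizeof(tag) - 1;

    if (n <= t || strcmp(path + n - t, tag) != 0)
        return 0;
    path[n - t] = '\0';
    return 1;
}

/* Classify pid's executable; the recorded path (marker removed) lands in path. */
static enum exe_state exe_state_of(pid_t pid, char *path, size_t len)
{
    char link[64];
    struct stat running, on_disk;
    ssize_t n;

    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    n = readlink(link, path, len - 1);
    if (n < 0 || stat(link, &running) != 0)  /* stat follows the link to the mapped inode */
        return EXE_NONE;                     /* kernel thread, exited, or no permission */
    path[n] = '\0';
    /* Try the name as recorded first: a file may really be called "x (deleted)". */
    if (stat(path, &on_disk) == 0 && running.st_dev == on_disk.st_dev &&
        running.st_ino == on_disk.st_ino)
        return EXE_SAME;
    strip_deleted(path);
    return stat(path, &on_disk) == 0 ? EXE_REPLACED : EXE_DELETED;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "none", "same", "deleted", "replaced" };
    char path[4096] = "";
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();

    printf("%s %s\n", names[exe_state_of(pid, path, sizeof(path))], path);
    return 0;
}
```

A "replaced" or "deleted" result for a long-running process is what a package upgrade leaves behind, and it is also worth a look during triage because the file on disk is no longer the code that is executing.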

  7. Re: How to find path of an executable in a kernel module

    On Dec 9, 9:34 pm, phil-news-nos...@ipal.net wrote:
    > On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar wrote:
    > | On Dec 7, 2:13 pm, Måns Rullgård wrote:
    > |> Ashish Kumar writes:
    > |> > Dear All,
    > |>
    > |> > How to find the path of a running process in HDD ?
    > |>
    > |> Which path? A file can have zero, one, or many different names.
    > |> Furthermore, a process need not be associated with a file at all.
    > |>
    > |> --
    > |> Måns Rullgård
    > |> m...@mansr.com
    > |
    > | But initially, for user space, a process is started by running some
    > | executable.
    > | Say I made an exe named a.out in /home/Ashish ...
    > | Now I give ./a.out ....
    > | Now this a.out process is running ...
    > | So now I have to write some kernel module which captures the pathname
    > | of this executable a.out from where the process a.out was started ....
    > | Hmm, I guess I am able to express the problem to some extent at least.
    >
    > What if a.out, and the directory it was in, have been unlinked while the
    > process is still running? Even if you think you would never do this, you
    > really need to handle it, anyway, for a complete and correct program.
    > Otherwise you are potentially creating a DoS exploit.
    >
    > Do you want the path that was running when the process was created by fork()
    > or do you want the new path established by any subsequent execve() calls?
    >
    > I have noted that "lsof" can report the path of an executable that has been
    > deleted (and its current directory as well):
    >
    > foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
    > foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)
    >
    > So that info is clearly stored somewhere even within the reach of a user
    > space program like lsof. Maybe see where lsof is getting it and do the
    > same for your code.
    >
    > --
    > |---------------------------------------/-----------------------------------|
    > | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    > | first name lower case at ipal.net / spamtrap-2007-12-09-1...@ipal.net |
    > |------------------------------------/--------------------------------------|


    It was easy,
    just use the kernel method d_path() ....

    Thanks,
    Ashish

  8. Re: How to find path of an executable in a kernel module

    On Dec 10, 3:42 pm, Ashish Kumar wrote:
    > On Dec 9, 9:34 pm, phil-news-nos...@ipal.net wrote:
    >
    > > On Fri, 7 Dec 2007 22:08:42 -0800 (PST) Ashish Kumar wrote:
    > > | On Dec 7, 2:13 pm, Måns Rullgård wrote:
    > > |> Ashish Kumar writes:
    > > |> > Dear All,
    > > |>
    > > |> > How to find the path of a running process in HDD ?
    > > |>
    > > |> Which path? A file can have zero, one, or many different names.
    > > |> Furthermore, a process need not be associated with a file at all.
    > > |>
    > > |> --
    > > |> Måns Rullgård
    > > |> m...@mansr.com
    > > |
    > > | But initially, for user space, a process is started by running some
    > > | executable.
    > > | Say I made an exe named a.out in /home/Ashish ...
    > > | Now I give ./a.out ....
    > > | Now this a.out process is running ...
    > > | So now I have to write some kernel module which captures the pathname
    > > | of this executable a.out from where the process a.out was started ....
    > > | Hmm, I guess I am able to express the problem to some extent at least.

    >
    > > What if a.out, and the directory it was in, have been unlinked while the
    > > process is still running? Even if you think you would never do this, you
    > > really need to handle it, anyway, for a complete and correct program.
    > > Otherwise you are potentially creating a DoS exploit.

    >
    > > Do you want the path that was running when the process was created by fork()
    > > or do you want the new path established by any subsequent execve() calls?

    >
    > > I have noted that "lsof" can report the path of an executable that has been
    > > deleted (and its current directory as well):

    >
    > > foo 23747 phil cwd DIR 3,4 48 5022501 /home/phil/dummy (deleted)
    > > foo 23747 phil txt REG 3,4 44072 5022502 /home/phil/dummy/foo (deleted)

    >
    > > So that info is clearly stored somewhere even within the reach of a user
    > > space program like lsof. Maybe see where lsof is getting it and do the
    > > same for your code.

    >
    > > --
    > > |---------------------------------------/------------------------------------|
    > > | Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
    > > | first name lower case at ipal.net / spamtrap-2007-12-09-1...@ipal.net |
    > > |------------------------------------/---------------------------------------|

    >
    > It was easy,
    > just use the kernel method d_path() ....
    >
    > Thanks,
    > Ashish


    I just wrote a few lines; the code is not optimized, though:

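    char buf[100];
    char *s;
    /* fs->pwd/pwdmnt are the task's working directory, so this prints the cwd. */
    s = d_path(cur->fs->pwd, cur->fs->pwdmnt, buf, sizeof(buf));
    if (IS_ERR(s))  /* e.g. -ENAMETOOLONG when the path does not fit in buf */
        printk("d_path failed: %ld\n", PTR_ERR(s));
    else
        printk("NAME = %s\n", s);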


    It seems to be working fine...
