How to monitor Linux file system operations - Linux

  1. How to monitor Linux file system operations

    How can I hook the Linux file system?

    I want to monitor the operations on a file.

    I don't know whether the Linux file system provides the capability to
    hook the file_operation.

    Can I only write a kernel module, without modifying the sources in the fs,
    to provide the hook function?

    Thanks.



    Baumann@Pan


  2. Re: How to monitor Linux file system operations

    On 21 Jun 2006 00:14:40 -0700
    "baumann.Pan@gmail.com" wrote:

    > How can I hook the Linux file system?
    >
    > I want to monitor the operations on a file.
    >
    > I don't know whether the Linux file system provides the capability to
    > hook the file_operation.

    Yes. It's pretty simple. You can simply open a file in your module
    and replace the "function pointer" filp->f_dentry->d_inode->i_fop->open
    to insert a hook function for open, and the rest may be deduced by
    analogy.

    Good luck.
    >
    > Can I only write a kernel module, without modifying the sources in the fs,
    > to provide the hook function?
    >
    > thanks.
    >
    >
    >
    > Baumann@Pan
    >


  3. Re: How to monitor Linux file system operations


    albcamus wrote:
    > On 21 Jun 2006 00:14:40 -0700
    > "baumann.Pan@gmail.com" wrote:
    >
    > > How can I hook the Linux file system?
    > >
    > > I want to monitor the operations on a file.
    > >
    > > I don't know whether the Linux file system provides the capability to
    > > hook the file_operation.

    > Yes. It's pretty simple. You can simply open a file in your module,

    Open a file? Which file do you mean?
    > and replace the "function pointer" filp->f_dentry->d_inode->i_fop->open


    Do I need to modify the kernel source code? I hope there is a way, with
    no need to change the kernel source, of adding a new kernel module which
    can do the task.

    BTW: I am working on Linux kernel 2.6.16.

    > to insert a hook function for open, and the rest may be deduced by
    > analogy.
    >
    > good luck.
    > >
    > > Can I only write a kernel module, without modifying the sources in the fs,
    > > to provide the hook function?
    > >
    > > thanks.
    > >
    > >
    > >
    > > Baumann@Pan
    > >



  4. Re: How to monitor Linux file system operations

    It depends on which files you want to monitor.
    You should only write a module if you want to write your own filesystem
    and monitor files inside it. Then you should implement the VFS
    interface, like the one albcamus mentioned.

    However, if you want to monitor files on the root or any other mounted
    filesystem, a module would not help. Instead, as of kernel 2.6.13-rc3
    there is something called Inotify, a tool which fires events as files
    are modified in the filesystem. Data indexing systems like Beagle use
    it.

    You can find inotify here:
    http://www.kernel.org/pub/linux/kern...e/rml/inotify/
    I think you need to recompile the kernel to include it...

    Hope this helped

    Victor Cionca
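
The inotify interface mentioned in the post above, from user space, as an added example that is not part of the original thread: it watches a scratch directory, performs a create, write and delete on a constructed file, and decodes the resulting event records. The path names and the `inotify_selftest` helper are assumptions made for the illustration, and `inotify_init1()` needs kernel 2.6.27 or later (on older kernels, `inotify_init()` plus `fcntl()`).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

#define EVENTS (IN_CREATE | IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE)

/* Drain a non-blocking inotify fd; print each record, return the OR of all masks. */
static uint32_t drain_events(int ifd)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    uint32_t seen = 0;
    ssize_t len;
    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len; ) { /* packed variable-length records */
            const struct inotify_event *ev = (const struct inotify_event *)p;
            printf("mask=0x%08x name=%s\n", (unsigned)ev->mask, ev->len ? ev->name : "-");
            seen |= ev->mask;
            p += sizeof *ev + ev->len;
        }
    }
    return seen; /* read() failed with EAGAIN: the queue is empty */
}

/* Constructed scenario: watch a scratch directory, then create, write to and
 * delete a file inside it. Returns the OR of the masks, 0 on setup failure. */
uint32_t inotify_selftest(void)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX", path[64];
    uint32_t seen = 0;
    FILE *f;
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0)
        return 0;
    if (mkdtemp(dir) && inotify_add_watch(ifd, dir, EVENTS) >= 0) {
        snprintf(path, sizeof path, "%s/watched.txt", dir);
        if ((f = fopen(path, "w")) != NULL) {      /* IN_CREATE */
            fputs("constructed sample data\n", f);
            fclose(f);                              /* IN_MODIFY, IN_CLOSE_WRITE */
        }
        unlink(path);                               /* IN_DELETE */
        seen = drain_events(ifd);
    }
    rmdir(dir);
    close(ifd);
    return seen;
}

int main(void) { return inotify_selftest() ? 0 : 1; }
```

An inotify event says what happened to a path, not which process did it, and a watch covers one directory rather than its whole subtree.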


  5. Re: How to monitor Linux file system operations


    moussevic wrote:
    > It depends on which files you want to monitor.
    > You should only write a module if you want to write your own filesystem
    > and monitor files inside it. Then you should implement the VFS
    > interface, like the one albcamus mentioned.
    >

    I want to monitor all the files accessed by others in the
    linux-2.6.16.19 kernel.
    So I think it's not only my own file system, and I can request others
    only use my file system.

    > However, if you want to monitor files on the root or any other mounted
    > filesystem, a module would not help. Instead, as of kernel 2.6.13-rc3
    > there is something called Inotify, a tool which fires events as files
    > are modified in the filesystem. Data indexing systems like Beagle use
    > it.
    >


    How about writing netfilter-like code to handle the problem?



    > You can find inotify here:
    > http://www.kernel.org/pub/linux/kern...e/rml/inotify/
    > I think you need to recompile the kernel to include it...
    >
    > Hope this helped
    >
    > Victor Cionca


