Overriding System Calls - Linux


Thread: Overriding System Calls

  1. Overriding System Calls

    Hello experts,
    We are trying to override the system call in Linux.
    We have downloaded the sample code from this location

    http://www.faqs.org/docs/kernel/x931.html

    We are giving
    gcc -c -O2 -DMODULE -D__KERNEL__ syscall.c -I /lib/modules/2.4.20-8/build/include

    as a command to compile this source code.
    It compiles without giving any error.
    But when we insmod this module, it gives just one error as

    [root@localhost root]# insmod syscall.o
    syscall.o: unresolved symbol sys_call_table

    Where are we going wrong?
    Thanks in advance.


  2. Re: Overriding System Calls

    Prafulla T wrote:
    > We are trying to override the system call in Linux.
    > We have downloaded the sample code from this location
    >
    > http://www.faqs.org/docs/kernel/x931.html
    >
    > We are giving
    > gcc -c -O2 -DMODULE -D__KERNEL__ syscall.c -I
    > /lib/modules/2.4.20-8/build/include
    >
    > as a command to compile this source code.
    > It compiles without giving any error.
    > But when we insmod this module, it gives just one error as
    >
    > [root@localhost root]# insmod syscall.o
    > syscall.o: unresolved symbol sys_call_table
    >
    > Where are we going wrong?


    The practice of replacing syscall table entries is frowned upon by
    Linus and the other kernel maintainers -- so much so that the
    sys_call_table symbol is no longer exported. This explains why your
    module can't find it. If you care to know more details, use google to
    find the (many and extensive) discussions about, for and against the
    decision.

    GH


  3. Re: Overriding System Calls

    What should I do now?
    Is it possible at all to do it?

    gil_hamilton@hotmail.com wrote:
    > Prafulla T wrote:
    > > We are trying to override the system call in Linux.
    > > We have downloaded the sample code from this location
    > >
    > > http://www.faqs.org/docs/kernel/x931.html
    > >
    > > We are giving
    > > gcc -c -O2 -DMODULE -D__KERNEL__ syscall.c -I
    > > /lib/modules/2.4.20-8/build/include
    > >
    > > as a command to compile this source code.
    > > It compiles without giving any error.
    > > But when we insmod this module, it gives just one error as
    > >
    > > [root@localhost root]# insmod syscall.o
    > > syscall.o: unresolved symbol sys_call_table
    > >
    > > Where are we going wrong?

    >
    > The practice of replacing syscall table entries is frowned upon by
    > Linus and the other kernel maintainers -- so much so that the
    > sys_call_table symbol is no longer exported. This explains why your
    > module can't find it. If you care to know more details, use google to
    > find the (many and extensive) discussions about, for and against the
    > decision.
    >
    > GH



  4. Re: Overriding System Calls

    Prafulla T wrote:
    > What should I do now?
    > Is it possible at all to do it?


    1. Modify the kernel source to directly include your own system call
    code.

    2. Modify the kernel source to export the sys_call_table symbol. (Of
    course, your modification won't ever make it into the official kernel
    source tree but if you're just trying to learn...)

    3. Figure out how to dynamically locate the sys call table from your
    loadable module. (This is ugly and I don't recommend it, but it
    certainly seems feasible. Hint: where in kernel memory could you find a
    block of 230+ consecutive words, each of which contains a valid kernel
    virtual address?)

    GH


  5. Re: Overriding System Calls


    Prafulla T wrote:

    > What should I do now?
    > Is it possible at all to do it?


    Anything that can be done by intercepting a system call can be done
    another way. What are you trying to do?

    DS


  6. Re: Overriding System Calls

    I am trying to develop a recycle-bin-like thing in Linux.
    For that I need to override the unlink sys call!
    Anyways, it is working now!!


    David Schwartz wrote:
    > Anything that can be done by intercepting a system call can be done
    > another way. What are you trying to do?
    >
    > DS



  8. Re: Overriding System Calls

    Prafulla T wrote:
    > What should I do now?
    > Is it possible at all to do it?


    You've got the source code to the entire kernel, GCC, and every single
    tool in the chain.

    Thus you can change the behavior of anything you want.

    What do you need, someone to change your diaper and burp you?


  9. Re: Overriding System Calls

    Prafulla T wrote:
    > I am trying to develop a recycle-bin-like thing in Linux.
    > For that I need to override the unlink sys call!


    File links are also dropped in the rename operation, when the target
    name refers to an existing file.
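
The point made in the post above, as an added example that is not part of the original thread: renaming one file over another drops the old file's last link without any unlink() call, so a hook on unlink alone never sees the loss. The scratch directory and file names are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns the link count of a file after another file has been renamed
 * over its name, or -1 on error. Uses a constructed scratch directory. */
long links_after_rename_over(void)
{
    char dir[64], old[96], tmp[96];
    struct stat st;
    long result = -1;

    snprintf(dir, sizeof dir, "/tmp/renamedemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    snprintf(old, sizeof old, "%s/report.txt", dir);
    snprintf(tmp, sizeof tmp, "%s/report.tmp", dir);

    /* Keep a descriptor on the old file so its inode can still be
     * inspected after its name has been taken over. */
    int keep = open(old, O_CREAT | O_WRONLY, 0600);
    int repl = open(tmp, O_CREAT | O_WRONLY, 0600);
    if (keep >= 0 && repl >= 0 &&
        fstat(keep, &st) == 0 && st.st_nlink == 1 &&
        rename(tmp, old) == 0 &&          /* no unlink() is issued here */
        fstat(keep, &st) == 0)
        result = (long)st.st_nlink;       /* old inode is now unlinked */

    if (keep >= 0) close(keep);
    if (repl >= 0) close(repl);
    unlink(old);                          /* clean up the scratch files */
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("links left on the overwritten file: %ld\n",
           links_after_rename_over());
    return 0;
}
```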


  10. Re: Overriding System Calls


    Prafulla T wrote:

    > I am trying to develop a recycle-bin-like thing in Linux.
    > For that I need to override the unlink sys call!
    > Anyways, it is working now!!


    Don't override the unlink system call. Think through what type of
    interface it would make sense for an in-kernel recycle bin like thing
    to have and add that interface to the Linux kernel. Then use that
    interface to implement your recycle bin.

    DS


  11. Re: Overriding System Calls

    Content reorganized to correct top-posting


    Prafulla T wrote:
    > David Schwartz wrote:
    > > Anything that can be done by intercepting a system call can be done
    > > another way. What are you trying to do?

    [snip]
    > I am trying to develop a recycle-bin-like thing in Linux.


    Hmmm.. The only advantage that I can see of the "recycle bin" approach
    vs a straight "delete" is that the contents of the "recycle bin" can be
    restored. This implies that, within the recycle bin, you somehow track
    the original path to the deleted file, and implement some mechanism for
    selecting between different files with the same path to restore (i.e. I
    edit a text file, and delete the txt~ backup. I edit again and delete
    the 2nd txt~ backup, which shares the same name as the first txt~
    backup. Now I want to restore the 1st txt~ backup file; how do I choose
    it from the recycle bin?)

    The recycle bin approach also implies a further "empty bin" function
    that irreversibly completes the delete process.

    Add to this the requirements of properly handling hard and soft links
    (hard links will be harder; how do you restore a file that had multiple
    hard links? Do you overwrite the file (through the other links) that
    /may/ have different contents than the "recycled" file, or do you
    restore to a different name? If a different name is selected, how do
    you select the name?)

    For that matter, the restore will have to accommodate multiple users as
    well, and you don't want user A restoring user B's deleted files from
    the recycle bin, so you may need multiple recycle bins, and some way to
    associate a specific recycle bin to a specific user, both for restore
    and for delete.

    > For that I need to override the unlink sys call!


    My gut feel is that
    a) this is a job better done outside of the kernel, in userspace
    somewhere. It depends too much on userspace variables and interaction
    with the user to be part of the kernel, and
    b) overriding the unlink syscall is the least of your worries if you
    were to implement this in system space. You'll have to come up with
    changes to the link() syscall and the symlink() syscall, and you'll
    have to build several new syscalls to manage and restore from the
    "recycle bin".

    > Anyways, it is working now!!


    Good. Have fun with it. At least it's a learning experience for you.

    HTH
    - --
    Lew Pitcher
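
A user-space take on the design questions raised in the post above, as an added example that is not code from the thread: each deleted file gets its own numbered slot in a private per-user directory, and its original path is recorded beside it, so two deleted files with the same name can both be restored. The bin location and the `<name>.<n>` / `<name>.<n>.info` layout are assumptions made for this sketch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Move absolute `path` into the per-user directory `bin` (hypothetical
 * layout: "<name>.<n>" plus "<name>.<n>.info"). Returns 0 and fills slot. */
int trash_put(const char *path, const char *bin, char *slot, size_t len)
{
    char info[4096], data[4096];
    const char *base = strrchr(path, '/');
    int fd = -1, n;

    if (path[0] != '/' || base[1] == '\0')
        return -1;                 /* need an absolute file path */
    base++;
    if (mkdir(bin, 0700) != 0 && errno != EEXIST)
        return -1;                 /* created 0700: private to this user */
    /* O_EXCL reserves a free slot, so an earlier deleted file with the
     * same name is kept; a bare rename() into the bin would replace it. */
    for (n = 0; n < 1000 && fd < 0; n++) {
        snprintf(slot, len, "%s.%d", base, n);
        snprintf(info, sizeof info, "%s/%s.info", bin, slot);
        fd = open(info, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 && errno != EEXIST)
            return -1;
    }
    if (fd < 0)
        return -1;                 /* no free slot */
    /* Record the original path so a restore can list each version. */
    ssize_t w = write(fd, path, strlen(path));
    close(fd);
    snprintf(data, sizeof data, "%s/%s", bin, slot);
    if (w != (ssize_t)strlen(path) || rename(path, data) != 0) {
        unlink(info);              /* e.g. EXDEV: bin on another filesystem */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    char slot[256];
    if (argc != 3 || trash_put(argv[1], argv[2], slot, sizeof slot) != 0)
        return 1;
    return puts(slot) < 0;
}
```

Only the name passed in is moved; other hard links to the same file stay where they are, which is the restore question the post raises.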



  12. Re: Overriding System Calls

    I use safedelete. Pretty comfortable.

    http://www.boutell.com/lsm/lsmbyid.cgi/001508

    Prafulla T wrote:
    > I am trying to develop a recycle-bin-like thing in Linux.
    > For that I need to override the unlink sys call!
    > Anyways, it is working now!!
    >
    >
    > David Schwartz wrote:
    > > Anything that can be done by intercepting a system call can be done
    > > another way. What are you trying to do?
    > >
    > > DS


