Is there a nice way to trap on file open() and stat() ?
That way i could have nice file statistics.
Magnus
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Programmer/Networker [|] Magnus Naeslund
PGP Key: http://www.genline.nu/mag_pgp.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
On Sat, 11 Nov 2000, Magnus Naeslund(b) wrote:
> Is there a nice way to trap on file open() and stat() ?
> That way i could have nice file statistics.
There was a thread about this a couple days ago.
http://x52.deja.com/threadmsg_ct.xp?AN=690272012.1&mhitnum=0&CONTEXT=973965178.1986985995
Michael
It seems that no one on that thread thought about using the Linux Trace
Toolkit which would allow you to do exactly what is asked for. Plus,
there's a basic hooking mechanism than enables you to hook onto any
file-system events and then do what you want with that.
In the case of trapping open() or stat() you'd only need to:
1) Patch the kernel with the LTT patch
2) Write a kernel module that uses the hooking interface to hook
onto system call entries and filter those out as needed. Moreover,
you could also hook onto file-system events which would give you
greater detail about the file-system related system calls occurring.
Eventually, I'd like to see item #1 disappear and the tracing patches
admitted part of the kernel tree. Other OSes have had such a capability
for a very long time. This, by itself, doesn't justify including it,
but it certainly does go to show usefulness. Moreover, Alan has suggested
that this might be a good way to implement C2 security into the kernel
since all system entries are monitored.
That said, here's an example module that could be a basis for trapping
open() and stat(). Although, it could be used to monitor other events:
#define MODULE
#include <linux/module.h>
#include <linux/trace.h>
int my_callback(uint8_t pmEventID,
void* pmStruct)
{
trace_syscall_entry* syscall_event = (trace_syscall_entry*) pmStruct;
printk("System call %d occured at address 0x%08X \n",
syscall_event->syscall_id,
syscall_event->address);
}
int init_module(void)
{
printk("callback initialized \n");
trace_register_callback(&my_callback,
TRACE_EV_SYSCALL_ENTRY);
return 0;
}
void cleanup_module(void)
{
trace_unregister_callback(&my_callback,
TRACE_EV_SYSCALL_ENTRY);
}
The only "problem" here being that you can't specify "open" or "stat" as
strings, but as their respective system call ID as seen in arch/i386/entry.S
for the i386. Note the patches available now include support for the PowerPC.
If anyone is interested in adding support for other architectures, feel
free to dig in.
You can find LTT and all relevant patches at: http://www.opersys.com/LTT
Best regards
Karim
Michael Vines wrote:
>
> On Sat, 11 Nov 2000, Magnus Naeslund(b) wrote:
>
> > Is there a nice way to trap on file open() and stat() ?
> > That way i could have nice file statistics.
>
> There was a thread about this a couple days ago.
>
> http://x52.deja.com/threadmsg_ct.xp?AN=690272012.1&mhitnum=0&CONTEXT=973965178.1986985995
>
> Michael
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> Please read the FAQ at http://www.tux.org/lkml/
--
===================================================
Karim Yaghmour
[email protected]
Operating System Consultant
(Linux kernel, real-time and distributed systems)
===================================================
> Is there a nice way to trap on file open() and
stat() ?
a few months ago, I helped a friend in writing a
generic syscall wrapper because he needed exactly
this.
You should take a look at the section "overloader" on
http://bdolez.free.fr/
Regards,
willy
___________________________________________________________
Do You Yahoo!? -- Pour dialoguer en direct avec vos amis,
Yahoo! Messenger : http://fr.messenger.yahoo.com
On Sat, 11 Nov 2000, Magnus Naeslund(b) wrote:
> Is there a nice way to trap on file open() and stat() ?
> That way i could have nice file statistics.
Look for a kernel module that replace the open syscall.
I don't have an url right now but search for my name in the lk archives.
I put a question like this.
>
> Magnus
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Programmer/Networker [|] Magnus Naeslund
> PGP Key: http://www.genline.nu/mag_pgp.txt
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> Please read the FAQ at http://www.tux.org/lkml/
>
---
Catalin(ux) BOIE
[email protected]
A new Linux distribution: http://l13plus.deuroconsult.ro
http://www2.deuroconsult.ro/~catab