Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261265AbUKWOPu (ORCPT ); Tue, 23 Nov 2004 09:15:50 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261255AbUKWOPs (ORCPT ); Tue, 23 Nov 2004 09:15:48 -0500 Received: from ecfrec.frec.bull.fr ([129.183.4.8]:17893 "EHLO ecfrec.frec.bull.fr") by vger.kernel.org with ESMTP id S261265AbUKWOOc (ORCPT ); Tue, 23 Nov 2004 09:14:32 -0500 Subject: Re: [PATCH 2.6.9] fork: add a hook in do_fork() From: Guillaume Thouvenin To: lkml Cc: guillaume.thouvenin@bull.net In-Reply-To: <20041123080643.GD23974@kroah.com> References: <1101189797.6210.53.camel@frecb000711.frec.bull.fr> <20041123080643.GD23974@kroah.com> Date: Tue, 23 Nov 2004 15:14:28 +0100 Message-Id: <1101219268.6210.133.camel@frecb000711.frec.bull.fr> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 X-MIMETrack: Itemize by SMTP Server on ECN002/FR/BULL(Release 5.0.12 |February 13, 2003) at 23/11/2004 15:21:33, Serialize by Router on ECN002/FR/BULL(Release 5.0.12 |February 13, 2003) at 23/11/2004 15:21:35, Serialize complete at 23/11/2004 15:21:35 Content-Transfer-Encoding: 7bit Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2344 Lines: 81 So I tried to implement a solution using LSM hook and I have a strange behavior. Here is the code of the module. It is just to test if I can get the pid of the parent and its new created child. --- fork_hook_module.c [BEGIN] --- #include /* for all modules */ #include /* for KERN_ALERT */ #include /* for the macros */ #include /* for task_struct */ #include /* for LSM hook */ static int elsa_task_alloc_security(struct task_struct *p); struct security_operations elsa_ops = { .task_alloc_security = elsa_task_alloc_security, }; static int elsa_task_alloc_security(struct task_struct *p) { printk(KERN_ALERT "intercept a fork: %d created by %d\n", p->pid, p->parent->pid); return 0; } static int __init fh_init(void) { printk(KERN_ALERT "fh: fork hook added\n"); if (register_security(&elsa_ops)) panic(KERN_ALERT "fh: Unable to register fork hook\n"); return 0; } static void __exit fh_exit(void) { if (unregister_security(&elsa_ops)) printk(KERN_ALERT "fh: Unable to un-register with fork hook\n"); printk(KERN_ALERT "fh: fork hook removed\n"); } module_init(fh_init); module_exit(fh_exit); MODULE_AUTHOR("Guillaume Thouvenin"); MODULE_DESCRIPTION("Fork Hook"); MODULE_LICENSE("GPL"); --- fork_hook_module.c [END] --- When I load the module, the hook is well registered. Now, if I run a command from a shell, like a 'top', the message in the kernel log like indicates a wrong parent ID. Here is the output of the top command: PID PPID USER %CPU CPU COMMAND 2009 2008 guill 0.0 0 bash 2109 2108 guill 0.0 0 bash 2704 2109 guill 0.0 0 top and here is the message found in the kernel log: intercept a fork: 2704 created by 2108 It should be 2109... not 2108 I think that the problem occurs because the security_task_alloc() is called, the field p->parent is not set. Is it true? and if it is, is it possible to move the hook after the initialization of the variable p->parent? Regards, Guillaume - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/