Subject: Kernel hook for open

Hi, guys!

I wish to know if there is something like a kernel hook for open function.
I want to monitor a file (someting like watchdog on Solaris) and to read
from my own process (module?) and from the file.

I tried with LD_SO_PRELOAD but it haven't any effect on the so libraries.
For example:
If I use function getpwent (that is in a so library) and my home
made .so library that overwrite "open" function and is in
/etc/ld.so.preload file it doesn't work.
Of course, if I use open ("/etc/hosts") the so library execute my
function.

If it doesn't exist will be nice to have something like this.

Thanks in advance!

---
Catalin(ux) BOIE
[email protected]
A new Linux distribution: http://l13plus.deuroconsult.ro
http://www2.deuroconsult.ro/~catab


2000-11-06 14:57:31

by Erik Mouw

[permalink] [raw]
Subject: Re: Kernel hook for open

On Mon, Nov 06, 2000 at 03:55:41PM +0200, Catalin BOIE wrote:
> I wish to know if there is something like a kernel hook for open function.
> I want to monitor a file (someting like watchdog on Solaris) and to read
> from my own process (module?) and from the file.

I don't know what watchdog is, but maybe strace is what you want (man
strace for more info).

> I tried with LD_SO_PRELOAD but it haven't any effect on the so libraries.
> For example:
> If I use function getpwent (that is in a so library) and my home
> made .so library that overwrite "open" function and is in
> /etc/ld.so.preload file it doesn't work.
> Of course, if I use open ("/etc/hosts") the so library execute my
> function.

Use LD_PRELOAD instead.


Erik

--
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
of Electrical Engineering, Faculty of Information Technology and Systems,
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
Phone: +31-15-2783635 Fax: +31-15-2781843 Email: [email protected]
WWW: http://www-ict.its.tudelft.nl/~erik/

2000-11-06 15:12:14

by Michael Vines

[permalink] [raw]
Subject: Re: Kernel hook for open

On Mon, 6 Nov 2000, Erik Mouw wrote:

> On Mon, Nov 06, 2000 at 03:55:41PM +0200, Catalin BOIE wrote:
> > I wish to know if there is something like a kernel hook for open function.
> > I want to monitor a file (someting like watchdog on Solaris) and to read
> > from my own process (module?) and from the file.
>
> I don't know what watchdog is, but maybe strace is what you want (man
> strace for more info).
>
> > I tried with LD_SO_PRELOAD but it haven't any effect on the so libraries.
> > For example:
> > If I use function getpwent (that is in a so library) and my home
> > made .so library that overwrite "open" function and is in
> > /etc/ld.so.preload file it doesn't work.
> > Of course, if I use open ("/etc/hosts") the so library execute my
> > function.
>
> Use LD_PRELOAD instead.

You could also write a simple kernel module that replaces the open system
call. See the Linux Kernel Module Programming Guide for details.
http://www.linuxdoc.org/guides.html

specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html

Michael


2000-11-06 17:21:54

by Erik Mouw

[permalink] [raw]
Subject: Re: Kernel hook for open

On Mon, Nov 06, 2000 at 10:11:11AM -0500, Michael Vines wrote:
> On Mon, 6 Nov 2000, Erik Mouw wrote:
> > Use LD_PRELOAD instead.
>
> You could also write a simple kernel module that replaces the open system
> call. See the Linux Kernel Module Programming Guide for details.
> http://www.linuxdoc.org/guides.html
>
> specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html

Why difficult when it can be done easy? To test the Y2K readiness of
some programs (yeah, Y2K, remember?), I wrote a small library that
overloaded the time() and gettimeofday() syscalls in about 100 lines of
code. No kernel modules needed, no root privileges needed, just set the
environment variable LD_PRELOAD and off you go.


Erik

--
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
of Electrical Engineering, Faculty of Information Technology and Systems,
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
Phone: +31-15-2783635 Fax: +31-15-2781843 Email: [email protected]
WWW: http://www-ict.its.tudelft.nl/~erik/

2000-11-06 17:41:16

by Michael Vines

[permalink] [raw]
Subject: Re: Kernel hook for open

On Mon, 6 Nov 2000, Erik Mouw wrote:

> On Mon, Nov 06, 2000 at 10:11:11AM -0500, Michael Vines wrote:
> > On Mon, 6 Nov 2000, Erik Mouw wrote:
> > > Use LD_PRELOAD instead.
> >
> > You could also write a simple kernel module that replaces the open system
> > call. See the Linux Kernel Module Programming Guide for details.
> > http://www.linuxdoc.org/guides.html
> >
> > specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html
>
> Why difficult when it can be done easy? To test the Y2K readiness of
> some programs (yeah, Y2K, remember?), I wrote a small library that
> overloaded the time() and gettimeofday() syscalls in about 100 lines of
> code. No kernel modules needed, no root privileges needed, just set the
> environment variable LD_PRELOAD and off you go.

Well the question was posted to the kernel mailing list and not the glibc
mailing list after all :)

Michael

Subject: Re: Kernel hook for open

On Mon, 6 Nov 2000, Erik Mouw wrote:

> On Mon, Nov 06, 2000 at 10:11:11AM -0500, Michael Vines wrote:
> > On Mon, 6 Nov 2000, Erik Mouw wrote:
> > > Use LD_PRELOAD instead.
> >
> > You could also write a simple kernel module that replaces the open system
> > call. See the Linux Kernel Module Programming Guide for details.
> > http://www.linuxdoc.org/guides.html
> >
> > specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html
>
> Why difficult when it can be done easy? To test the Y2K readiness of
> some programs (yeah, Y2K, remember?), I wrote a small library that
> overloaded the time() and gettimeofday() syscalls in about 100 lines of
> code. No kernel modules needed, no root privileges needed, just set the
> environment variable LD_PRELOAD and off you go.

I did this but it doesn't catch the getpwent (that use open)!
On strace it apears but my function is not called (I think it's called the
one from the library).

>
>
> Erik
>
> --
> J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
> of Electrical Engineering, Faculty of Information Technology and Systems,
> Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
> Phone: +31-15-2783635 Fax: +31-15-2781843 Email: [email protected]
> WWW: http://www-ict.its.tudelft.nl/~erik/
>

---
Catalin(ux) BOIE
[email protected]
A new Linux distribution: http://l13plus.deuroconsult.ro
http://www2.deuroconsult.ro/~catab

Subject: Re: Kernel hook for open

On Mon, 6 Nov 2000, Michael Vines wrote:

> On Mon, 6 Nov 2000, Erik Mouw wrote:
>
> > On Mon, Nov 06, 2000 at 10:11:11AM -0500, Michael Vines wrote:
> > > On Mon, 6 Nov 2000, Erik Mouw wrote:
> > > > Use LD_PRELOAD instead.
> > >
> > > You could also write a simple kernel module that replaces the open system
> > > call. See the Linux Kernel Module Programming Guide for details.
> > > http://www.linuxdoc.org/guides.html
> > >
> > > specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html
> >
> > Why difficult when it can be done easy? To test the Y2K readiness of
> > some programs (yeah, Y2K, remember?), I wrote a small library that
> > overloaded the time() and gettimeofday() syscalls in about 100 lines of
> > code. No kernel modules needed, no root privileges needed, just set the
> > environment variable LD_PRELOAD and off you go.
>
> Well the question was posted to the kernel mailing list and not the glibc
> mailing list after all :)
>
> Michael
>

Yes, you are right. It was my fault. I should have send my mail to both
kernel and glibc list.

I just want to intercept open call. That's all. I don't care much if I
must do a kernel module or I use PRELOAD. Probably is better to use
LD_PRELOAD.

Thank you all for your kindly help! You are great! All of you! Thanks!

---
Catalin(ux) BOIE
[email protected]sult.ro
A new Linux distribution: http://l13plus.deuroconsult.ro
http://www2.deuroconsult.ro/~catab

2000-11-07 11:06:49

by Tigran Aivazian

[permalink] [raw]
Subject: Re: Kernel hook for open

On Mon, 6 Nov 2000, Erik Mouw wrote:

> On Mon, Nov 06, 2000 at 10:11:11AM -0500, Michael Vines wrote:
> > On Mon, 6 Nov 2000, Erik Mouw wrote:
> > > Use LD_PRELOAD instead.
> >
> > You could also write a simple kernel module that replaces the open system
> > call. See the Linux Kernel Module Programming Guide for details.
> > http://www.linuxdoc.org/guides.html
> >
> > specifically http://www.linuxdoc.org/LDP/lkmpg/node20.html
>
> Why difficult when it can be done easy? To test the Y2K readiness of
> some programs (yeah, Y2K, remember?), I wrote a small library that
> overloaded the time() and gettimeofday() syscalls in about 100 lines of
> code. No kernel modules needed, no root privileges needed, just set the
> environment variable LD_PRELOAD and off you go.

To test Y2k readiness of programs one simply can use my timetravel kernel
module. No, doing things in userspace is far more complex and less
reliable and also simply not good enough (because doesn't cover the case
of statically-linked binaries):

http://www.ocston.org/~tigran/tt/tt.html

Regards,
Tigran

2000-11-07 11:09:50

by Tigran Aivazian

[permalink] [raw]
Subject: Re: Kernel hook for open

On Tue, 7 Nov 2000, Tigran Aivazian wrote:
> To test Y2k readiness of programs one simply can use my timetravel kernel
> module. No, doing things in userspace is far more complex and less
> reliable and also simply not good enough (because doesn't cover the case
~~~~~~~~

yes, yes, I am aware of the infamous "race in rmmod in blocked syscalls
replaced by a module" problem. But now that y2k is long gone why should I
fix it? :) (it is trivial to fix with MOD_INC/DEC_USE_COUNT anyway).


> of statically-linked binaries):
>
> http://www.ocston.org/~tigran/tt/tt.html
>
> Regards,
> Tigran
>
>