Syscall hijacking
To trace file access and get a boot profile, I've chosen to hijack the sys_open and/or sys_read system calls.
Doing it with LD_PRELOAD (like esddsp and artsdsp do) isn't enough, since it doesn't work for programs that don't use libc.
I could have used LSM (Linux Security Modules) or the Linux audit subsystem, but neither of them felt convenient to me.
So, I did it the hijacking way, overriding system calls.
sys_call_table symbol
Starting with the 2.6 kernel series, the sys_call_table symbol is no longer exported. Sebek and gnome-startup looked for it in a specific memory region, but in our compiled 2.6.16 vmlinuz the sys_call_table symbol is no longer located between the loops_per_jiffy and boot_cpu_data variables.
One solution is to look for sys_call_table in the whole data section (between init_mm.end_code and init_mm.end_data); see the System calls replacement article.
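As an added illustration (not the author's code), the following Python script shows, from a defender's side, the two facts the paragraph above relies on: sys_call_table lives in the kernel data section, and every slot of a healthy table points into kernel text. It parses a constructed System.map excerpt (the _etext and _edata symbols are assumed to be what init_mm.end_code and init_mm.end_data are set to at boot), checks that sys_call_table falls between them, and then audits a constructed snapshot of table entries, flagging any slot whose handler lies outside [_text, _etext), which is the signature an overridden entry leaves behind. Syscall numbers follow the i386 ABI (3 = read, 5 = open).

```python
import bisect
import re

# Constructed System.map excerpt (addresses are made up for the example).
# sys_call_table is a 'D' symbol: it sits in .data, between _etext and _edata.
SYSTEM_MAP = """\
c0100000 T _text
c0105a40 T sys_open
c0105c20 T sys_read
c0106100 T sys_write
c02f1a00 T _etext
c0300000 D init_mm
c0310000 D sys_call_table
c0345000 D _edata
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$")


def parse_system_map(text):
    """Map symbol name -> (address, type) from System.map-style lines."""
    symbols = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, typ, name = m.groups()
            symbols[name] = (int(addr, 16), typ)
    return symbols


def locate_sys_call_table(symbols):
    """Return (address, in_data_section) for sys_call_table.

    init_mm.end_code / init_mm.end_data are assumed to equal _etext / _edata,
    so a scan of that range is where the table should be found.
    """
    addr = symbols["sys_call_table"][0]
    end_code = symbols["_etext"][0]
    end_data = symbols["_edata"][0]
    return addr, end_code <= addr < end_data


def resolve_text_symbol(symbols, addr):
    """kallsyms-style lookup: nearest preceding 'T' symbol, or None if outside text."""
    text = sorted((a, n) for n, (a, t) in symbols.items() if t == "T" and n != "_etext")
    addrs = [a for a, _ in text]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0 or addr >= symbols["_etext"][0]:
        return None
    return text[i][1]


def audit_table(snapshot, symbols):
    """Audit a {syscall_nr: handler_address} snapshot of sys_call_table.

    Returns a sorted list of (nr, address) for slots that do not point into
    [_text, _etext). A hijacked slot points at module memory instead.
    """
    text_start = symbols["_text"][0]
    text_end = symbols["_etext"][0]
    return sorted((nr, a) for nr, a in snapshot.items()
                  if not text_start <= a < text_end)


# Constructed snapshot: slot 5 (open) has been redirected to a module address
# in the vmalloc area, outside the kernel text range.
SNAPSHOT = {3: 0xc0105c20, 4: 0xc0106100, 5: 0xd0801230}


def run_example():
    symbols = parse_system_map(SYSTEM_MAP)
    addr, in_data = locate_sys_call_table(symbols)
    bad = audit_table(SNAPSHOT, symbols)
    return {
        "sys_call_table": addr,
        "in_data_section": in_data,
        "suspicious": bad,
        "names": {nr: resolve_text_symbol(symbols, a) for nr, a in SNAPSHOT.items()},
    }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

Running the script on the constructed data reports sys_call_table at 0xc0310000 inside the data section, resolves slots 3 and 4 to sys_read and sys_write, and flags slot 5 as pointing outside kernel text. On a real system the snapshot would come from reading the table out of kernel memory, and the address ranges from the running kernel's System.map or /proc/kallsyms.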
Logging, using debugfs
sysfs doesn't support seq_file, which basically allows mapping data structures to file lines (heavily used in /proc). So, I've used debugfs to make my boot profile readable under /debug (which needs mount -t debugfs none /debug).
The file list is stored in memory using the kernel's doubly linked list implementation (which I was already familiar with, having used it for mandi in userspace /o\), and is protected with kernel mutexes.
Links
- The Virtual File System (VFS), from The Linux Kernel book
- The Linux Virtual File System
- Virtual file system on Wikipedia
- Inodes and Operations