From owner-freebsd-hackers@FreeBSD.ORG Sat Dec 2 19:48:46 2006
From: Kostik Belousov <kostikbel@gmail.com>
To: Stanislav Ochotnicky
Date: Sat, 2 Dec 2006 21:48:40 +0200
Message-ID: <20061202194840.GD35681@deviant.kiev.zoral.com.ua>
In-Reply-To: <4571AA86.1060303@kmit.sk>
Cc: freebsd-hackers@freebsd.org
Subject: Re: tracing AND intercepting syscalls?

On Sat, Dec 02, 2006 at 05:32:06PM +0100, Stanislav Ochotnicky wrote:
> Hi
>
> I'm doing some research concerning tracing and intercepting of syscalls.
> Ideally this would be done in userspace. It doesn't have to be
> system-wide. It would be enough if I could fork/exec a new process, and
> somehow be notified every time it makes a syscall, with the ability to alter
> arguments/return values. I (more or less) need an interface similar to
> Linux ptrace when called with PTRACE_SYSCALL. The systrace utility does the
> same thing on OpenBSD/Linux. I've been through some mailing lists and
> their archives, read the FreeBSD developers' guide, TrustedBSD's MAC framework
> intro, man pages, asked on IRC and god knows what else and couldn't find
> a solution. Here's what I have found out so far about interfaces that
> resemble what I need:
>
> ptrace: unable to trace syscalls, only singlestep, this would be too
> slow imho, not to mention problems with identifying syscalls.

Did you look at the PT_SYSCALL, PT_TO_SCE and PT_TO_SCX ptrace(2) facilities?

> /proc interface: more or less like ptrace, better for modifying the memory
> of a process etc., but also unable to trace syscalls.

Read the man pages and code of the truss(1) and strace(1) utilities.
Truss is available in the base system, strace is in the ports.

> ktrace: almost there, able to trace syscalls, but it only writes them to
> a file, and thus I cannot intercept them.
>
> TrustedBSD's MAC framework: I've read the manual, looked at the source etc. And
> I couldn't find a way to stop at every syscall a certain process has made.
> There is a mac_syscall() function but as far as I could tell, it only
> registers a new syscall. All in all, it seems that it should have some way
> to do this, maybe I just couldn't find it.
>
> If a kernel module/change is needed I would appreciate a push in the right
> direction.
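The ptrace(2) requests named in the reply are enough to build the interceptor the original poster asked for. The following is an added example, not code from this thread nor from truss(1): a tracer that forks and execs a program, stops it at every syscall entry and exit with PT_SYSCALL (PT_TO_SCE and PT_TO_SCX are the one-sided "run to next entry" / "run to next exit" variants), reads the arguments, and alters both the call and its return value. The policy is illustrative: an open(2)/openat(2) whose path starts with one of two constructed prefixes is swapped for getpid(2) at entry so the open never executes, and at exit the tracee is shown EACCES. It assumes FreeBSD on amd64 (register names from <machine/reg.h>) and a release whose struct ptrace_lwpinfo carries pl_syscall_code and PL_FLAG_SCE/PL_FLAG_SCX, which postdates the 2006 thread; the policy function is portable C and is the only part that builds elsewhere.

```c
/* Added example (not from the thread): FreeBSD syscall interception via ptrace(2).
 * Assumes FreeBSD/amd64 with pl_syscall_code in struct ptrace_lwpinfo. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Portable part: the interception policy. The prefixes are constructed sample data. */
static const char *const denied_prefixes[] = { "/etc/master.passwd", "/root/", NULL };

int deny_path(const char *path)
{
    for (const char *const *p = denied_prefixes; *p != NULL; p++)
        if (strncmp(path, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

#if defined(__FreeBSD__) && defined(__amd64__)
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <machine/psl.h>
#include <machine/reg.h>
#include <err.h>
#include <stdint.h>
#include <unistd.h>

/* Copy a NUL-terminated string out of the tracee with PT_IO, never crossing a
 * page boundary in one request, so a string ending just before an unmapped
 * page is still read instead of failing as a whole. */
static int read_tracee_string(pid_t pid, uintptr_t addr, char *buf, size_t len)
{
    size_t got = 0, pg = (size_t)getpagesize();
    while (got < len - 1) {
        size_t chunk = pg - ((addr + got) % pg);
        if (chunk > len - 1 - got)
            chunk = len - 1 - got;
        struct ptrace_io_desc io = { PIOD_READ_D, (void *)(addr + got), buf + got, chunk };
        if (ptrace(PT_IO, pid, (caddr_t)&io, 0) == -1 || io.piod_len == 0)
            return -1;
        if (memchr(buf + got, '\0', io.piod_len) != NULL)
            return 0;
        got += io.piod_len;
    }
    buf[len - 1] = '\0';
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        errx(2, "usage: %s program [args...]", argv[0]);
    pid_t pid = fork();
    if (pid == -1)
        err(1, "fork");
    if (pid == 0) {
        ptrace(PT_TRACE_ME, 0, NULL, 0);   /* the parent becomes our tracer */
        execvp(argv[1], argv + 1);         /* the exec stops us with SIGTRAP */
        _exit(127);
    }
    int status, sig = 0, denied = 0;
    struct ptrace_lwpinfo pl;
    struct reg r;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        errx(1, "tracee did not stop at exec");
    for (;;) {
        /* PT_SYSCALL stops at every entry (SCE) and exit (SCX); `sig` is the
         * pending signal to deliver, if the last stop was a signal stop. */
        if (ptrace(PT_SYSCALL, pid, (caddr_t)1, sig) == -1)
            err(1, "PT_SYSCALL");
        if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
            break;
        sig = 0;
        if (ptrace(PT_LWPINFO, pid, (caddr_t)&pl, sizeof(pl)) == -1)
            err(1, "PT_LWPINFO");
        if (pl.pl_flags & PL_FLAG_SCE) {
            /* Entry: number in rax, arguments in rdi, rsi, rdx, r10, r8, r9.
             * pl_syscall_code also resolves the indirect syscall(2) forms. */
            ptrace(PT_GETREGS, pid, (caddr_t)&r, 0);
            denied = 0;
            if (pl.pl_syscall_code == SYS_open || pl.pl_syscall_code == SYS_openat) {
                char path[1024];
                uintptr_t uaddr = pl.pl_syscall_code == SYS_open ? r.r_rdi : r.r_rsi;
                if (read_tracee_string(pid, uaddr, path, sizeof path) == 0 && deny_path(path)) {
                    /* Swap the call for getpid(2): the open never runs. The kernel
                     * re-fetches the syscall number after a debugger register write. */
                    r.r_rax = SYS_getpid;
                    if (ptrace(PT_SETREGS, pid, (caddr_t)&r, 0) == -1)
                        err(1, "PT_SETREGS");
                    denied = 1;
                    fprintf(stderr, "[tracer] open(\"%s\") denied\n", path);
                }
            }
        } else if ((pl.pl_flags & PL_FLAG_SCX) && denied) {
            /* Exit: report an error instead of getpid()'s result. On amd64 the
             * kernel returns errno in rax with the carry flag set, and libc's
             * syscall stub turns that into -1 with errno set. */
            ptrace(PT_GETREGS, pid, (caddr_t)&r, 0);
            r.r_rax = EACCES;
            r.r_rflags |= PSL_C;
            if (ptrace(PT_SETREGS, pid, (caddr_t)&r, 0) == -1)
                err(1, "PT_SETREGS");
            denied = 0;
        } else if (!(pl.pl_flags & (PL_FLAG_SCE | PL_FLAG_SCX))) {
            sig = WSTOPSIG(status);        /* plain signal stop: pass it on */
        }
    }
    if (WIFEXITED(status))
        fprintf(stderr, "[tracer] tracee exited with status %d\n", WEXITSTATUS(status));
    return 0;
}
#endif
```

Run as `./tracer cat /etc/master.passwd` and cat reports "Permission denied" even as root, since the real open is never dispatched. Two caveats matter if this is meant as a security boundary rather than a tracing tool. First, the check is racy on the allow path: a second thread in the tracee can overwrite the path buffer between the tracer's read at entry and the kernel's own copyin, the classic weakness of ptrace- and systrace-style sandboxes; an in-kernel mechanism (the MAC framework the poster mentions, or Capsicum on later releases) does not have that gap. Second, the loop does not follow children (see PT_FOLLOW_FORK), so a forked grandchild escapes the policy. Newer FreeBSD releases also offer PT_GET_SC_ARGS and PT_GET_SC_RET, which avoid the per-architecture register decoding shown here.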