Date: Fri, 18 Oct 2002 20:29:50 +0200
From: Pawel Jakub Dawidek
To: Ramkumar Chinchani
Cc: hackers@freebsd.org
Subject: Re: tracing exec system call
Message-ID: <20021018182950.GQ80034@garage.freebsd.pl>

On Thu, Oct 17, 2002 at 06:13:24PM -0400, Ramkumar Chinchani wrote:
+>
+> What would be the best way to *capture* the execv system call at its entry point
+> from user space? ptrace()?
+>
+> What would be a good way to inspect the command line args to execv *after* the
+> path, etc., has been resolved?
+>
+> This is useful if one wants to monitor a process and all the system calls it makes and then disallow a few of them if suspicious.

Take a look at:

http://cerber.sourceforge.net

If you want to monitor only execve(), then the rexec project should be enough.

-- 
Pawel Jakub Dawidek
UNIX Systems Administrator
http://garage.freebsd.pl
Am I Evil? Yes, I Am.