From owner-freebsd-hackers@FreeBSD.ORG  Sun Dec  3 10:08:42 2006
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id C313616A403
	for <freebsd-hackers@freebsd.org>; Sun,  3 Dec 2006 10:08:42 +0000 (UTC)
	(envelope-from rwatson@FreeBSD.org)
Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E635B43CAE
	for <freebsd-hackers@freebsd.org>; Sun,  3 Dec 2006 10:08:15 +0000 (GMT)
	(envelope-from rwatson@FreeBSD.org)
Received: from fledge.watson.org (fledge.watson.org [209.31.154.41])
	by cyrus.watson.org (Postfix) with ESMTP id C62FA46D49;
	Sun,  3 Dec 2006 05:08:39 -0500 (EST)
Date: Sun, 3 Dec 2006 10:08:39 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
X-X-Sender: robert@fledge.watson.org
To: Stanislav Ochotnicky <stanislav.ochotnicky@kmit.sk>
In-Reply-To: <4571AA86.1060303@kmit.sk>
Message-ID: <20061203100714.H40536@fledge.watson.org>
References: <4571AA86.1060303@kmit.sk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-hackers@freebsd.org
Subject: Re: tracing AND intercepting syscalls?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2006 10:08:42 -0000

On Sat, 2 Dec 2006, Stanislav Ochotnicky wrote:

> trustedbsd's MAC framework: i've read manual, looked at source etc. And I 
> couldn't find a way to stop at every syscall certain process has made. There 
> is mac_syscall() function but as far as I could tell, it only registers new 
> syscall. All in all, it seems that it should have some way to do this, maybe 
> I just couldn't find it.

As discussed elsewhere in the thread, ptrace() has a syscall trapping 
facility, although I've not used it so can't speak to how well it works.

There are patches to add system call entry and exit hooks to the MAC 
Framework, but they've not yet been merged.  I anticipate that they will ship 
in FreeBSD 7.0, and may get MFC'd, depending on schedule, etc.

Robert N M Watson
Computer Laboratory
University of Cambridge