From owner-freebsd-hackers@FreeBSD.ORG Sun Dec 3 00:36:41 2006 Return-Path: X-Original-To: freebsd-hackers@freebsd.org Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D4A3716A403 for ; Sun, 3 Dec 2006 00:36:41 +0000 (UTC) (envelope-from stanislav.ochotnicky@kmit.sk) Received: from alibaba.kmit.sk (alibaba.kmit.sk [194.160.28.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8139F43CB7 for ; Sun, 3 Dec 2006 00:36:15 +0000 (GMT) (envelope-from stanislav.ochotnicky@kmit.sk) Received: from localhost (localhost.localdomain [127.0.0.1]) by alibaba.kmit.sk (Postfix) with ESMTP id 4FA8B7F94 for ; Sun, 3 Dec 2006 01:36:37 +0100 (CET) Received: from [10.10.0.6] (gw.kmit.sk [194.160.28.62]) by alibaba.kmit.sk (Postfix) with ESMTP id 84A8F7F84 for ; Sun, 3 Dec 2006 01:36:35 +0100 (CET) Message-ID: <45721C0D.2000101@kmit.sk> Date: Sun, 03 Dec 2006 01:36:29 +0100 From: Stanislav Ochotnicky MIME-Version: 1.0 To: freebsd-hackers@freebsd.org References: <4571AA86.1060303@kmit.sk> <20061202194840.GD35681@deviant.kiev.zoral.com.ua> In-Reply-To: <20061202194840.GD35681@deviant.kiev.zoral.com.ua> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 7bit Subject: Re: tracing AND intercepting syscalls? X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Dec 2006 00:36:42 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Kostik Belousov wrote: > On Sat, Dec 02, 2006 at 05:32:06PM +0100, Stanislav Ochotnicky wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> Hi >> >> I'm doing some research concerning tracing and intercepting of syscalls. >> Ideally this would be done in userspace. It doesn't have to be >> system-wide. It would be enough if I could fork/exec new process, and >> somehow be noticed every time it makes syscall, with ability to alter >> arguments/return values. I (more or less) need similar interface like >> linux ptrace when called with PTRACE_SYSCALL. systrace utility does the >> same thing in OpenBSD/linux. I've been through some mailing lists and >> their archives, read FreeBSD developers guide,TrustedBSD's MAC framework >> intro, man pages, asked on IRC and god knows what else and couldn't find >> a solution. Here's what I have found out so far about interfaces that >> resemble what I need: >> >> ptrace: unable to trace syscalls, only singlestep, this would be too >> slow imho, not mentioning problems with identifying syscalls. >> > Did you look at PT_SYSCALL, PT_TO_SCE and PT_TO_SCX ptrace(2) facilities ? Cant believe I missed them, although they are not in man page of ptrace. At least on my FreeBSD 6.1. Citing from http://www.freebsd.org/projects/ideas/ "Someone needs to finish the support for PT_SYSCALL in the ptrace() subsystem, and add support for another ptrace() command that will replace the PIOCWAIT and PIOCSTATUS ioctls of procfs (should probably be named PT_WAIT), in order for truss(1) to be able to work without procfs(5). Removing the procfs(5) dependency from ps -e is also desirable." But I'll have a look. >> /proc interface: more or less like ptrace, better with modifying memory >> of process etc. but also unable to trace syscalls > Read the man pages and code of the truss(1) and strace(1) utilities. > Truss is available in base system, strace is in the ports. > Truss is a no way because it can't intercept syscalls. But I really don't understand how I could miss strace, since it's available also on other OSes. Will definitely look into it. Since it's done in userspace, there has to be a way(even if it would be obscure), for me to do the same.Maybe it uses mentioned PT_SYSCALL or such. Anyway this will be enough for me to start. Thanks a lot. >> ktrace: almost there, able to trace syscalls, but it only writes them to >> file, and thus i cannot intercept them. >> >> trustedbsd's MAC framework: i've read manual, looked at source etc. And >> I couldn't find a way to stop at every syscall certain process has made. >> There is mac_syscall() function but as far as I could tell, it only >> registers new syscall. All in all, it seems that it should have some way >> to do this, maybe I just couldn't find it. >> >> If kernel module/change is needed I would appreciate push in right >> direction. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFchwNul7h5FTXf/MRCPkUAJ9gSCjlHd0NFY76p4/eWq+OMoXHEgCeNVAZ AutEBjcAdcvswiYHEC9CdhM= =OWZG -----END PGP SIGNATURE-----