Date: Thu, 15 Jan 1998 21:07:56 -0800 (PST)
From: Sean Eric Fagan <sef@kithrup.com>
To: boia01@gel.usherb.ca
Cc: hackers@FreeBSD.ORG
Subject: Re: procfs: intercept calls?
Message-ID: <199801160507.VAA16320@kithrup.com>
In-Reply-To: <Pine.BSF.3.95q.980115224236.11844A-100000.kithrup.freebsd.hackers@teel.info-noire.com>

In article <Pine.BSF.3.95q.980115224236.11844A-100000.kithrup.freebsd.hackers@teel.info-noire.com> you write:
>I've just read in a USENIX abstract that it's possible "to intercept
>specific system calls" with the /proc filesystem, and service the call
>with a user-level program.

This depends on the procfs implementation -- there are at least a half-dozen different, largely-incompatible versions that I know of. (I, of course, am responsible for one of them ;).)

>Is this feasible on FreeBSD? I've just read the procfs man page a few
>times and can't see any mention about this. I suppose that one doesn't
>manually overwrite the process' text segment where the syscalls are
>made...

In freebsd-current, yes, it is possible to intercept system calls. At this point (and, probably forever), it's an all or nothing approach -- you can stop a process on system call entry, or system call exit (or both, of course), but not on any specific system call.

(There are several reasons for this. First and foremost is that I did not want to carry around two bitmasks for each process being monitored, as there are lots of possible system calls. Second, given that we support multiple sets of system calls [e.g., native FreeBSD, IBCS2, and Linux], the idea gets more complicated.)

The best documentation right now is in the truss program -- /usr/src/usr.bin/truss. i386-fbsd.c deals with the system call entry and exit.
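
An added example, not part of the original message and not code from truss or FreeBSD: it shows the same all-or-nothing model (stop on every system call entry and exit, then filter for the call of interest in the tracer) using Linux ptrace on x86-64 as a stand-in for the procfs interface discussed above. The names `counts`, `child_body` and `trace_getppid` are hypothetical, and the traced workload is constructed.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical result record: stops seen, and entries that matched our filter. */
struct counts { long entries, exits, wanted; };

/* Constructed workload: a child that makes n getppid() calls while traced. */
static void child_body(int n) {
    ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    raise(SIGSTOP);                 /* let the parent set its options first */
    for (int i = 0; i < n; i++)
        syscall(SYS_getppid);
    _exit(0);
}

/* Stop the child at every system call entry and exit (PTRACE_SYSCALL takes no
   per-call mask) and pick out getppid() in user space. Returns 0 on success. */
int trace_getppid(int n, struct counts *c) {
    int status, in_call = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) child_body(n);
    if (waitpid(pid, &status, 0) < 0) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    c->entries = c->exits = c->wanted = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) return 0;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;               /* a signal stop, not a system call boundary */
        if (!in_call) {             /* entry stop: the call number is readable now */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
            c->entries++;
            if ((long)regs.orig_rax == SYS_getppid) c->wanted++;
        } else {
            c->exits++;             /* exit stop: the return value is available */
        }
        in_call = !in_call;
    }
}
```

The final `exit_group` call produces an entry stop but never an exit stop, so a clean run ends with one more entry than exits.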