From owner-freebsd-hackers Thu Jan 15 21:08:12 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA25314 for hackers-outgoing; Thu, 15 Jan 1998 21:08:12 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from kithrup.com (kithrup.com [205.179.156.40]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA25305 for ; Thu, 15 Jan 1998 21:08:05 -0800 (PST) (envelope-from sef@kithrup.com)
Received: (from sef@localhost) by kithrup.com (8.8.8/8.8.7) id VAA16320; Thu, 15 Jan 1998 21:07:56 -0800 (PST) (envelope-from sef)
Date: Thu, 15 Jan 1998 21:07:56 -0800 (PST)
From: Sean Eric Fagan
Message-Id: <199801160507.VAA16320@kithrup.com>
To: boia01@gel.usherb.ca
Reply-To: hackers@FreeBSD.ORG
Subject: Re: procfs: intercept calls?
In-Reply-To:
Organization: Kithrup Enterprises, Ltd.
Cc: hackers@FreeBSD.ORG
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

In article you write:
>I've just read in a USENIX abstract that it's possible "to intercept
>specific system calls" with the /proc filesystem, and service the call
>with a user-level program.

This depends on the procfs implementation -- there are at least a
half-dozen different, largely-incompatible versions that I know of.
(I, of course, am responsible for one of them ;).)

>Is this feasible on FreeBSD? I've just read the procfs man page a few
>times and can't see any mention about this. I suppose that one doesn't
>manually overwrite the process' text segment where the syscalls are
>made...

In freebsd-current, yes, it is possible to intercept system calls. At
this point (and, probably forever), it's an all-or-nothing approach --
you can stop a process on system call entry, or system call exit (or
both, of course), but not on any specific system call.

(There are several reasons for this. First and foremost is that I did
not want to carry around two bitmasks for each process being monitored,
as there are lots of possible system calls. Second, given that we
support multiple sets of system calls [e.g., native FreeBSD, IBCS2, and
Linux], the idea gets more complicated.)

The best documentation right now is in the truss program --
/usr/src/usr.bin/truss. i386-fbsd.c deals with the system call entry
and exit.