Intercepting file system system calls


Problem description



I am writing an application for which I need to intercept some filesystem system calls, e.g. unlink. I would like to save some file, say abc. If the user deletes the file then I need to copy it to some other place. So I need unlink to call my code before deleting abc so that I could save it. I have gone through threads related to intercepting system calls, but methods like LD_PRELOAD won't work in my case because I want this to be secure and implemented in the kernel, so this method won't be useful. inotify notifies after the event, so I would not be able to save it. Could you suggest any such method? I would like to implement this in a kernel module instead of modifying the kernel code itself.

Another method, as suggested by Graham Lee, I had thought of, but it has some problems: I need a hardlink mirror of all the files; it consumes no space but could still be problematic, as I have to repeatedly mirror the drive to keep my mirror up to date; also it won't work cross-partition or on partitions not supporting links. So I want a solution through which I could attach hooks to the files/directories and then watch for changes instead of repeated scanning. I would also like to add support for writes of modified files, for which I cannot use hard links.

I would like to intercept system calls by replacing system calls, but I have not been able to find any method of doing that in linux > 3.0. Please suggest some method of doing that.

Solution

As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:

https://github.com/cormander/tpe-lkm

Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls function inside security.c. I haven't tried this on linux > 3.0 yet, but the same basic concept should still work.

It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.
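The hijack pattern the answer points at (save the original table entry, install a wrapper, let the wrapper do its work and then delegate) modelled in user space, as an added example that is neither tpe-lkm's code nor a kernel module. A function-pointer slot stands in for the sys_call_table entry, libc unlink() stands in for the original handler, and the quarantine directory, the `install_unlink_hook`/`dispatch_unlink` names and the sample file contents are all constructed for the illustration. What it does show is the part the answer calls tricky: the wrapper runs before the real unlink, copies regular files to a quarantine directory, and fails closed (refuses the delete) if the copy could not be made.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define PATHBUF 4096
typedef int (*unlink_fn)(const char *path);

/* Added example, not tpe-lkm code: a pointer slot stands in for the sys_call_table entry. */
static unlink_fn unlink_slot = unlink;   /* the "table entry", initially the original */
static unlink_fn orig_unlink = NULL;     /* saved on install, restored on removal */
static char quarantine_dir[PATHBUF];     /* hypothetical save location, set at install */

/* Copy src to quarantine_dir/<basename>.ino<inode>. 0 on success, -1 with errno set. */
static int save_copy(const char *src, unsigned long long ino)
{
    const char *base = strrchr(src, '/');
    char dst[PATHBUF], buf[8192];
    ssize_t n = 0, w = 0;
    int rc = 0, e;
    base = base ? base + 1 : src;
    if (snprintf(dst, PATHBUF, "%s/%s.ino%llu", quarantine_dir, base, ino) >= PATHBUF) { errno = ENAMETOOLONG; return -1; }
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* never clobber an earlier copy */
    if (out < 0) { e = errno; close(in); errno = e; return -1; }
    while (rc == 0 && (n = read(in, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; off += w)              /* handle short writes */
            if ((w = write(out, buf + off, (size_t)(n - off))) < 0) { rc = -1; break; }
    if (n < 0) rc = -1;
    e = errno;
    close(in);
    if (close(out) < 0 && rc == 0) { rc = -1; e = errno; }
    errno = e;
    return rc;
}

/* The wrapper installed in the slot: runs BEFORE the real unlink. */
static int hooked_unlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISREG(st.st_mode) &&
        save_copy(path, (unsigned long long)st.st_ino) != 0)
        return -1;                  /* fail closed: never delete what could not be saved */
    return orig_unlink(path);       /* symlinks, FIFOs, missing paths: straight through */
}

int install_unlink_hook(const char *dir)
{
    if (orig_unlink) { errno = EBUSY; return -1; }             /* already hooked */
    if (snprintf(quarantine_dir, PATHBUF, "%s", dir) >= PATHBUF) { errno = ENAMETOOLONG; return -1; }
    orig_unlink = unlink_slot;      /* save the original first, then swap the slot */
    unlink_slot = hooked_unlink;
    return 0;
}

void remove_unlink_hook(void)
{
    if (orig_unlink) { unlink_slot = orig_unlink; orig_unlink = NULL; }
}

/* What the syscall entry would do: call whatever the slot points to. */
int dispatch_unlink(const char *path) { return unlink_slot(path); }

/* Self-check on a constructed file: returns 0 on success, else the failing step. */
int run_demo(void)
{
    static const char content[] = "constructed sample: payroll.csv v1\n";
    const size_t len = sizeof content - 1;
    char dir[] = "/tmp/unlink-demo-XXXXXX", qdir[PATHBUF], file[PATHBUF], copy[PATHBUF], buf[64];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(qdir, PATHBUF, "%s/quarantine", dir);
    snprintf(file, PATHBUF, "%s/abc", dir);
    if (mkdir(qdir, 0700) != 0) return 2;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, content, len) != (ssize_t)len || close(fd) != 0) return 3;
    if (stat(file, &st) != 0) return 4;
    snprintf(copy, PATHBUF, "%s/abc.ino%llu", qdir, (unsigned long long)st.st_ino);
    if (install_unlink_hook(qdir) != 0) return 5;
    int rc = dispatch_unlink(file);                  /* hooked: copy first, then delete */
    int saved_ok = rc == 0 && access(file, F_OK) != 0;
    rc = dispatch_unlink(file);                      /* now missing: passes straight through */
    int err = errno;
    remove_unlink_hook();
    if (!saved_ok) return 6;
    if (rc != -1 || err != ENOENT) return 7;
    if ((fd = open(copy, O_RDONLY)) < 0) return 8;   /* saved copy must be byte-identical */
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    if (n != (ssize_t)len || memcmp(buf, content, len) != 0) return 9;
    unlink(copy); rmdir(qdir); rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0) puts("copy-before-unlink OK"); else printf("failed at step %d\n", rc);
    return rc;
}
```

Two things change when this is moved into the kernel. The table itself is the hard part: sys_call_table is not exported to modules and the page it lives on is write-protected, which is why tpe-lkm carries its own symbol lookup (symbols.c) and hijacking code (hijacks.c); on kernels newer than the ones the answer was written for, a kprobe or ftrace hook on the unlink path, or an LSM hook such as security_path_unlink, gives the same "before the operation" position without patching the table. The copy is the other part: the wrapper runs in kernel context, so the read/write loop above has to be rewritten against the kernel's own file APIs, and the fail-closed decision (refuse the unlink when the copy fails, as above, or log and allow it) needs to be made deliberately, because a quarantine directory that fills up otherwise turns into a denial of file deletion.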
