Intercepting file system system calls
Problem description
I am writing an application for which I need to intercept some filesystem system calls, e.g. unlink. I would like to save some file, say abc. If the user deletes the file then I need to copy it to some other place. So I need unlink to call my code before deleting abc so that I can save it. I have gone through threads related to intercepting system calls, but methods like LD_PRELOAD won't work in my case because I want this to be secure and implemented in the kernel, so this method won't be useful. inotify notifies after the event, so I would not be able to save it. Could you suggest any such method? I would like to implement this in a kernel module instead of modifying the kernel code itself.

Another method, as suggested by Graham Lee: I had thought of this method, but it has some problems. I need a hardlink mirror of all the files; it consumes no space but could still be problematic, as I have to repeatedly mirror the drive to keep my mirror up to date. Also it won't work cross-partition or on partitions not supporting links, so I want a solution through which I could attach hooks to the files/directories and then watch for changes instead of repeated scanning. I would also like to add support for writes of modified files, for which I cannot use hard links.

I would like to intercept system calls by replacing system calls, but I have not been able to find any method of doing that in Linux > 3.0. Please suggest some method of doing that.
As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:
https://github.com/cormander/tpe-lkm
Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls function inside security.c. I haven't tried this on Linux > 3.0 yet, but the same basic concept should still work.
It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.
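The "file copy before the unlink" step the answer mentions, modelled in user space as an added example (not code from tpe-lkm or from this thread): a kernel hook would perform the equivalent on the path it intercepts. It tries the zero-space hard link first and falls back to a byte copy where a link cannot be used, which covers the cross-partition and about-to-be-modified cases the question raises; `preserve_file`, `copy_file`, `demo_round_trip` and the `/tmp` paths are this example's own assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Byte-for-byte copy keeping permission bits; a partial target is removed on failure. */
static int copy_file(const char *src, const char *dst)
{
    struct stat st; char buf[65536]; ssize_t n = 0, off, w; int e = 0;
    int in = open(src, O_RDONLY);
    if (in < 0 || fstat(in, &st) != 0) { e = errno; if (in >= 0) close(in); return -e; }
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, st.st_mode & 07777);
    if (out < 0) { e = errno; close(in); return -e; }
    while (!e && (n = read(in, buf, sizeof buf)) > 0)
        for (off = 0; off < n && !e; off += w)
            if ((w = write(out, buf + off, (size_t)(n - off))) <= 0) { e = w < 0 ? errno : EIO; w = 0; }
    if (!e && (n < 0 || fsync(out) != 0)) e = errno;
    close(in); close(out);
    if (e) unlink(dst);
    return -e;
}

/* Back up `path` at `backup` before the original is unlinked. Returns 1 if a hard
 * link sufficed (no extra space), 2 if the bytes had to be copied (link(2) fails
 * with EXDEV across filesystems, or where links are unsupported), or -errno.
 * must_copy=1 is for the about-to-be-modified case: a link shares the inode. */
int preserve_file(const char *path, const char *backup, int must_copy)
{
    if (!must_copy && link(path, backup) == 0) return 1;
    int rc = copy_file(path, backup);
    return rc < 0 ? rc : 2;
}

/* Constructed self-check: write a sample "abc", preserve, unlink, verify. Returns preserve_file's code or -1. */
int demo_round_trip(int must_copy)
{
    const char *sample = "contents of abc before deletion\n"; /* constructed data */
    char src[64], dst[64], got[64] = {0};
    snprintf(src, sizeof src, "/tmp/abc.%d", (int)getpid());
    snprintf(dst, sizeof dst, "/tmp/abc.%d.bak", (int)getpid());
    unlink(src); unlink(dst);
    int fd = open(src, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, sample, strlen(sample)) < 0 || close(fd) != 0) return -1;
    int how = preserve_file(src, dst, must_copy);
    if (how < 0 || unlink(src) != 0) return -1;
    if ((fd = open(dst, O_RDONLY)) < 0 || read(fd, got, sizeof got - 1) < 0) return -1;
    close(fd); unlink(dst);
    return strcmp(got, sample) == 0 ? how : -1;
}
```

In the kernel this ordering is what matters: the backup must exist before the original unlink is allowed to proceed, and a failed backup must be treated as a reason to deny, not ignore, the call.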