I'm using a kernel module to hook system calls like sys_read(), sys_write() and so on. The way I'm hooking it is pretty much like this post.

Now I want to hook sys_clone() in the same way. What I can find from the source code is as follows.

long sys_clone(unsigned long, unsigned long, int __user *, int, int __user*)

First, I have no idea what those parameters mean. I tried to printk them to see. However, even when I tested with a program invoking plenty of clone() system calls, I didn't see any output from my_sys_clone(). Is that because clone() didn't call the sys_clone() I hooked at all? Or are there any special cases for hooking sys_clone()?

Grace Sun
    According to man clone (http://linux.die.net/man/2/clone) `clone()` actually calls `sys_clone`. That function is defined in `kernel/fork.c` using `SYSCALL_DEFINE5(clone)`, and just calls `do_fork()`, so you can extract parameters meaning from it. – Tsyvarev Jul 28 '15 at 12:10
  • @Tsyvarev Thanks a lot. I've read the parameters in SYSCALL_DEFINE5(clone). It's very helpful. But how does it go from sys_clone to SYSCALL_DEFINE5(clone)? Any interfaces? – Grace Sun Jul 28 '15 at 18:09
  • `SYSCALL_DEFINE5(clone)` is actually an implementation of the `sys_clone` function. As for the inability to hook the system call, check that you attempt to hook exactly that `clone` which is defined as a syscall: as you can see from `kernel/fork.c`, there are several compatible versions of clone, depending on the kernel's configuration. – Tsyvarev Jul 28 '15 at 18:27
  • @Tsyvarev It worked! So system calls like fork() and clone() can only be hooked through changing source code? Where can I see that SYSCALL_DEFINE5(clone) is the definition of sys_clone()? – Grace Sun Jul 30 '15 at 16:49
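Added example, not from the question, the comments or the kernel sources: a user-space C program that spawns a child through the raw clone syscall number, and separately through the raw fork number where the architecture has one, so that the path taken does not depend on which kernel entry glibc's wrappers pick. It uses only the first three clone arguments (clone_flags, newsp, parent_tidptr), whose positions are the same in the plain and CONFIG_CLONE_BACKWARDS variants of SYSCALL_DEFINE5(clone) in kernel/fork.c. The prototype quoted in the question, with an `int` before the last `int __user *`, is the CLONE_BACKWARDS ordering (tls before child_tidptr); the plain ordering has child_tidptr before tls, and CLONE_BACKWARDS2 swaps the first two arguments, so the example assumes x86 or arm/arm64 ordering and passes the two trailing arguments as zero. Run while the hook module is loaded, it shows which spawns a sys_clone hook actually observes: the first spawn enters sys_clone, while the second enters sys_fork on x86, a separate syscall-table entry that a hook on sys_clone never sees. The struct and function names are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>        /* CLONE_* flags */
#include <signal.h>       /* SIGCHLD: exit signal sent to the parent */
#include <stdio.h>
#include <sys/syscall.h>  /* SYS_clone, SYS_fork */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of one raw spawn (names are this example's own). */
struct spawn_result {
    long  pid;          /* value the syscall returned in the parent */
    pid_t reported_tid; /* TID the kernel stored via CLONE_PARENT_SETTID */
    int   exit_code;    /* child's exit status collected with waitpid() */
};

/* Spawn a child through the raw clone syscall, bypassing glibc's clone()
 * wrapper (which takes a function pointer and a separate stack).
 * Arguments in kernel order: clone_flags, newsp (0 = child continues on a
 * copy of the parent's stack, exactly what fork does), parent_tidptr.
 * The 4th and 5th arguments are child_tidptr and tls in the plain variant
 * of SYSCALL_DEFINE5(clone) and tls then child_tidptr under
 * CONFIG_CLONE_BACKWARDS; neither flag that uses them is set, so both are 0.
 * Assumes x86 or arm/arm64 ordering (CLONE_BACKWARDS2 swaps the first two).
 * Returns 0 on success, -1 if the syscall or waitpid() fails. */
static int spawn_via_raw_clone(int child_exit_code, struct spawn_result *out)
{
    pid_t tid = 0;
    long pid = syscall(SYS_clone,
                       (unsigned long)(SIGCHLD | CLONE_PARENT_SETTID),
                       0UL, &tid, 0UL, 0UL);
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: leave immediately, without running atexit handlers. */
        _exit(child_exit_code);
    }
    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) < 0)
        return -1;
    out->pid = pid;
    out->reported_tid = tid;
    out->exit_code = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return 0;
}

/* Spawn a child through the legacy fork syscall, which has its own
 * syscall-table entry (sys_fork) on x86 and therefore never enters sys_clone.
 * Returns the child's exit code, -1 on error, or -2 on architectures such as
 * arm64 whose syscall table has no fork entry at all. */
static int spawn_via_raw_fork(int child_exit_code)
{
#ifdef SYS_fork
    long pid = syscall(SYS_fork);
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_exit_code);
    int status = 0;
    if (waitpid((pid_t)pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
#else
    (void)child_exit_code;
    return -2;
#endif
}

int main(void)
{
    struct spawn_result r;
    if (spawn_via_raw_clone(7, &r) == 0)
        printf("raw clone: pid=%ld reported_tid=%d exit=%d\n",
               r.pid, (int)r.reported_tid, r.exit_code);
    else
        perror("raw clone");

    int rc = spawn_via_raw_fork(9);
    if (rc == -2)
        printf("raw fork: no SYS_fork on this architecture\n");
    else
        printf("raw fork: exit=%d\n", rc);
    return 0;
}
```

With the hook module loaded, a printk from the hooked sys_clone should appear for the first spawn only; if it appears for neither, the hooked entry is not the one this architecture's syscall table points at (for example a compat or differently ordered variant), which is the check the comments above suggest.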

0 Answers