Add system call "stealing" sample using kprobe handler #260
Conversation
Merge the proposed changes of file syscall-steal2.c
into syscall-steal.c
so that the content can appear in the book.
Reported by CI:
 * Alternatively, set USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL to 0 to use the old method.
 */
#define USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL 1
#endif
#include <linux/kprobes.h>
#else
#define HAVE_PARAM 1
Also, we need to add the other condition: the system is v5.9+ on the x86 arch without kprobe support.
Maybe we can tell the user they are unable to run this example.
Maybe defining USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL to 0 by default is enough because users may turn on this macro if they get stuck when hacking.
But the module will be broken if we have such a scenario.
Moreover, the user may be confused about this and start googling your question again.
I would suggest that you provide a more comprehensive explanation or relevant links (e.g., the stack overflow answer you mentioned).
Additionally, in the code, we can print out some warnings about this instead of using the wrong symbol.
examples/syscall-steal.c (outdated)
 * after commit 1e3ad78 since v6.9. This commit has been backported to long
 * term stable kernels, like v5.15, v6.1, v6.6 and v6.8. In this case, use a
 * hook on the syscall entry instead to intercept the syscall.
 * For more details, see https://stackoverflow.com/questions/78599971/hooking-syscall-by-modifying-sys-call-table-does-not-work/78607015#78607015.
The rationale for using Kprobe on the x86 architecture is informative. Could you move the description out of this file? Specifically, the text should appear in the LaTeX script so that readers can gain a deeper understanding before examining the kernel module source code.
Read https://cbea.ms/git-commit/ carefully and squash the git commits.
For x86 architecture, the system call table cannot be used to invoke a system call after commit 1e3ad78[1] since v6.9. This commit has been backported to long term stable kernels, like v5.15.154+, v6.1.85+, v6.6.26+ and v6.8.5+[2]. In this case, thanks to Kprobes, a hook can be used instead on the system call entry to intercept the system call.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e3ad78334a69b36e107232e337f9d693dcc9df2
[2] https://stackoverflow.com/a/78607015

Thanks @haodongnj for contributing!
The syscall-steal example doesn't work on my x86 laptops with kernel 6.1 on Debian and 5.15 on Ubuntu.
As mentioned in this answer on Stack Overflow, the syscall table is no longer used to invoke system calls on the x86 arch after this commit, which is backported to many LTS kernel versions. So maybe an extra example without using the syscall table can make it easy to understand the situation for beginners like me.
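An added example, not code from this PR or from the lkmpg repository: a userspace C program that applies the version gate stated in the proposed commit message above (mainline v6.9 after commit 1e3ad78, plus the stable backports 5.15.154, 6.1.85, 6.6.26 and 6.8.5) and the reviewer's point that an x86 kernel which no longer dispatches through sys_call_table and also lacks kprobe support cannot run the sample at all. The struct, enum and function names are assumptions for illustration, the version comparison is this program's own rather than the kernel's KERNEL_VERSION macro, and the uname strings at the bottom are constructed sample input.

```c
/*
 * Added example (not part of the lkmpg PR): decide, for a given kernel
 * version, whether the sys_call_table "stealing" method still works on
 * x86 or whether a Kprobe on the syscall entry is required.
 *
 * Thresholds are the ones quoted in the PR discussion: mainline v6.9
 * plus the stable backports 5.15.154, 6.1.85, 6.6.26 and 6.8.5.
 * Kernels outside those series (e.g. 6.0.x, 6.7.x, 5.10.x) keep
 * dispatching through the table.
 */
#include <stdbool.h>
#include <stdio.h>

struct kver { int major, minor, patch; };

enum hook_method {
    HOOK_SYSCALL_TABLE, /* patch sys_call_table directly (old method) */
    HOOK_KPROBE_ENTRY,  /* Kprobe pre-handler on the syscall entry */
    HOOK_UNSUPPORTED,   /* table is bypassed and CONFIG_KPROBES is off */
};

/* Stable series that received the backport, with the first affected patch level. */
static const struct kver first_affected_stable[] = {
    {5, 15, 154}, {6, 1, 85}, {6, 6, 26}, {6, 8, 5},
};

/* Lexicographic compare of (major, minor, patch): <0, 0 or >0. */
static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* True if this x86 kernel still invokes system calls through sys_call_table. */
bool x86_syscall_table_used(struct kver v)
{
    size_t n = sizeof(first_affected_stable) / sizeof(first_affected_stable[0]);

    if (kver_cmp(v, (struct kver){6, 9, 0}) >= 0)
        return false; /* mainline v6.9 and later: commit 1e3ad78 is in */
    for (size_t i = 0; i < n; i++) {
        const struct kver *s = &first_affected_stable[i];
        if (v.major == s->major && v.minor == s->minor)
            return v.patch < s->patch; /* inside a backported series */
    }
    return true; /* series without the backport */
}

/* Pick the hooking method; only x86 lost the table-based dispatch. */
enum hook_method choose_hook_method(bool is_x86, bool has_kprobes, struct kver v)
{
    if (!is_x86 || x86_syscall_table_used(v))
        return HOOK_SYSCALL_TABLE;
    return has_kprobes ? HOOK_KPROBE_ENTRY : HOOK_UNSUPPORTED;
}

/* Parse a "uname -r" style string such as "6.1.85-1-amd64"; false on failure. */
bool parse_uname_release(const char *s, struct kver *out)
{
    out->major = out->minor = out->patch = 0;
    return sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch) >= 2;
}

int main(void)
{
    /* Constructed sample release strings, not real machine output. */
    const char *samples[] = {
        "6.1.85-1-amd64", "6.1.84-1-amd64", "5.15.153", "5.15.154",
        "6.0.19", "6.9.0", "6.10.1", "5.15.0-105-generic",
    };
    static const char *names[] = { "sys_call_table", "kprobe on entry", "unsupported" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct kver v;
        if (!parse_uname_release(samples[i], &v))
            continue;
        printf("%-20s x86+kprobes: %-16s x86 without kprobes: %s\n", samples[i],
               names[choose_hook_method(true, true, v)],
               names[choose_hook_method(true, false, v)]);
    }
    return 0;
}
```

The last sample shows the limit of a version check alone: a distribution kernel such as Ubuntu's 5.15.0-NNN does not carry the upstream sublevel in its release string, so the program reports the table method even though the PR author saw the sample fail on exactly such a 5.15 kernel. That is the reason the discussion leans on a compile-time macro the user can flip (USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL) rather than on detecting the backport at build time.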