ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi every body,
I'm developping an application that acts like a firewall with several
modules.
One of these modules should detect new processes, block them and inform the user who will accept or deny the new process. An appropriate signal is then sent to the process (SIGKILL or SIGCONT).
The problem is how to detect these new processes?
I've crated a program that reads the /proc directory when the application is just run, saves the actual processes in a table and then loops forever doing the folowing steps:
read /proc and get a list of actual processes;
compare this list with that caught in the beginning;
if there is more processes, read both lists and catch the new one
inform the user
get answer and act accordingly
update process list
the code for reading actual processes looks like this:
int proc_list[];
struct dirent *ent ;
DIR *proc ;
int i = 0 ;
proc = opendir ("/proc") ;
while (ent = readdir (proc))
if (isdigit (ent->d_name))
{
proc_list[i] = atoi(ent->dname);
i++;
}
close (proc) ;
Detecting processes this way works, but repeating in infinitely is resources consuming.
So, please does any body have another idea of how to do this resources friendly?
I do believe you'll have to hack the kernel. Maybe make a modification to the clone() routine to have it send a signal to a specified kernel module, then write that kernel module. Your firewall probably needs a kernel component anyway, doesn't it?
Hi everybody,
Yes, my firewall needs a kernel module. But when trying to implement this module, I got some surprises. The idea is the following.
We know that all processes are created by a call to the a function from the exec() family. These functions call, somehow, the execve() system call. So, the solution would be to hack the execve() syscall so that it informs me about the new process creation. The problem is that when I implement this module, compile it and run it, all what I get is a system freeze! The running processes keep running but for new ones I get a “process stopped” message. Note that when I hack another syscall, let’s say sys_chdir, it works fine and I get informed about all directory changes.
I googled for an answer and learned that the execve() is a special syscall since it can’t be delegated.
So I tried another solution. I hacked the sys_mkdir so that I get informed about all directories created in the /proc (because for each new process, the system created a separate directory in /proc with the pid of that process as directory name). The result, I get informed about all directories creation except those created in /proc!
Here is the code I used to hack the sys_mkdir:
/* this function will store the original mkdir function */
asmlinkage int ( *original_sys_call )( const char *, int );
/*this is the hackes function */
asmlinkage int custom_sys_call( char *path, int m )
{
printk( KERN_INFO "'%s': directory created in (%s)\n", MODULE_NAME, path );
/* Call the original system call to maintain functionality */
return original_sys_call( path, m );
}
int init_module()
{
/* Store reference to the original system call */
original_sys_call = sys_call_table[ __NR_mkdir ];
/* Manipulate sys_call_table to call custom_sys_call instead of original_sys_call */
sys_call_table[ __NR_mkdir ] = custom_sys_call;
return 0;
}
/* This function is called when the module is unloaded */
void cleanup_module()
{
So, my questions are:
1. Is there any method to get the execve() system call delegated?
2. Since the mkdir doesn’t inform me about directories created in /proc, I guess the system uses some other system call to create these directories. Can anyone help me please to catch this system call?
Thanks.
We know that all processes are created by a call to the a function from the exec() family.
Um, I know nothing about hacking the kernel except that you're going to have to do that.
But I would submit that processes are created not as a result of a call from the exec() family, but as a result of a fork() or vfork() call. You might still have to focus on the exec() style calls, but I'm just sayin'.
Thanks wje_lq,
Yes, I think I didn't express it as it should be. Processes are created by calling the fork() or vfork() function that will create an exact copy of the caller process. This exact copy is replaced by the new process image when calling the exec() function.
I tried to catch the fork() and vfork() but I get nothing intersting. I create as much processes as I want without being informed by the system.
Maybe you can set an inotify-watch on /proc, so you only need to scan /proc/[0-9]* when a new PID is created.
I never tried to use inotify myself, but if I understand it correctly it can even tell you what has changed in /proc. Then you don't need to scan /proc/[0-9]* at all..
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.