How to intercept all the system calls
Now I want to intercept all the system calls (in Linux 2.4 or above), and I want to implement it in LSM. Maybe I can modify the pointers of the sys_call_table to implement it, but I think it is not the best solution. I mean I can mediate all the system calls and get all information about them before they actually occur. I know little about the LSM hook functions. Thanks.
System calls
Hya there,
This could give you a hint. http://uberhip.com/godber/intercepti.../slide_13.html Have phun,
Thanks, but......
First of all, I am very thankful to anacOndazz for your reply, but I think I have not expressed my idea clearly. Indeed that is a good idea to implement it. But I need a unique entry to intercept all the system calls, not like that, one by one. I mean to intercept it just before really entering a system call (just before the occurrence of sys_*). To say it in detail in code (entry.S):
    ENTRY(system_call)
        pushl %eax                                  # save orig_eax (the syscall number)
        SAVE_ALL                                    # save the remaining user registers
        GET_CURRENT(%ebx)                           # %ebx = current task_struct
        cmpl $(NR_syscalls),%eax
        jae badsys                                  # syscall number out of range
        testb $0x02,tsk_ptrace(%ebx)                # PT_TRACESYS set for this task?
        jne tracesys                                # (I wish I could intercept and pause it at this point; it seems to be quite difficult to you)
        call *SYMBOL_NAME(sys_call_table)(,%eax,4)  # dispatch to the sys_* handler
        movl %eax,EAX(%esp)                         # store the return value for the user
    ENTRY(ret_from_sys_call)

In a word, I want to pause a system call just after it has saved all the information about the system call in registers, and before the occurrence of "call *SYMBOL_NAME(sys_call_table)(,%eax,4)", but I do not want to recompile the kernel. (It seems like it is impossible.)
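The pause point the listing above is looking for (after SAVE_ALL, before the call through sys_call_table) is exactly what the tracesys branch gives a ptraced task. As an added example that is not part of this thread, the following user-space C program uses PTRACE_SYSCALL to stop a child at every system-call entry and read the saved syscall number, with no kernel recompile; it assumes Linux on x86 or x86_64, and demo_body is a constructed workload.

```c
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* If the stopped tracee is at a syscall entry, return the number it is about
   to run (orig_eax, orig_rax on x86_64: the %eax pushed before SAVE_ALL).
   At entry the kernel has preset eax/rax to -ENOSYS; otherwise return -1. */
static long entry_syscall(pid_t pid) {
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
#ifdef __x86_64__
    return (long)regs.rax == -ENOSYS ? (long)regs.orig_rax : -1;
#else
    return (long)regs.eax == -ENOSYS ? (long)regs.orig_eax : -1;  /* i386 */
#endif
}
/* Fork, run body() as a traced child and pause it at every syscall entry (the
   tracesys path in entry.S). Returns how many entries had number nr, else -1. */
long count_syscall_entries(long nr, void (*body)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);                /* let the parent set options first */
        body();
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    /* Syscall-stops now arrive as SIGTRAP|0x80, distinct from a real SIGTRAP. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    long count = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80) &&
            entry_syscall(pid) == nr)
            count++;
    }
    return count;
}
/* Constructed workload: five explicit getpid syscalls. */
void demo_body(void) { for (int i = 0; i < 5; i++) syscall(SYS_getpid); }
```

At each entry stop the tracee is parked before the sys_* handler runs, so the same loop can log, deny (by rewriting the syscall number) or delay the call.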