Hey all. So i'm creating a program for linux using C programming and was wondering if its possible to alter a current system call to receive an argument from a user level program. If so, is there any specific way of doing so?
Thanks all!

Hi.
Could you please provide some example of what you'd like to do.
As I understand, system calls (e.g. open, read, write) is a user-level interface to kernel, so they always recieve an argument from a user-level program. You want to pass some additional arguments? Anyway, to alter a system call you probably should alter kernel code.

I would like to block the open system call until a certain program (that i have created) is run. This open system call is only to be blocked when the user chooses a certain state.

Almost all system calls are issued by (shared) libraries that have been loaded by the applications in question. Usually there are "debug" versions of those libraries, or you can simply roll one of your own.

I would highly, highly advise against even attempting to think about modifying the open system call.

While adding a new system call that did what you want is a technical possibility, I would also highly recommend against that.

Why don't you just wait until the external condition is met in your program, and THEN call open?

If that's not an option, then perhaps you can implement a pseudo device (in the kernel) that implements its own open method, which does what you want.

Root-kit, innit?

So.. maybe i should clearly state what my intent is. I am trying to block the open system call whenever it is invoked in order to stop files within a directory from being altered (written to, deleted, moved etc.) before a backup is made.
Therefore for example:

If a user chooses option 1 in the user level program.
Then if someone writes to a file, the open system call has to be invoked.
The open system call is first blocked.
A user level program then creates a backup of that file/directory.
The open system call resumes.

If a user chooses option 2 in the user level program, then the open system call should not be blocked, no backup should be created and the user continues as usual.

> Then if someone writes to a file, the open system call has to be invoked.

Not necessarily, it may have been opened beforehand... If it really is a backup-problem, then perhaps you should remount the whole affected partition read-only before you start the backup.

I'm just curious - is there any way to do what he's suggesting (tamper with kernel code) using a kernel module?

Yes -- that's a way how a 'trojan horse' corrupts a system.

Don't want to hijack the thread, but - how exactly does it work? What exactly does inserting a kernel module DO?

When a kernel module is loaded, it becomes part of the kernel, so it can do virtually anything: for example can redirect system-calls to itself, and that way it can hide files/processes from any user-land programs, for example.

No no, I am more interested in the specifics - how exactly does a module "insert", i.e. how exactly are the capabilities of int 80h extended?

Hi Reset, you can read the manpage for the insmod(8) command to get a basic idea.

or google for "rootkit", "linux" and "kernel module"... it is rather off-topic here