2
votes

I am trying to implement functionality in a linux 2.6.32.60 x86 kernel that would allow me to block all system calls based on a field I added in the task struct. This would basically be of the form:

struct task_struct *ts = current;   /* the task making the call */
if (ts->added_field == 0) {
    /* do system call normally */
} else {
    /* don't do system call */
}

I was wondering if I should do this directly in entry_32.S or if I would be able to modify the way the syscall table is called elsewhere. The problem with directly modifying entry_32.S is that I don't know if I can access the task struct that is making the call.

Thanks for the help!

2
Since you are customizing your kernel, why don't you choose a more recent one (e.g. 3.11)? BTW, you'll need some system call to modify the added_field... And you might ask on kernelnewbies.org... – Basile Starynkevitch
Thanks, I do have a system call to modify added_field already. And unfortunately I am limited to a 2.6.32 kernel. And thank you for the link. I am indeed a kernel newbie, so it may be better to ask on there. – Aqua Tot
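As an added illustration (not code from the question or either answer): a user-space model of how the 2.6.32 x86 slow path can gate a syscall on a per-task field without editing entry_32.S. It assumes the 2.6.32 layout where entry_32.S presets eax to -ENOSYS, calls syscall_trace_enter() in arch/x86/kernel/ptrace.c only when a _TIF_WORK_SYSCALL_ENTRY flag is set, and treats a returned -1 as an out-of-range number; `added_field`, `TIF_SYSCALL_BLOCKCHECK`, the three stand-in syscalls and `run_as()` are constructed for this model.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model of the 2.6.32 x86 syscall slow path; not kernel code. */
#define NR_SYSCALLS 3
#define TIF_SYSCALL_BLOCKCHECK 0x1   /* hypothetical work flag that forces the slow path */

struct task_struct {
    unsigned long tif_flags;  /* stands in for thread_info->flags */
    int added_field;          /* the asker's per-task gate: 0 = allow, nonzero = block */
};
struct pt_regs { long orig_ax; long ax; };

static struct task_struct *current;   /* the kernel's per-CPU `current`; one global here */

/* Stand-in syscalls so the table is real. */
static long sys_getpid(struct pt_regs *r)  { (void)r; return 4242; }
static long sys_getuid(struct pt_regs *r)  { (void)r; return 1000; }
static long sys_getppid(struct pt_regs *r) { (void)r; return 1; }
typedef long (*sys_call_ptr_t)(struct pt_regs *);
static sys_call_ptr_t sys_call_table[NR_SYSCALLS] = { sys_getpid, sys_getuid, sys_getppid };

/* Model of syscall_trace_enter(): `current` is valid here (it is where seccomp's
 * secure_computing() also runs). Returning -1 makes the caller skip dispatch. */
static long syscall_trace_enter(struct pt_regs *regs)
{
    if (current->added_field != 0)
        return -1L;                   /* block: out-of-range number => -ENOSYS */
    return regs->orig_ax;             /* pass the original number through */
}

/* Model of the entry_32.S dispatch sequence. */
long do_syscall(struct pt_regs *regs)
{
    long nr = regs->orig_ax;
    regs->ax = -ENOSYS;                            /* movl $-ENOSYS,PT_EAX(%esp) */
    if (current->tif_flags & TIF_SYSCALL_BLOCKCHECK)
        nr = syscall_trace_enter(regs);            /* slow path only if a work flag is set */
    if ((unsigned long)nr >= NR_SYSCALLS)          /* cmpl $(nr_syscalls),%eax; jnae */
        return regs->ax;                           /* syscall_badsys: leave -ENOSYS */
    regs->ax = sys_call_table[nr](regs);
    return regs->ax;
}

/* Run syscall `nr` on behalf of a task with the given flags and added_field. */
long run_as(unsigned long tif_flags, int added_field, long nr)
{
    struct task_struct t = { tif_flags, added_field };
    struct pt_regs regs = { nr, 0 };
    current = &t;
    return do_syscall(&regs);
}
```

The last case worth checking is a task whose added_field is set but which has no work flag: the fast path never consults the field, so the kernel-side change must also set a work flag (or reuse an existing one) on that task.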

2 Answers

2
votes

The kernel already has a very similar feature, called seccomp (LWN article). You may want to consider basing your feature off of this, rather than implementing something new.

2
votes

If I were to do this, I'd hook into __kernel_vsyscall() and just stop the dispatch if the task structure so indicated per your logic above.

Specifically, arch/i386/kernel/vsyscall-sysenter.S is shared among every process's address space and is the entry point through which all syscalls go. This is the spot just before the actual syscall is dispatched and, in my opinion, the place to put your hook. You are in the process's address space, so you should have access to mm->current for your task structure. (See also arch/sh/kernel/vsyscall/vsyscall.c)