syscall_intercept
example.c does not work
I am trying to intercept a few syscalls, and I decided to run the example.c listed in the README to see if it works.
#include <libsyscall_intercept_hook_point.h>
#include <syscall.h>
#include <errno.h>

static int
hook(long syscall_number,
		long arg0, long arg1,
		long arg2, long arg3,
		long arg4, long arg5,
		long *result)
{
	if (syscall_number == SYS_getdents) {
		/*
		 * Prevent the application from
		 * using the getdents syscall. From
		 * the point of view of the calling
		 * process, it is as if the kernel
		 * would return the ENOTSUP error
		 * code from the syscall.
		 */
		*result = -ENOTSUP;
		return 0;
	} else {
		/*
		 * Ignore any other syscalls
		 * i.e.: pass them on to the kernel
		 * as would normally happen.
		 */
		return 1;
	}
}

static __attribute__((constructor)) void
init(void)
{
	// Set up the callback function
	intercept_hook_point = hook;
}
$ cc example.c -lsyscall_intercept -fpic -shared -o example.so
$ LD_LIBRARY_PATH=. LD_PRELOAD=example.so ls
However, ls works. It shows everything under the current directory.
I am using Ubuntu 22.04.2 LTS.
Could anyone help me with that?
And I tried to print the syscall number, and it shows that only syscall number 231 has been called. It's SYS_exit_group.
Does anyone know what's going on?
@mycastiel Hi, I face the same problem. It turns out ls does not involve the getdents() syscall but rather getdents64(); see running strace on ls:
...
getdents64(3, /* 162 entries */, 32768) = 7472
getdents64(3, /* 0 entries */, 32768) = 0
...
So if you change the SYS_getdents to SYS_getdents64 in the example, then it will perfectly intercept.
cc@uc-inst-1:~/syscall_intercept/test$ LD_LIBRARY_PATH=. LD_PRELOAD=example.so ls
ls: reading directory '.': Operation not supported
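Added example (not from the issue thread or the project's README): a variant of the README hook that denies both directory-reading syscalls, since a filter keyed only on `SYS_getdents` misses the `getdents64` calls seen in the strace output above. The `WITH_SYSCALL_INTERCEPT` build macro and the `is_dirent_syscall` helper are names introduced here as assumptions.

```c
/* Added example, not the project's code: deny every getdents variant. */
#include <errno.h>
#include <sys/syscall.h>

/* Assumption: WITH_SYSCALL_INTERCEPT is a macro chosen for this example.
 * Build the preload library with:
 *   cc -DWITH_SYSCALL_INTERCEPT example.c -lsyscall_intercept -fpic -shared -o example.so
 */
#ifdef WITH_SYSCALL_INTERCEPT
#include <libsyscall_intercept_hook_point.h>
#endif

/* Hypothetical helper: 1 if nr is a syscall that reads directory entries. */
static int
is_dirent_syscall(long nr)
{
#ifdef SYS_getdents	/* legacy number; not defined on every architecture */
	if (nr == SYS_getdents)
		return 1;
#endif
	return nr == SYS_getdents64;	/* the call ls made in the strace output */
}

static int
hook(long syscall_number,
	long arg0, long arg1,
	long arg2, long arg3,
	long arg4, long arg5,
	long *result)
{
	(void)arg0; (void)arg1; (void)arg2;
	(void)arg3; (void)arg4; (void)arg5;

	if (is_dirent_syscall(syscall_number)) {
		*result = -ENOTSUP;	/* caller sees "Operation not supported" */
		return 0;		/* handled here, do not enter the kernel */
	}
	return 1;			/* pass everything else on to the kernel */
}

#ifdef WITH_SYSCALL_INTERCEPT
static __attribute__((constructor)) void
init(void)
{
	intercept_hook_point = hook;
}
#endif
```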