Re: Q on audit, audit-syscall

[Herbert Rosmanith]

> On Apr 5, 2006, at 08:06:30, Herbert Rosmanith wrote:
> >> On Wed, Apr 05, 2006 at 01:27:03PM +0200, Herbert Rosmanith wrote:
> >>>
> >>> good afternoon,
> >>>
> >>> I'm searching for a way to trace/intercept syscalls, both before  
> >>> and after execution. "ptrace" is not an option (you probably know  
> >>> why).
> >>
> >> Does strace do what you are asking for?
> >
> > as I said, "ptrace" is not an option.
> 
> Why not, exactly?  (No, we don't know why).

according to the man-page:

RETURN VALUES
     EPERM   The specified process [...] is already being traced.

this makes it unusable for me.

>  ptrace is _the_ Linux  mechanism to trace and intercept syscalls.
>
> There is no other way.

"there is no other way": [1,2,3,4]

regards,
h.rosmanith

[1] http://www.uniforum.chi.il.us/slides/HardeningLinux/LAuS-Design.pdf
[2] http://www.usenix.org/publications/library/proceedings/als01/full_papers/edwards/edwards.pdf
[3] http://www.citi.umich.edu/u/provos/papers/systrace.pdf
[4] http://www.nsa.gov/selinux/papers/freenix01.pdf
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/