Replacing System Calls in 2.6 (opinions from the kernel hackers here?)
Hey all,
So it's been a while since I posted. In what little time I've had for personal projects I've been doing a lot of reading. I'll probably get back to actual coding pretty soon (this is still part of my very long-term project to make my own distro) - and one snag I'm gonna have to solve pretty early on is replacing some system calls. It used to be nice and easy, apparently (and I got my hopes up before finding out about this change), but the system call table is no longer exported (as of 2.6).
I've been looking around, and it sounds like I have a few other options. If you have any opinions - please share! Despite all the reading, I still feel very new to this. Also, if I'm missing a good solution, please let me know.
1. There's a kernel patch that will export the table anyway, but I'd really like to avoid the idea of needing a recompiled kernel in order to actually use this part of my code. Doing this part at run-time is a big priority of mine - so I hope it's possible.
2. I've seen several algorithms for calculating the location of the call table. It's extremely hacky, and only works on x86 (not that I care about that part, really). Any opinions on this? I haven't tried it, but would that be reliable? I'm okay with hacky code as long as it's reliable! (edit: after some more searching I've found that this is NOT reliable. Some of the items used in tracking down the call table have moved, and I'm sure any future similar algorithm would have the same vulnerability)
3. I've heard a couple of people recommend security modules for intercepting system calls, but haven't heard much about them before. Is this worth investigating further? To me it sounds like the hooks just let you know when a system call is called. It doesn't actually let you override that call entirely. Am I wrong? And if so, what do you recommend for learning about them? Online information seems to be scarce in that area.
Thanks for any advice!
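An added illustration of option 2 above (this is example code written for this page, not code from the original poster). The classic 32-bit trick reads the IDT with `sidt`, follows the int 0x80 gate to the `system_call` entry stub, and scans the first bytes of that stub for the dispatch instruction `call *sys_call_table(,%eax,4)`, which assembles to `ff 14 85` followed by the 32-bit address of the table. The IDT half needs ring 0, so it is described only in comments here; the scanning half runs as ordinary userspace C over two constructed byte buffers: a hand-assembled approximation of a 2.6 i386 entry stub (not a real dump; the table address 0xc02de7d0 is made up) and a similarly constructed x86-64 stub, where the same dispatch uses 8-byte entries and assembles to `ff 14 c5`, so the i386 scanner correctly finds nothing. That second buffer is one concrete instance of what the poster's edit describes: the heuristic is tied to the exact code the assembler emitted for the entry path, and any change there breaks it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Scanning step of the "calculate sys_call_table at run time" trick.
 * On 32-bit x86 the 2.6 entry path (arch/i386/kernel/entry.S) dispatches
 * a syscall with
 *
 *     call *sys_call_table(,%eax,4)
 *
 * which assembles to  ff 14 85 <disp32>, disp32 being the absolute address
 * of sys_call_table.  In a module the handler address comes from IDT gate
 * 0x80 (read the IDT base with sidt, then decode the gate); that part needs
 * ring 0 and is replaced below by constructed byte buffers.
 */

#define SCAN_WINDOW 256           /* how far into the handler to look */
#define CALL_SIB_EAX4_LEN 7       /* ff 14 85 + 4-byte displacement */

/* Scan CODE for "call *disp32(,%eax,4)"; return 1 with the displacement in
 * *table, or 0 if the pattern is absent from the first SCAN_WINDOW bytes. */
int find_sys_call_table(const unsigned char *code, size_t len, uint32_t *table)
{
    static const unsigned char pattern[3] = { 0xff, 0x14, 0x85 };
    size_t limit = len < SCAN_WINDOW ? len : SCAN_WINDOW;
    size_t i;

    for (i = 0; i + CALL_SIB_EAX4_LEN <= limit; i++) {
        if (memcmp(code + i, pattern, sizeof pattern) != 0)
            continue;
        /* disp32 is little-endian; assemble it byte by byte so the result
         * does not depend on the host's endianness. */
        *table = (uint32_t)code[i + 3]
               | (uint32_t)code[i + 4] << 8
               | (uint32_t)code[i + 5] << 16
               | (uint32_t)code[i + 6] << 24;
        return 1;
    }
    return 0;
}

/* Convenience wrapper: the table address, or 0 when the scan fails. */
uint32_t table_from(const unsigned char *code, size_t len)
{
    uint32_t table = 0;
    return find_sys_call_table(code, len, &table) ? table : 0;
}

/* CONSTRUCTED sample: hand-assembled approximation of the i386 system_call
 * stub (push %eax; SAVE_ALL; GET_THREAD_INFO; trace/bounds checks; dispatch).
 * Not a dump of a real kernel; 0xc02de7d0 is a made-up table address. */
static const unsigned char sample_i386[] = {
    0x50,                                                       /* pushl %eax */
    0xfc, 0x06, 0x1e, 0x50, 0x55, 0x57, 0x56, 0x52, 0x51, 0x53, /* SAVE_ALL */
    0xba, 0x7b, 0x00, 0x00, 0x00,             /* movl $__USER_DS,%edx */
    0x8e, 0xda, 0x8e, 0xc2,                   /* movl %edx,%ds ; movl %edx,%es */
    0xbd, 0x00, 0xe0, 0xff, 0xff,             /* movl $-8192,%ebp */
    0x21, 0xe5,                               /* andl %esp,%ebp */
    0xf6, 0x45, 0x08, 0xc1,                   /* testb $mask,TI_flags(%ebp) */
    0x75, 0x20,                               /* jnz syscall_trace_entry */
    0x3d, 0x17, 0x01, 0x00, 0x00,             /* cmpl $nr_syscalls,%eax */
    0x73, 0x1c,                               /* jae syscall_badsys */
    0xff, 0x14, 0x85, 0xd0, 0xe7, 0x2d, 0xc0, /* call *0xc02de7d0(,%eax,4) */
    0x89, 0x44, 0x24, 0x18,                   /* movl %eax,EAX(%esp) */
};

/* CONSTRUCTED sample of the same dispatch on x86-64, where the table holds
 * 8-byte entries:  call *sys_call_table(,%rax,8)  assembles to  ff 14 c5.
 * The SIB byte differs, so the i386 scanner finds nothing here. */
static const unsigned char sample_x86_64[] = {
    0x48, 0x3d, 0x17, 0x01, 0x00, 0x00,       /* cmpq $nr_syscalls,%rax */
    0x77, 0x10,                               /* ja badsys */
    0xff, 0x14, 0xc5, 0x00, 0x50, 0x60, 0x80, /* call *-0x7f9fb000(,%rax,8) */
    0x48, 0x89, 0x44, 0x24, 0x50,             /* movq %rax,RAX(%rsp) */
};

int main(void)
{
    uint32_t table;

    if (find_sys_call_table(sample_i386, sizeof sample_i386, &table))
        printf("i386 stub:   sys_call_table at 0x%08x\n", table);
    else
        printf("i386 stub:   pattern not found\n");

    if (find_sys_call_table(sample_x86_64, sizeof sample_x86_64, &table))
        printf("x86-64 stub: sys_call_table at 0x%08x\n", table);
    else
        printf("x86-64 stub: pattern not found (different SIB byte)\n");
    return 0;
}
```

Two practical notes on using this kind of scan for real: a fixed three-byte opcode pattern can also match an unrelated instruction inside the window, so whatever it returns should be sanity-checked (the `sys_call_table` entry in the running kernel's System.map, when you have one, is the obvious thing to compare against), and the value is only a starting point, since the table on 2.6 may sit in memory that is not writable without further work.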