> This sounds like an LSM, possibly with a component which communicates
> with userspace, depending on how sophisticated "verify" needs to be.
Yes, the component *should* communicate with the userspace. The
sophistication of "verify" varies from user to user. The tool will
provide a few procedures
(where afaik seccomp blocks mostly all of them), but what
I am willing to do here is not *reinvent* the wheel, I am willing to
make things a bit more configurable, where a user has access to an API
where he could write custom procedures to run on the interception side,
without having to dig th
at the syscall audit facility?
I have not. Are you talking about auditctl?
On 06/28/2017 06:19 PM, valdis.kletni...@vt.edu wrote:
> On Wed, 28 Jun 2017 17:48:15 -0300, Ben Mezger said:
>> Can the kernel keep track of all the system calls that were called by an
>> application/m
Can the kernel keep track of all the system calls that were called by an
application/module in real-time?
I know I can statically use strace, or even gdb, but I am looking for a
solution in real time when the application/module is already running and
the user has no control over it.
I am not sure
The way I do it is by compiling the kernel as I would normally do for a
real system.
Then, after copying vmlinuz and generating my initramfs, I run Qemu:
$ qemu-system-x86_64 -kernel vmlinuz -initrd initramfs.img -append param1=value1
For me, as I am mostly testing, there is no need for a full-fea