intercepting file system system calls
As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:
https://github.com/cormander/tpe-lkm
Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls function inside security.c. I haven't tried this on linux > 3.0 yet, but the same basic concept should still work.
It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.
Android file system hooks
You can use the FileObserver class:
"Monitors files (using inotify) to fire an event after files are accessed or changed by any process on the device (including this one). FileObserver is an abstract class; subclasses must implement the event handler onEvent(int, String)."
http://developer.android.com/reference/android/os/FileObserver.html
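An added example (not from the answer above or the Android docs) of using that class to watch one directory for integrity-relevant changes; the class name ConfigDirWatcher and the log tag are assumptions.

```java
import android.os.FileObserver;
import android.util.Log;

import java.io.File;

/** Logs write, create, delete, rename and metadata events under one directory (constructed example). */
public final class ConfigDirWatcher extends FileObserver {
    private static final String TAG = "ConfigDirWatcher";

    // Only the events that matter for change monitoring; ALL_EVENTS also reports every open/access.
    private static final int MASK = CLOSE_WRITE | CREATE | DELETE | MOVED_FROM | MOVED_TO | ATTRIB;

    private final String root;

    public ConfigDirWatcher(File dir) {
        // The directory must already exist when the observer is created, or nothing is reported.
        super(dir.getAbsolutePath(), MASK);
        this.root = dir.getAbsolutePath();
    }

    @Override
    public void onEvent(int event, String path) {
        // inotify sets extra flag bits above ALL_EVENTS (e.g. the directory flag); strip them
        // before comparing. path is relative to the watched directory and may be null.
        int kind = event & ALL_EVENTS;
        String target = (path == null) ? root : root + "/" + path;
        switch (kind) {
            case CLOSE_WRITE: Log.w(TAG, "written: " + target); break;
            case CREATE:      Log.w(TAG, "created: " + target); break;
            case DELETE:      Log.w(TAG, "deleted: " + target); break;
            case MOVED_FROM:
            case MOVED_TO:    Log.w(TAG, "renamed: " + target); break;
            case ATTRIB:      Log.w(TAG, "metadata changed: " + target); break;
            default:          Log.d(TAG, "other event 0x" + Integer.toHexString(kind) + ": " + target);
        }
    }
}
```

Keep a strong reference to the instance (for example a field in a long-lived Service) and call startWatching() on it; a FileObserver that gets garbage collected stops delivering events.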
Hooking sys_send
After some more hours of searching, I finally found that sys_send is defined in Linux/net/socket.c through the macro

    SYSCALL_DEFINE4(send, int, fd, void __user *, buff, size_t, len,
                    unsigned int, flags)
    {
            return sys_sendto(fd, buff, len, flags, NULL, 0);
    }

It is then possible to simply hook sys_sendto using __NR_sendto and check for the NULL argument to know if the call was originally send or sendto.
Where does the do_generic_file_read() function sleep in case page is not found in inode's cache?
The do_mpage_readpage function creates a bio structure to get the data from the disk blocks and submits it for I/O.

    do_mpage_readpage
    ..
        mpage_bio_submit(READ, bio)
    ..

When the bio is submitted, control returns to the do_generic_file_read() function and then the lock_page_killable() function is called, which waits on the uptodate bit of the page.

    do_generic_file_read()
    ...
        if (!PageUptodate(page)) {
            error = lock_page_killable(page);   <<<<<<<< it sleeps here
    ...

Once the I/O is completed from the device, mpage_end_io() is called as the return handler (as we have filled bio->bi_end_io = mpage_end_io while submitting the I/O). In case of a read, this marks the pages for which the bio was sent as Uptodate and the unlock_page() function is called. This function wakes up the control which was waiting for the page to become up to date.

    mpage_end_io
    ...
        unlock_page(page);   <<< this wakes up the waiting do_generic_file_read
    ...