Intercepting File System System Calls

intercepting file system system calls

As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:

https://github.com/cormander/tpe-lkm

Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls function inside security.c. I haven't tried this on linux > 3.0 yet, but the same basic concept should still work.

It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.

how to intercept calls to the file systems

Using LD_PRELOAD, you can have your intercepting code run in the callee's memory space. Using a library constructor function (__attribute__((constructor))), you can have code of your choosing run when the library first starts up, e.g. mmaping your virtual filesystem and initializing it.

Then, when you intercept the calls with your preloaded library, the library's functions are running in the target process, with access to the constructed filesystem -- no need for IPC.

If the calling process must manage the filesystem, you'll incur overhead communicating to it. I'd recommend mapping the important parts of the filesystem in the child process (perhaps as a shared memory region), and instead using a listener in the child to watch for filesystem changes from the parent (with suitable locking around your filesystem operations). You can do the change notification with a simple pipe as the bandwidth requirements are lower.

Also check out Plash, a paravirtualizing system which sandboxes filesystem access by providing a modified Glibc.

How to correctly intercept system calls in the Linux kernel 5.*?

There is no correct way to do this.

LSM (Linux Security Modules) doesn't support system calls interception,
with LSMs you need the implemented some of the functions listed at lsm_hooks_defs.h.

There are two alternatives ways to intercept system calls which I'm aware of:

Hook the sys_call_table which can be obtained, and overwrite the pointers with your new function:

unsigned long *sys_call_table_ptr = kallsyms_lookup_name("sys_call_table");
unsigned long cr0 = read_cr0();
write_cr0(cr0 & ~x86_CR0_WP);
sys_call_table_ptr[__NR_getpid] = new_getpid;
write_cr0(cr0);

Using kprobe: Syscall functions name expands with the prefix __do_sys_ (see __SYSCALL_DEFINEx).
For example, kprobe on __do_sys_finit_module (or any other syscall you want) as follow:

static struct kprobe kp = {
    .symbol_name    = "__do_sys_finit_module",
};

static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
    // do your logic
    // obtain function arguments using register (calling convetion)
}

static int __init kprobe_init(void)
{
    kp.pre_handler = handler_pre;
    ret = register_kprobe(&kp);
    if (ret < 0) {
        printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
        return ret;
    }
    printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
    return 0;
}

static void __exit kprobe_exit(void)
{
    unregister_kprobe(&kp);
    printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}

Is it possible to intercept stat calls on files in a Linux file system? (from userspace)

It is possible with the technique is known as function interposition.

It works for applications that you start or control the start-up environment to be able to set LD_PRELOAD environment variable.

Intercepting a system call

original_call=sys_call_table[__NR_open];
....
sys_call_table[__NR_open]=our_call;

If you're intercepting fork, the entry for open is not what you want to change.
And instead of the address of the sys_fork() from System.map, you should have used the address of sys_call_table.

how could I intercept linux sys calls?

if you really need a solution you might be interested in the DR rootkit that accomplishes just this, http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2 the article about it is here http://www.theregister.co.uk/2008/09/04/linux_rootkit_released/

Intercepting File System System Calls