我正在一个项目中，我已经挂上了系统公开 call 。当用户尝试打开文件时，如果当前任务(“黑名单”的pid或tgid)有可能将文件泄漏出主机，我希望sys_open阻止该操作。

无论如何，该挂钩本身在 sys_read 和 sys_write 上都可以正常工作(我在伪函数内有一些 printk 作为指标)。

但是，当我尝试卡在sys_open函数上时，什么也没打印出来-意味着覆盖未成功。
我在覆盖前后打印了sys调用的地址，因此这可能不是问题。

我对挂钩不同功能时可能导致行为不均的原因感到困惑。

在这里输入一些信息将非常高兴。
谢谢 !

dmesg输出示例:

当钩上写-



钩开时，注意到已打印，但是这里有一些“调试”输出-



使用lubuntu vm(内核v 4.15.0.20)。

这是源代码:

#include <linux/init.h>             // Macros used to mark up functions e.g., __init __exit
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <asm/page.h>
#include <linux/kallsyms.h>
#include <linux/semaphore.h>
#include <asm/cacheflush.h>
#include <linux/set_memory.h>
#include <linux/cred.h>
#include <linux/user.h>


MODULE_LICENSE("GPL");
MODULE_AUTHOR("ABC");
MODULE_VERSION("0.1");



asmlinkage long (*original_call)( char __user *filename, int flags, umode_t mode);    // for read or  write:  (unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_READ(unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_WRITE(unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_OPEN( char __user *filename, int flags, umode_t mode);

unsigned long* find_sys_call_table(void);
void set_page_rw( unsigned long addr);
void set_page_ro( unsigned long addr);
const struct cred *_cred = NULL ;
struct user_struct *user =NULL ;
unsigned long* sys_call_table = NULL;


void set_page_rw(unsigned long addr)
{

    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
}

void set_page_ro( unsigned long addr)
{

    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    pte->pte = pte->pte &~_PAGE_RW;
}

/*
asmlinkage long my_sys_READ(unsigned int fd, char __user *buf, size_t count)
{
    //_cred = current_cred();
    user =  get_current_user();
    if( (int)(*user).uid.val == uid )
    {
        printk(KERN_ALERT"in my read ... hacked !");
        return original_call(fd,  buf, count);
    }
    printk(KERN_ALERT"in my read ... hacked !");
    return original_call(fd,  buf, count);
}


asmlinkage long my_sys_WRITE(unsigned int fd, char __user *buf, size_t count)
{
    //_cred = current_cred();
    user =  get_current_user();
    if( (int)(*user).uid.val == uid )
    {
        printk(KERN_ALERT"in my write ... hacked !");
        return original_call(fd,  buf, count);
    }
    printk(KERN_ALERT"in my write ... hacked !");
    return original_call(fd,  buf, count);
}
*/

asmlinkage long my_sys_OPEN( char __user *filename, int flags, umode_t mode)
{

    printk(KERN_ALERT"in my open ... hacked !");
    return original_call(filename, flags, mode);

}

unsigned long* find_sys_call_table(void)
{
    return   (unsigned long *)kallsyms_lookup_name("sys_call_table");

}


int init_module()
{

    printk(KERN_ALERT "I'm dangerous. I hope you did a ");
    printk(KERN_ALERT "sync before you insmod'ed me.\n");

    sys_call_table = find_sys_call_table();
    printk(KERN_INFO"address found %p \n",sys_call_table);
    original_call = (void *)sys_call_table[__NR_open];
    set_page_rw((unsigned long)sys_call_table);

    printk(KERN_INFO"  Address before -  %p", (void *)sys_call_table[__NR_open]);
    sys_call_table[__NR_open] = (unsigned long)my_sys_OPEN;
    printk(KERN_INFO"  Address after -  %p", (void *)sys_call_table[__NR_open]);
    return 0;
}
/*
* Cleanup − unregister the appropriate file from /proc
*/
void cleanup_module()
{
    /*
    * Return the system call back to normal

    */

    if (sys_call_table[__NR_open] != (unsigned long)my_sys_OPEN) {
        printk(KERN_ALERT "Somebody else also played with the ");
        printk(KERN_ALERT "open system call\n");

    }
    printk(KERN_ALERT "BYE !!!\n");

    sys_call_table[__NR_open] = (unsigned long)original_call;
}

您的Ubuntu版本基于glibc 2.27。

glibc版本2.26 switched to implementing open with openat :

commit b41152d716ee9c5ba34495a54e64ea2b732139b5
Author: Adhemerval Zanella <[email protected]>
Date:   Fri Nov 11 15:00:03 2016 -0200

    Consolidate Linux open implementation

    This patch consolidates the open Linux syscall implementation on
    sysdeps/unix/sysv/linux/open{64}.c.  The changes are:

      1. Remove open{64} from auto-generation syscalls.list.
      2. Add a new open{64}.c implementation.  For architectures that
         define __OFF_T_MATCHES_OFF64_T the default open64 will create
         alias to required open symbols.
      3. Use __NR_openat as default syscall for open{64}.