On a very constrained embedded Linux system, I wish to log all files that are opened/mapped/whatever for read and or write. In other words, all files that are accessed at least once. What would be the best approach? Because of "some" constraints, I would prefer NOT to modify/hack the file system, init scripts and the user-space level... I think that I would prefer to do things in the kernel. Even an insertion of printk in the right functions would be acceptable. If that matters, I'm using an ext3 filesystem.
Asked
Active
Viewed 869 times
1
-
You want to change kernel but not modify FS stack ? Can you clarify ? Anyway, how about intercepting FS calls in stackable file system, log and forward it to native FS. If you want to track for entire FS, mount this stackable FS on /': Check here: http://wrapfs.filesystems.org/docs/linux-stacking/index.html – bladeWalker Feb 03 '14 at 22:10
-
Correct. I want to avoid FS stack modification and I'm OK to do anything inside the kernel. – gregoiregentil Feb 03 '14 at 23:32
-
How about inotify ? If this doesn't help, maybe I didn't understand your question. http://man7.org/linux/man-pages/man7/inotify.7.html – bladeWalker Feb 04 '14 at 00:23
-
You want `auditd`, the Linux Audit daemon. http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ – Peter Feb 04 '14 at 14:17
-
Thanks. I would really prefer to do things inside the kernel as I need to monitor tricky things that happens as soon as init kicks in. I'm ready to patch the kernel. I'm just asking what is the best place to intercept all the open fs calls. – gregoiregentil Feb 04 '14 at 17:19
1 Answers
2
Answering my own question. Patching the kernel file system driver is a working solution:
char *buf = (char*)__get_free_page(GFP_USER);
char *name = dentry_path_raw(file->f_dentry, buf, PAGE_SIZE);
printk("FILE OPEN read: %d write: %d %s\n", file->f_mode & FMODE_READ, file->f_mode & FMODE_WRITE, name);
free_page((unsigned long)buf);
gregoiregentil
- 1,793
- 1
- 26
- 56