Detect process creation in Linux kernel space

Question

I'm writing a Linux module that monitors running processes, and I'd like to get notified whenever a new process is created.

I've been researching, I learned that one can read /proc/some-id to get info of processes, but inotify won't report changes to /proc because it's a virtual fs. It only provides information whenever read.

here are my findings in case someone is also trying to solve similar problems:

1. pnotify (process notification)

Link: http://lwn.net/Articles/153187/ this is the closest to what I'm trying to do, however it was posted in 2005 and didn't seem to have made into the linux distro. The idea is to have a pnotify that lives next to inotify, and provides similar support for process monitoring.

2. process connector

This solution is actually user-space. It uses PF_NETLINK to communicate with the kernel for any newly created processes.

3. scanning task_struct

Similar to 2 except this solution scans the task list in kernel for new processes using

for_each_task(task) 

proc info is written to a char device. A user-space app will poll new info by reading the char device.

TBH, my hope is still that linux has some mechanism like Windows' PsSetCreateProcessNotifyRoutine :-/

Answer 1

Implement an SE Linux Security Module and use the hooks such as .task_create which is called in the context of fork(), or one or more of the the .bprm_* hooks that are called at various points in the process of calling execv().

See here:

http://en.wikipedia.org/wiki/Linux_Security_Modules

and here:

http://selinuxproject.org/page/NB_LSM

There's an example here:

http://lxr.free-electrons.com/source/security/selinux/hooks.c

Most of what you need to do is just a pass-through, outside of the hooks that you can use as notification when fork() or execv() is called.

Just be sure to properly chain your module.