My mistake. I noticed later that ptrace is actually called just before the system call; however, the system call code and arguments have already been read by the kernel, and they are not re-read after ptrace finishes. It simply does not account for that possibility.

------ cut here ---
	if (error == 0) {
		td->td_retval[0] = 0;
		td->td_retval[1] = frame->tf_edx;

		STOPEVENT(p, S_SCE, narg);
		PTRACESTOP_SC(p, td, S_PT_SCE);   /* <= change syscall number or args */

		AUDIT_SYSCALL_ENTER(code, td);
		error = (*callp->sy_call)(td, args);
		AUDIT_SYSCALL_EXIT(error, td);
	}
------- cut here -----

I'm wondering if it would be possible to move the STOPEVENT and PTRACESTOP lines to the beginning of syscall() without creating mayhem, or whether there is another way to make stopping syscall execution possible.

Regards,
S.O.
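The ordering problem described in the post, as an added user-space model that is not part of the original mail or of the FreeBSD kernel. It imitates the quoted syscall() path: the dispatcher copies the syscall number and arguments out of the trap frame into locals, then runs a stop hook standing in for PTRACESTOP_SC(), then dispatches from the locals. A second variant runs the hook before the copy, which is the reordering the post asks about. The frame layout, the syscall table and the tracer hook are all made up for the illustration; the only thing taken from the page is the order of the copy, the stop and the dispatch.

```c
#include <stdio.h>
#include <string.h>

#define MAXARGS 3
#define NSYSENT 3

/* Hypothetical trap frame: on i386 the syscall number lives in tf_eax and the
 * arguments sit on the user stack; here the arguments are stored inline. */
struct frame {
    unsigned long tf_eax;            /* syscall number ("code" in the kernel) */
    unsigned long tf_args[MAXARGS];  /* stands in for the user-stack arguments */
};

typedef int (*sy_call_t)(unsigned long *args);
typedef void (*stop_hook_t)(struct frame *);

/* Toy syscall implementations; return values are only used to tell them apart. */
static int sys_nosys(unsigned long *args)  { (void)args; return -1; }
static int sys_getpid(unsigned long *args) { (void)args; return 100; }
static int sys_write(unsigned long *args)  { return (int)args[2]; } /* "bytes written" */

static const sy_call_t sysent[NSYSENT] = { sys_nosys, sys_getpid, sys_write };

/* What a tracer does at the syscall-entry stop: rewrite the frame so that the
 * pending getpid becomes write(fd, buf, 42). */
static void tracer_rewrite(struct frame *f)
{
    f->tf_eax = 2;       /* sys_write */
    f->tf_args[2] = 42;  /* new length argument */
}

static sy_call_t lookup(unsigned long code)
{
    return sysent[code < NSYSENT ? code : 0];
}

/* Order as in the quoted syscall(): copy code/args, then stop, then dispatch.
 * The tracer's edits land in the frame, but dispatch uses the stale locals. */
static int syscall_stop_after_copy(struct frame *frame, stop_hook_t stop)
{
    unsigned long code = frame->tf_eax;
    unsigned long args[MAXARGS];
    memcpy(args, frame->tf_args, sizeof args);     /* copyin() of the arguments */
    sy_call_t callp = lookup(code);

    if (stop)
        stop(frame);                               /* PTRACESTOP_SC() equivalent */

    return callp(args);                            /* frame changes are ignored */
}

/* Reordered variant: stop first, then read code/args from the (possibly
 * rewritten) frame. Note that the sysent lookup, and with it the argument
 * count, must also come after the stop, not just the argument copy. */
static int syscall_stop_before_copy(struct frame *frame, stop_hook_t stop)
{
    if (stop)
        stop(frame);

    unsigned long code = frame->tf_eax;
    unsigned long args[MAXARGS];
    memcpy(args, frame->tf_args, sizeof args);
    sy_call_t callp = lookup(code);

    return callp(args);
}

int main(void)
{
    struct frame a = { 1, { 0, 0, 0 } };  /* constructed: getpid, no arguments */
    struct frame b = { 1, { 0, 0, 0 } };

    printf("stop after copy:  %d (tracer's change lost)\n",
           syscall_stop_after_copy(&a, tracer_rewrite));
    printf("stop before copy: %d (tracer's change honoured)\n",
           syscall_stop_before_copy(&b, tracer_rewrite));
    return 0;
}
```

The model makes one point the post implies but does not spell out: it is not enough to move the stop ahead of the argument copy, because in the real function narg is taken from callp, which was selected from code before the copy. Any reordering that lets a tracer change the syscall number therefore has to redo the sysent lookup and the argument fetch after the stop, which is why the rewritten variant above recomputes everything from the frame.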