On Tue, Aug 31, 2004 at 08:15:56PM +0300, Anatoly Vorobey wrote:

> [nitpicking follows]

[nitpickers are us]

> I'm not suggesting replacing the file (impossible in /proc w/o changing
> the kernel or the mounting), I'm suggesting replacing the
> *descriptor*.

I'm not suggesting replacing the file either - I'm suggesting opening the original file (/proc/.../whatever), but keeping track of its fd, and in subsequent calls to read, return your own data rather than data from the file.

In some cases (although not the specific one we're talking about), simply replacing the descriptor is not enough, because the file being read has some special properties that your "replacement file" cannot easily emulate. Think ioctl then read on a special device file, or terminal ioctls on /dev/tty. Either you provide these functions, or you let them occur on the "real" fd and intervene elsewhere, or things stop working.

> and will just happily read it all and then close it - you won't have to
> monitor those calls. That makes the whole process much simpler and
> easier to code.

Agreed, in this specific case. I was thinking ps/top might be doing something funky with the /proc/$PID/* files they read, but it looks like a very simple open/read/close, e.g.:

    open("/proc/6/cmdline", O_RDONLY) = 8
    read(8, "", 2047) = 0
    close(8)

So yeah, hooking only open in LD_PRELOAD could work.

Cheers,
Muli
--
Muli Ben-Yehuda
http://www.mulix.org | http://mulix.livejournal.com/