How to listen to new plugs in the core

Question

How to listen to new plugs in the core

Kernel: 3.4+

Does anyone know of another way to use the kernel process event connector to “listen” for new forks.

I want to be simply notified in the module every time a new task (process) is created.

+8

c linux linux-kernel fork linux-device-driver

Daniel Meir Doron Jun 03 '15 at 14:18

source share

3 answers

borisp · Answer 1 · 2015-06-10T10:15:25+0000

You can try using LSM hook to do this. The function you want to implement is security_task_create

pavan · Answer 2 · 2015-06-10T17:14:56+0000

I do not know about the state of SystemTap, but I think that you can trace the border of a function, for example, DTrace on Solaris, using SystemTap. You will need to know what function of the Linux kernel can be traced, but this is the simpler part that I assume.

borisp · Answer 3 · 2015-06-23T14:08:21+0000

There are several possible hacks that you could use to solve this problem.

You can connect the corresponding table in the syscall table, replace sys_fork with your code, and call the original sys_fork.

Otherwise, you can enable sys_fork.

How to listen to new plugs in the core

More articles: