This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: prevent module unloading
- From: Arkady <arkady dot miasnikov at gmail dot com>
- To: Daniel Doron <danielmeirdoron at gmail dot com>
- Cc: systemtap at sourceware dot org
- Date: Wed, 18 Oct 2017 17:17:47 +0300
- Subject: Re: prevent module unloading
- Authentication-results: sourceware.org; auth=none
- References: <CAFwN=+wZ+EKbzYMxnrk_63McdiMdCA-vKn1_CAcrT30Rh1xV4w@mail.gmail.com> <CANA-60p-qAgF6zPV735gxewAEiRqLADvXCL=meU4QZeABUD-Fg@mail.gmail.com> <CAFwN=+wna9sc+qDg_Tyr4Brj7m6nZ3hf6MP=+68L17YJXfwBtg@mail.gmail.com> <CAFwN=+xn9gxPWAN1rJgOkbMy081Ozw+x8i8x+EtAHHE2jetPQg@mail.gmail.com> <CANA-60qqFF_T5jpLLj2EGDrMa_cW8wFHgjRxjNje6bm-0EUO=Q@mail.gmail.com>
Probably easier is to allow rmmod and insmod the module immediately
after that from a script.
On Wed, Oct 18, 2017 at 11:27 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
> https://stackoverflow.com/questions/43003805/can-ebpf-modify-the-return-value-or-parameters-of-a-syscall/43030030
>
> On Wed, Oct 18, 2017 at 11:24 AM, Daniel Doron
> <danielmeirdoron@gmail.com> wrote:
>> Wondering, then how does the possibility of changing the $return value works?
>>
>> On Wed, Oct 18, 2017 at 11:21 AM, Daniel Doron
>> <danielmeirdoron@gmail.com> wrote:
>>> Brilliant! thanks Arkady :-)
>>>
>>> On Wed, Oct 18, 2017 at 11:20 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
>>>> Modifying syscall arguments in the SystemTap probe will not impact the
>>>> system call itself.
>>>> The krpobes copies the syscall arguments to a memory space allocated
>>>> specifically for the probe.
>>>> What the SystemTap probes see is a copy of the arguments user
>>>> application provided.
>>>>
>>>> If you want to "break" a system call you need to modify internal
>>>> kernel structures or the
>>>> original syscall stack. One approach could be to change the UID in the
>>>> beginning of the rmmod
>>>> and recover the UID in the end
>>>>
>>>> On Wed, Oct 18, 2017 at 11:13 AM, Daniel Doron
>>>> <danielmeirdoron@gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> i am interested in protecting some modules unloading via SystemTap. I
>>>>> have contemplated modifying the name_user argument but i see it is
>>>>> passed as const. So does that mean that the pointer is pointing to a
>>>>> read only memory location in which case i have no way of modifying it?
>>>>> I wanted to change it to some non-existing module name which would
>>>>> result in an error...Or maybe there is a way to cast the const away
>>>>> and modify the name....?
>>>>>
>>>>> Ideas?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> -Daniel.