This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: prevent module unloading
- From: Arkady <arkady dot miasnikov at gmail dot com>
- To: Daniel Doron <danielmeirdoron at gmail dot com>
- Cc: systemtap at sourceware dot org
- Date: Wed, 18 Oct 2017 11:20:01 +0300
- Subject: Re: prevent module unloading
- Authentication-results: sourceware.org; auth=none
- References: <CAFwN=+wZ+EKbzYMxnrk_63McdiMdCA-vKn1_CAcrT30Rh1xV4w@mail.gmail.com>
Modifying syscall arguments in the SystemTap probe will not impact the
system call itself.
The krpobes copies the syscall arguments to a memory space allocated
specifically for the probe.
What the SystemTap probes see is a copy of the arguments user
application provided.
If you want to "break" a system call you need to modify internal
kernel structures or the
original syscall stack. One approach could be to change the UID in the
beginning of the rmmod
and recover the UID in the end
On Wed, Oct 18, 2017 at 11:13 AM, Daniel Doron
<danielmeirdoron@gmail.com> wrote:
> Hi,
>
> i am interested in protecting some modules unloading via SystemTap. I
> have contemplated modifying the name_user argument but i see it is
> passed as const. So does that mean that the pointer is pointing to a
> read only memory location in which case i have no way of modifying it?
> I wanted to change it to some non-existing module name which would
> result in an error...Or maybe there is a way to cast the const away
> and modify the name....?
>
> Ideas?
>
>
> Thanks,
> -Daniel.