Re: prevent module unloading

[Arkady <arkady dot miasnikov at gmail dot com>]

Probably easier is to allow rmmod and insmod the module immediately
after that from a script.

On Wed, Oct 18, 2017 at 11:27 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
> https://stackoverflow.com/questions/43003805/can-ebpf-modify-the-return-value-or-parameters-of-a-syscall/43030030
>
> On Wed, Oct 18, 2017 at 11:24 AM, Daniel Doron
> <danielmeirdoron@gmail.com> wrote:
>> Wondering, then how does the possibility of changing the $return value works?
>>
>> On Wed, Oct 18, 2017 at 11:21 AM, Daniel Doron
>> <danielmeirdoron@gmail.com> wrote:
>>> Brilliant! thanks Arkady :-)
>>>
>>> On Wed, Oct 18, 2017 at 11:20 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
>>>> Modifying syscall arguments in the SystemTap probe will not impact the
>>>> system call itself.
>>>> The krpobes copies the syscall arguments to a memory space allocated
>>>> specifically for the probe.
>>>> What the SystemTap probes see is a copy of the arguments user
>>>> application provided.
>>>>
>>>> If you want to "break" a system call you need to modify internal
>>>> kernel structures or the
>>>> original syscall stack. One approach could be to change the UID in the
>>>> beginning of the rmmod
>>>> and recover the UID in the end
>>>>
>>>> On Wed, Oct 18, 2017 at 11:13 AM, Daniel Doron
>>>> <danielmeirdoron@gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> i am interested in protecting some modules unloading via SystemTap. I
>>>>> have contemplated modifying the name_user argument but i see it is
>>>>> passed as const. So does that mean that the pointer is pointing to a
>>>>> read only memory location in which case i have no way of modifying it?
>>>>> I wanted to change it to some non-existing module name which would
>>>>> result in an error...Or maybe there is a way to cast the const away
>>>>> and modify the name....?
>>>>>
>>>>> Ideas?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> -Daniel.