Finding all the places a variant of close() is called

Justin McCann jneilm+libc@gmail.com
Fri Aug 19 16:03:00 GMT 2011


For a research project, I've been working on tracking socket-related
system calls in Linux. I've been relatively successful doing library
interposition using LD_PRELOAD and intercepting socket(), close(),
bind(), accept(), connect(), listen(), etc. However, I've run into
several cases where it appears the libc close() function isn't being
called, but the file descriptor is clearly being returned to the
operating system.

I've also intercepted __close(), __res_nclose(), and __res_iclose()
since some of those appeared to be used within libc itself during DNS
lookups.

It seems that there are still some cases that I miss. Other than
taking another approach (ptrace, kernel module, etc.), what other
functions should I intercept to make sure I have all the ways a
program might close a file descriptor?

Am I screwing up by not also intercepting fopen, fdopen, freopen, and fclose?

Unfortunately, strace isn't of much use here, since it catches the
syscall trap and reports close(), even though it's really some other
(hidden?) libc function at the higher layer.

My problem is basically the same as described here (sorry for the
ad-laden link):
   http://forum.soft32.com/linux2/LD_PRELOAD-Sockets-ftopict13597.html

Thanks for your help,
     Justin
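
The situation described in the message above, reproduced in one file as an added example (not code from the original post): the program defines its own close(), which takes precedence over libc's symbol the same way an LD_PRELOAD shim's would, and counts how often it runs when a descriptor is released through close() versus fclose(). Assumptions: Linux with glibc or musl, the hook forwarding via syscall(SYS_close) instead of dlsym(RTLD_NEXT), and the constructed helper names hook_calls_for_direct_close() and hook_calls_for_fclose().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

static volatile int hook_calls;          /* times the interposed close() ran */

/* Same symbol an LD_PRELOAD shim would export; forwards straight to the kernel. */
int close(int fd)
{
    hook_calls++;
    return (int)syscall(SYS_close, fd);
}

/* A descriptor is gone once fcntl() fails with EBADF. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Hook invocations seen while closing via close(); -1 on setup failure. */
int hook_calls_for_direct_close(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return -1;
    int before = hook_calls;
    close(fd);
    return fd_is_open(fd) ? -1 : hook_calls - before;
}

/* Hook invocations seen while closing via fclose(); -1 on setup failure. */
int hook_calls_for_fclose(void)
{
    FILE *fp = fopen("/dev/null", "r");
    if (!fp) return -1;
    int fd = fileno(fp);                 /* remember the fd before the FILE dies */
    int before = hook_calls;
    fclose(fp);                          /* libc releases the fd internally */
    return fd_is_open(fd) ? -1 : hook_calls - before;
}

int main(void)
{
    printf("close():  %d hook call(s)\n", hook_calls_for_direct_close());
    printf("fclose(): %d hook call(s)\n", hook_calls_for_fclose());
    return 0;
}
```

In both cases the descriptor is returned to the kernel, but only the direct close() passes through the interposed symbol; fclose() reaches the syscall through a libc-internal path that symbol interposition does not see.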


