system call interposition using LD_PRELOAD

Carlos O'Donell
Fri Mar 30 02:44:00 GMT 2012

On Thu, Mar 29, 2012 at 10:25 PM, Godmar Back <> wrote:
> a student of mine is working on a project that requires system call
> interposition. In the old days, this could be accomplished using a
> LD_PRELOAD library that would redefine the system call entry points.

I don't know that it has *ever* been possible to use ELF symbol
interposition to intercept all system calls made by glibc.

> He tells me that for several years now, this is no longer possible with GNU
> libc because functions such as fopen() do not dynamically link against the
> stubs, but rather a local PLT is used. He also claims some system call
> sequences are even inlined in parts of the libc code.

This is all true.

> He is now considering changing libc, but finds that its design does not lend
> itself easily to doing that.

That depends on your level of experience, but yes it's not currently
easy to intercept all system calls.

> If this is true, what is the new state of the practice with respect to
> system call interposition?

On Linux you would use the ptrace API to catch the system call on the
kernel side using PTRACE_SYSCALL. On the kernel side there is a well
defined syscall entry and exit process.

> I would like to hear other's experience/tips/recommendations. Thank you.

For many reasons it's impractical to arrange the C library to be the
point of interception of the syscall, thus there is no good mechanism
for interception.

Good luck to your student and good luck with your work.


More information about the Libc-help mailing list