From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <finkandreas@web.de>
Received: from mout.web.de (mout.web.de [212.227.17.12])
 by sourceware.org (Postfix) with ESMTPS id 0CF3C3890401
 for <libc-help@sourceware.org>; Sun, 17 Jan 2021 07:07:35 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 0CF3C3890401
X-UI-Sender-Class: c548c8c5-30a9-4db5-a2e7-cb6cb037b8f9
Received: from localhost ([213.55.224.202]) by smtp.web.de (mrweb106
 [213.165.67.124]) with ESMTPSA (Nemesis) id 1Mav2X-1lbTdl0mBX-00cObR for
 <libc-help@sourceware.org>; Sun, 17 Jan 2021 08:07:34 +0100
Date: Sun, 17 Jan 2021 08:07:32 +0100
From: Andreas Fink <finkandreas@web.de>
To: libc-help@sourceware.org
Subject: Hooking execve for an LD_PRELOAD library
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID: <1MiMEW-1lf4081KQ2-00fS4y@smtp.web.de>
X-Provags-ID: V03:K1:hfuVMYY/EmXGWObUtuZTPQv/XG67WkRVNZrEUoTOBRzxZzD+2b1
 zU/RvDU5iXKJaUlcLhSkSeIDXBvi1msWPkf7ceV9e2M5AEcL1k9c0Tl9h/vJ8PQzOaQJSkc
 eQHPJWhOb9uj/+dCWImhuF2l57fwyP4++RGMJa41e8VN67lNKbvLYPYAGEAhpIhAwZ0aD+0
 UuNmljkI65g73J9U9yZYA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:z248o0OxL2A=:rRGduL63OprHdLOguJjAjD
 lelNwjL8MV0FV+avL4VN51snmwRTBXtd+f+1PB7WjyKwrMSMLcqmSEEgETupPIrgqzQTXEJkt
 MD/6p00ze3VKNTb7lhLWVuyOw6zENtTP2dmEVi6AaKlVdnO/G2Hj6nz87J+XboGUej5O/fqT8
 HrgUUEjCbEFzIP+ZXHgxG21OZRJ+0eQZNdmPBHacFfzpN+R8EXz6Fzp84ih18TNsKUbDEIex3
 oRZYXg0aYiZlc/O8vW5qyJWYkZVH92YfVWwTOY8UiU1ijaynS0YKfzOiGuVGzP5hMIoAZESOF
 nipknApSnlnPBhoLCGcUeY2ilp0ZuU7pPoFMml6I8zulgl0Um6noee7PlBbdsEv6EtDmhEd4z
 XB0fYhqqLXvxHhkSeIDqTTP+9LRKIygEKho8j3ucxKcgKULt+TYlK8TSzfmjXA2BDGrbblQVY
 iUyl1F9vTpT7INijnmDVHNjAmkOY1ara1b124Q3L5wec3rZfFdhsR7xtixkoFbcnb4meC77sN
 Bk/VRwx6NwWCpkB8iH4nJ32qY/dhkKNnHLve3xiHha6bYwnr+To7uzmXNmO70H/io4XTYuW/Z
 wh1LgI0HQLiXlJ6Si7RtPypVhopohPXogkLrmGQiKAOpPgTxp7KmiUrjhgsjRwhd4pbWQiYfz
 NdmILwXQY3tnpjX83g9V7lBG2rvMEKo/0q/JCR1rVwJci/+thV7kwsY3A1H+zFkTb5WNqFR6u
 k88ARywRlqnUK/4llNO33TL29pa873EmTGVhzc5vrE0fgn5T55a9jpV6H1vDITP3TFCtT8b8n
 6dsvuMWMDK5O2pWqpHrTun6e9qtEtU2Pe8yME2PuR0Me8p8tNS7OCzqO1j7R4u2bZVX+wmthe
 cVvyHTXEra86vMx40kmQ==
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00, DKIM_SIGNED,
 DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
 server2.sourceware.org
X-BeenThere: libc-help@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Libc-help mailing list <libc-help.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-help>,
 <mailto:libc-help-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-help/>
List-Help: <mailto:libc-help-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-help>,
 <mailto:libc-help-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jan 2021 07:07:37 -0000

Hello,
I would like to hook a call to execve, and have the code:
############### execve_override.c ######################
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>

int (*real_execve)(const char *pathname, char *const argv[], char *const envp[])=NULL;
int execve(const char *pathname, char *const argv[], char *const envp[]) {
    if (real_execve==NULL) {
        real_execve = dlsym(RTLD_NEXT, "execve");
    }
    FILE* logfile = fopen("/tmp/execve_override.log", "a");
    fprintf(logfile, "intercepted execve for %s\n", pathname);
    fclose(logfile);
    return real_execve(pathname, argv, envp);
}
############################################################
I compiled it:
gcc -o libexecve_override.so -shared -fPIC execve_override.c -ldl

and start an executable that calls execve:
LD_PRELOAD=/path/to/libexecve_override.so my_binary_calling_execve

Up to this point everything works as expected. The call to execve is
hooked, logged in the file /tmp/execve_override.log and forwarded to
the next execve implementation.
I compiled my executable without any specific flags, i.e. a vanilla:
gcc test_exec.c

Now I would like the same for execvp to happen. Reading the man page of
execvp it is mentioned that exec-family functions are just
frontends to execve, so I replaced in my executable source code the
explicit call to execve with a call to execvp. I expected that this
would just work, as execvp would in turn call execve and this would be
caught by the hook, then logged and forwarded to the real
implementation. But to my surprise no such thing happened. execvp would
run successfully, but my hook would never be called.
Why is the hook not called, what did I miss?

Thanks for any help
Andreas