Re: Hooking execve for an LD_PRELOAD library

[Florian Weimer <fweimer@redhat.com>]

* Andreas Fink via Libc-help:

> Ok, if I understood you correctly this is the expected behaviour. I was
> afraid of it, but ok I can live with it.
> Assuming I want to hook the whole exec-family, it seems easy to just
> add hooks for the execv* functions while forwarding all arguments to
> the corresponding glibc implementation.

You will also have to deal with system, popen, posix_spawn,
posix_spawnp.

> Forwarding the execl* functions seems a bit more involved, as I would
> have to bend the va_list to an array, or is there some way to forward
> the arguments to the glibc function without unwrapping the va_list?

I don't think this is possible in general.  GCC has __builtin_apply and
__builtin_apply_args, but I don't know if they work with variadic
functions on all architectures.

> Kernel-based mechanism (in my case that's Linux) sounds also interesting
> as it is one level lower I guess, but honestly speaking I have no idea
> where to start to look at. Do you know of an example (not necesserily
> execve, but any system call where this is done)?

You can find examples for ptrace system call interception and emulation
on the web.  Niels Provos' systrace also has a ptrace backend, which
could serve as a source of inspiration.

> I guess glibc must do this of course, but I could not directly find
> for example the real implementation of execve.

glibc doesn't do this, not even in its test suite.  (We probably should
use this for testing obscure kernel features, but as far as I know, we
currently don't.)

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill