Can we call system call in kernel space?

Published 2020-02-06 07:24

Question:

Sometimes, when we have to call a system call in the kernel, we invoke its helper or related kernel functions instead of doing a 'syscall'. I am still wondering: can we call a system call in kernel space? If not, what stops us from doing that?

My question is a little bit weird.

Answer 1:

Actually, contrary to popular belief (and some answers here), the answer is yes, you can, but it depends on which OS:

  • In Linux, you can call almost all system calls if you can find their kernel export (do cat /proc/kallsyms | grep sys_ for an example). There is a minor "trick" to get around a protection in most syscalls (those which accept a user mode *), by setting the data segment (KERNEL_DS). It's not exactly recommended, but it certainly makes sense if you need to access files from the kernel (e.g. SELinux).

  • In Windows, most of the Nt* calls in the kernel are also available as Zw* calls - do "dumpbin /exports C:\windows\system32\ntoskrnl.exe | findstr Zw (or Nt)" for an example.

  • In Mac OS X, it technically shouldn't be allowed, though there are clever hacks to get around it.

Even though system calls are indeed the interface between user mode and the kernel, there are surprisingly quite a few cases where even production-worthy code does so -- but through careful observance of caveats.
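As an added example (not code from the answer above or from any project), a POSIX shell script that applies the kallsyms lookup the answer describes to a constructed sample of /proc/kallsyms output: it lists the syscall entry symbols, counts addresses zeroed by kernel.kptr_restrict, and checks for the __ksymtab_ entry that marks a symbol as exported to modules. The sample lines, addresses and the exported-symbol choice are constructed, not captured from a real kernel.

```shell
#!/bin/sh
# Constructed sample of /proc/kallsyms output (not from a real machine).
# Format per line: <address> <type> <symbol> [<tab>[module]]
# An address of all zeros is what unprivileged readers see when
# kernel.kptr_restrict hides kernel pointers.
SAMPLE_KALLSYMS='ffffffff81290a40 T __x64_sys_open
ffffffff81290a40 T __x64_sys_openat
ffffffff81290b10 t __do_sys_openat
ffffffff810c1f00 T do_sys_open
ffffffff8105ee10 T sys_ni_syscall
ffffffff81200000 T __x64_sys_mmap
0000000000000000 t __ia32_sys_close
ffffffff81e00000 r __ksymtab_sys_ni_syscall
ffffffffc0123456 t helper_fn	[some_module]'

# Print the syscall entry symbols found in kallsyms-format text ($1):
# legacy sys_* names plus the per-ABI __x64_sys_* / __ia32_sys_* wrappers.
# __do_sys_* and do_sys_* internals are not entry points and are skipped.
list_syscall_symbols() {
    printf '%s\n' "$1" \
        | awk '$3 ~ /^(__x64_sys_|__ia32_sys_|sys_)/ { print $3 }' \
        | LC_ALL=C sort -u
}

# Count entry symbols whose address is zeroed, i.e. hidden by kptr_restrict;
# a non-zero count means you need root or CAP_SYSLOG to read real addresses.
count_hidden_addresses() {
    printf '%s\n' "$1" \
        | awk '$3 ~ /^(__x64_sys_|__ia32_sys_|sys_)/ && $1 ~ /^0+$/ { n++ }
               END { print n + 0 }'
}

# Presence in kallsyms does not mean a module can link against the symbol.
# Only EXPORT_SYMBOL'd names get a __ksymtab_<name> entry; report yes/no
# for symbol $2 in the kallsyms text $1.
is_exported() {
    if printf '%s\n' "$1" \
        | awk -v s="__ksymtab_$2" '$3 == s { found = 1 } END { exit !found }'
    then echo yes
    else echo no
    fi
}

# Against the live kernel:  list_syscall_symbols "$(cat /proc/kallsyms)"
list_syscall_symbols "$SAMPLE_KALLSYMS"
```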