I'm working on system call interception (for open()
system call) and I got one problem: I have two kernel modules (mod1
and mod2
) and both of them are trying to intercept open()
syscall. I've loaded mod1
first and then mod2
. The mod1
intercepted open()
by:
original_open1 = sys_call_table[__NR_open];
sys_call_table[__NR_open] = mod1_open;
Here original_open1
would be sys_open
.
After this, mod2
intercepted open()
by:
original_open2 = sys_call_table[__NR_open];
sys_call_table[__NR_open] = mod2_open;
Here, original_open2
would be mod1_open()
since mod1 was loaded first.
Now, the problem is: Suppose I unload mod1
first and open()
system call gets executed, then mod2_open()
would get called, which ultimately calls mod1_open()
.
Since mod1
is already unloaded, calling mod1_open()
would cause panic (since the function pointer is no longer a valid memory region).
I need some mechanism to avoid this problem. Basically, I want a solution which facilitates loading/unloading the modules (which intercept same syscall) in any random order without causing any panic.