Process arguments
    Dave Clausen 
    dave at endlessdream.org
       
    Mon Oct 30 05:17:55 UTC 2006
    
    
  
Hello list,
I'm a n00b to the FreeBSD kernel and I'm trying to log all commands run 
on the command line from within the kernel for security purposes by 
loading a kernel module which redefines execve().  I've successfully 
created the KLD and have it working, but am having problems saving the 
command's arguments.
Could anyone point me to where in the kernel I should be looking for the 
arguments sent to the process?  p->p_args gives me the parent process's 
cmdname only (sh, in this case), and uap->argv is just the relative 
pathname of uap->fname.  Ideally, I'd like the user, full command line, 
and cwd logged for each command entered.
Here's an example of what I've been working away on:
int
new_execve (struct thread *td, struct execve_args *uap)
{
       char *user;
       struct proc *p = td->td_proc;
       user = p->p_pgrp->pg_session->s_login;
       if (p->p_ucred->cr_ruid == 1001) {
               printf("%s %d %s\n", user, p->p_pid, uap->fname);
       }
       return (execve(td,uap));
}
Running 'ls -al' with the above, I get the username, pid, and absolute 
filename printed such as, but can't find the actual arguments:
dave 6689 /bin/ls
Any help would be appreciated.
    
    
More information about the freebsd-hackers
mailing list