From: Dmitry V. L. <ld...@al...> - 2014-03-03 12:56:20

On Mon, Mar 03, 2014 at 10:52:48AM +0530, Zubin Mithra wrote:
> >> I believe that the first step would be to document and note down the system
> >> calls that belong to one or more of the above categories and their system
> >> call numbers, and if the -yy flag is used, check the tcp->scno against
> >> these numbers and act accordingly.
> >>
> >> Is there something I'm missing? I'd love any kind of feedback!
> >
> > You probably don't need to care about tcp->scno to implement -yy mode.
>
> Just a little something I'd like to clarify -- did you mean I should
> use tcp->s_ent->sys_name instead? Just to make sure I'm not terribly
> misunderstanding something. :)

The way how strace decodes each syscall is, shortly speaking, this:
1. take a syscall number (tcp->scno);
2. filter out those syscalls that should not be decoded;
3. call the handler assigned for the syscall (tcp->s_ent->sys_func).

At the point of syscall decoding where absolute paths decoding should be
implemented, the syscall handler is already called, so neither tcp->scno
nor tcp->s_ent->sys_func is required for decoding. Only when you are
changing syscall filtering algorithms you may need to know scno/sys_func
in advance. Just have a look at the code. :)

--
ldv
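The three decoding steps ldv lists, as a constructed C model added here (not strace's own code): only scno, s_ent and sys_func are names taken from the mail; the tcb layout, the u_arg field, the fd-to-path table and the handler are assumptions made to show that the path decoration for -yy happens inside the handler, which never needs to look at the syscall number again.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the pipeline: scno -> filter -> handler. */
struct tcb;
typedef void (*sys_func_t)(struct tcb *);

struct sysent { sys_func_t sys_func; const char *sys_name; };

struct tcb {
    long scno;                   /* step 1: raw syscall number */
    long u_arg[6];               /* syscall arguments (assumed field name) */
    const struct sysent *s_ent;  /* table entry resolved from scno */
    char out[128];               /* decoded text produced by the handler */
};

/* Constructed fd-to-path table standing in for a /proc/PID/fd lookup. */
static const char *fd_path(int fd) {
    static const char *table[] = { "/dev/null", "/dev/pts/0", "/dev/pts/0", "/etc/passwd" };
    return (fd >= 0 && fd < 4) ? table[fd] : NULL;
}

/* Handler for write(2): by the time it runs, the syscall is already known.
 * The -yy style "<path>" decoration only needs the fd argument and a lookup. */
static void sys_write_handler(struct tcb *tcp) {
    int fd = (int)tcp->u_arg[0];
    const char *p = fd_path(fd);
    if (p) snprintf(tcp->out, sizeof tcp->out, "write(%d<%s>, ..., %ld)", fd, p, tcp->u_arg[2]);
    else   snprintf(tcp->out, sizeof tcp->out, "write(%d, ..., %ld)", fd, tcp->u_arg[2]);
}

/* Constructed syscall table for a made-up ABI: index is the syscall number. */
static const struct sysent sysent[] = {
    [1] = { sys_write_handler, "write" },
};
#define NSYSCALLS ((long)(sizeof sysent / sizeof sysent[0]))

/* step 2: filtering, here by syscall name, is the only place scno/sys_name matter. */
static int should_trace(const struct sysent *e, const char *want) {
    return e && e->sys_func && strcmp(e->sys_name, want) == 0;
}

/* Runs the pipeline; returns 1 when the syscall was decoded into tcp->out. */
int decode_syscall(struct tcb *tcp, const char *trace_only) {
    tcp->s_ent = (tcp->scno >= 0 && tcp->scno < NSYSCALLS) ? &sysent[tcp->scno] : NULL;
    if (!should_trace(tcp->s_ent, trace_only)) return 0;
    tcp->s_ent->sys_func(tcp);   /* step 3: dispatch to the handler */
    return 1;
}
```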