Amir has merged the FreeBSD port to syscalltrack HEAD. HEAD now has support for Linux, FreeBSD, NetBSD and OpenBSD! cool beans.
Yesterday, Amir implemented support for ‘fullpath()’ and ‘fdpath()’ in the filter format. This is a feature our users (all two of them ;-)) have been asking for a long time. It allows the user to match against the full path of a file, or the full path of a file descriptor. Now you can have a rule that catches every read of ‘/etc/passwd’, without catching ‘open’ first and noting the file descriptor. Of course, this is NOT SECURE, since another thread could come in and modify the syscall parameters after we check them and before the kernel acts on them, but syscalltrack is a debugging, not security, tool.
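The race described in the previous paragraph is a classic time-of-check-to-time-of-use (TOCTOU) problem. The following C program is an added illustration, not syscalltrack code: it models a path filter that checks a syscall argument in user memory and then acts on it, with a hook standing in for the other thread so the interleaving is deterministic. The names (`trace_racy`, `trace_snapshot`, `swap_to_passwd`, the `/etc/passwd` rule) are constructed for the example. The hardened variant copies the argument once and then checks and acts on the copy, which is the standard fix; it assumes the checker and the consumer share that one copy, something a filter sitting in front of the kernel's own argument copy does not get, which is why the post's caveat stands.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 256

/* Filter rule (constructed): match a read of /etc/passwd by full path. */
static int filter_matches(const char *path) {
    return strcmp(path, "/etc/passwd") == 0;
}

/* Stands in for "another thread modifies the syscall parameters" between
 * check and use.  Real interference is scheduler timing; the callback makes
 * the interleaving deterministic so it can be asserted on. */
typedef void (*between_hook)(char *user_path);

/* Racy design: check the path in user memory, then read user memory again
 * when acting.  Returns the filter verdict; acted_on receives the path that
 * was really used. */
int trace_racy(char *user_path, between_hook hook, char *acted_on, size_t n) {
    int verdict = filter_matches(user_path);   /* check: first read of user memory */
    if (hook) hook(user_path);                 /* race window */
    strncpy(acted_on, user_path, n - 1);       /* use: second read of user memory */
    acted_on[n - 1] = '\0';
    return verdict;
}

/* Hardened design: copy the argument once (what copy_from_user would do),
 * then check and act on that private copy; later writes to user memory
 * cannot split the verdict from the action. */
int trace_snapshot(char *user_path, between_hook hook, char *acted_on, size_t n) {
    char copy[PATH_MAX_LEN];
    strncpy(copy, user_path, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    int verdict = filter_matches(copy);        /* check the copy */
    if (hook) hook(user_path);                 /* user memory changes... */
    strncpy(acted_on, copy, n - 1);            /* ...but the copy is acted on */
    acted_on[n - 1] = '\0';
    return verdict;
}

/* Constructed interfering thread: the process starts the call with an
 * innocuous path and rewrites it to /etc/passwd during the window. */
static void swap_to_passwd(char *user_path) {
    strcpy(user_path, "/etc/passwd");
}

/* 1 if the racy tracer let a read of /etc/passwd through unlogged. */
int racy_misses_passwd(void) {
    char user_path[PATH_MAX_LEN] = "/etc/hostname";
    char acted_on[PATH_MAX_LEN];
    int verdict = trace_racy(user_path, swap_to_passwd, acted_on, sizeof acted_on);
    return verdict == 0 && strcmp(acted_on, "/etc/passwd") == 0;
}

/* 1 if the snapshot tracer's verdict always describes the path acted on. */
int snapshot_is_consistent(void) {
    char user_path[PATH_MAX_LEN] = "/etc/hostname";
    char acted_on[PATH_MAX_LEN];
    int verdict = trace_snapshot(user_path, swap_to_passwd, acted_on, sizeof acted_on);
    return verdict == filter_matches(acted_on);
}

int main(void) {
    printf("racy tracer misses the /etc/passwd read: %s\n",
           racy_misses_passwd() ? "yes" : "no");
    printf("snapshot tracer verdict matches action: %s\n",
           snapshot_is_consistent() ? "yes" : "no");
    return 0;
}
```

Running it prints "yes" for both lines: the racy tracer logs nothing for a call that ends up reading `/etc/passwd`, while the snapshot tracer's verdict and action always agree. For a debugging tool the first outcome is an accepted limitation; for anything that enforces policy it is a bypass.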
I had a nice idea today during a discussion with Amir and choo on syscalltrack-hackers: unify the filtering and logging syntax and mechanisms. The benefits are obvious: a consistent configuration syntax and less complex kernel code, because the logging format is currently parsed entirely in the kernel, unlike the filter format. The only disadvantage is breaking configuration file backward compatibility. I think it’s something we can still afford to do at this stage of development. I might even take a stab at implementing it later tonight, after (during ;-)) Hamakor’s yearly meeting. It will be a nice refresher from the weekend’s elisp hacking.