This project finds out which files an application is watching with inotify.
The efficient solution would be a reverse lookup from an `inotify_group` back to its watches, but the kernel exposes no such mechanism. So the module hooks both `inotify_add_watch` and `inotify_rm_watch` to maintain the current list of watches for each process. Only calls made after the module is inserted are observed.
The module answers a `comm_name` request from user space over netlink with a unicast reply (no encryption or authentication is implemented yet, so any local process that can open the socket can query it).
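As an added illustration (not code from this repository), the following Rust program models in user space the per-process table the kernel hook has to maintain: a post-hook on `inotify_add_watch` records the returned wd only when the call succeeded, a post-hook on `inotify_rm_watch` drops it only on success, and a lookup by comm answers what the netlink handler would return. The `WatchTable` type, the `on_exit` entry point and the sample pids, comm names and paths are assumptions for the example. It also covers a case a hook on `inotify_rm_watch` alone never observes: closing the inotify fd or exiting drops every watch without an `inotify_rm_watch` call.

```rust
use std::collections::HashMap;

/// One inotify watch as the hook records it: the watch descriptor the
/// kernel returned to the process, and the path the process asked to watch.
#[derive(Debug, Clone, PartialEq)]
pub struct Watch {
    pub wd: i32,
    pub path: String,
}

/// Per-process bookkeeping keyed by pid (hypothetical model of the kernel
/// module's table). The comm name is stored alongside because the netlink
/// request selects processes by comm, not by pid.
#[derive(Default)]
pub struct WatchTable {
    procs: HashMap<u32, (String, Vec<Watch>)>,
}

impl WatchTable {
    pub fn new() -> Self {
        Self::default()
    }

    /// Post-hook for inotify_add_watch: `ret` is the syscall's return value.
    /// The wd only exists on success, so a failed call is not recorded.
    pub fn on_add_watch(&mut self, pid: u32, comm: &str, path: &str, ret: i32) {
        if ret < 0 {
            return;
        }
        let entry = self
            .procs
            .entry(pid)
            .or_insert_with(|| (comm.to_string(), Vec::new()));
        // comm can change (execve, prctl), so keep the latest value seen.
        entry.0 = comm.to_string();
        // Re-adding an already watched path returns the same wd with an
        // updated mask; keep exactly one entry per wd.
        if let Some(w) = entry.1.iter_mut().find(|w| w.wd == ret) {
            w.path = path.to_string();
        } else {
            entry.1.push(Watch { wd: ret, path: path.to_string() });
        }
    }

    /// Post-hook for inotify_rm_watch: only a successful call (ret == 0)
    /// removes the wd; an EINVAL on an unknown wd changes nothing.
    pub fn on_rm_watch(&mut self, pid: u32, wd: i32, ret: i32) {
        if ret != 0 {
            return;
        }
        if let Some((_, watches)) = self.procs.get_mut(&pid) {
            watches.retain(|w| w.wd != wd);
        }
    }

    /// Closing the inotify fd or exiting drops all watches without any
    /// inotify_rm_watch call, so it must be driven from a separate
    /// exit/close hook (assumed here, not described by the project).
    pub fn on_exit(&mut self, pid: u32) {
        self.procs.remove(&pid);
    }

    /// What the netlink handler answers for a comm_name request: every
    /// process with that comm and the paths it currently watches.
    pub fn lookup(&self, comm: &str) -> Vec<(u32, Vec<String>)> {
        let mut out: Vec<(u32, Vec<String>)> = self
            .procs
            .iter()
            .filter(|(_, (c, _))| c.as_str() == comm)
            .map(|(pid, (_, ws))| (*pid, ws.iter().map(|w| w.path.clone()).collect()))
            .collect();
        out.sort_by_key(|(pid, _)| *pid);
        out
    }
}

fn main() {
    // Constructed sample events, not captured from a real system.
    let mut t = WatchTable::new();
    t.on_add_watch(1234, "code", "/home/u/proj/src", 1);
    t.on_add_watch(1234, "code", "/home/u/proj/.git", 2);
    t.on_add_watch(4321, "code", "/etc/does-not-exist", -2); // ENOENT: not recorded
    t.on_rm_watch(1234, 2, 0);
    t.on_rm_watch(1234, 99, -22); // EINVAL: nothing changes
    for (pid, paths) in t.lookup("code") {
        println!("{}: {:?}", pid, paths);
    }
}
```

The point of checking `ret` in both hooks is that a pre-call hook on `inotify_add_watch` cannot know the wd, and a hook that ignores failures would accumulate watches the process never got.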
Some applications that use inotify:
- Editors: `code`, Typora, okular, etc.
References:
- https://security.stackexchange.com/questions/210897/why-is-there-a-need-to-modify-system-call-tables-in-linux
- https://stackoverflow.com/questions/2103315/linux-kernel-system-call-hooking-example
- https://stackoverflow.com/questions/11915728/getting-user-process-pid-when-writing-linux-kernel-module
- https://uwnthesis.wordpress.com/2016/12/26/basics-of-making-a-rootkit-from-syscall-to-hook/
- https://stackoverflow.com/questions/58819136/is-it-possible-to-dump-inode-information-from-the-inotify-subsystem
Dependencies:
- cargo
- cmake>=3.0.0
- linux-headers-*
Components:
- `inotify-hook` (kernel hook module)
- `inotify-lookup` (user-space netlink client)
- `inotify-lookup-py` (user-space netlink client, for debug purposes)
Build:
- With Simple Build System:
  ```sh
  mkdir build; cd build; sbs build ..
  ```
- Manually:
  ```sh
  # build netlink client
  cargo build --release
  # build kernel hook module
  mkdir -p build; cd build; cmake ..; make
  ```
Test:
```sh
# first insert the kernel module
sudo insmod build/inotify-hook/inotify_hook.ko
# runs `run_test` in `inotify-lookup/src/lib.rs`
cargo test
# remove the kernel module after the test
sudo rmmod inotify_hook
```
TODO:
- Add DKMS compiling