When any special device file opening, do_dentry_open() function has been called. How to find out which process has called do_dentry_open() function?
Related
Please consider:
scripttmp=$(mktemp -d)
cleanup() {
rm -rf "${scripttmp}"
}
trap cleanup EXIT
I understand cleanup is a call(ed)back function, as it is being called just before exiting from the main function, from which it is part (I grasp the main function as a function in the general sense even though there is no function syntax around its code).
If I never actually called cleanup before --- I don't really "call it back"; I just call it before exiting, but not "back".
Is the term trap more accurate than the generic "callback" term in programming?
"Callback" comes from the fact that you give a routine a piece of code for later execution (for whenever some condition is fulfilled), and the routine "calls back" by executing that code.
Compare this with giving someone your phone number for when they need it. When they need it, they call you back. At that point, they may never have called you before. The process of "calling" is the callback.
In a shell script, trap is used to install a callback that will be evaluated when a signal is "caught" or "trapped". A standard shell also allows trapping a special event, namely when the shell exits (EXIT), and the bash shell additionally supports trapping errors (ERR), exit from a function (RETURN), and every simple command (DEBUG).
The trap utility does not allow for calling a callback function for generic asynchronous events.
In your example, cleanup could be called a callback function. It is installed with trap and will execute just before the current shell exits. In other words, the trap utility installs an EXIT trap that will call the callback function cleanup when the EXIT event is caught.
The code installed by trap action event will be executed in a manner equivalent to eval action when the given event occurs. The action could therefore be any shell code, not necessarily just a function call.
Another word for your cleanup function would be a "handler", a routine that handles something (in this case, handling the termination of the script), and possibly more specifically "an EXIT handler". If it was used to handle a caught signal, it would be "the signal handler for that particular signal". It is also common to call this function a "trap handler" (a handler installed by trap) or just "trap", although this is not "more accurate".
The term "call back" does not imply anyhow that it has to be called again (it's NOT called callagain or such).
It just means that the caller tells the callee how to notify him at some defined condition (so how to call him back then) - or which action to take at that condition (in behalf, the execution of the action goes back to the caller as the caller initiated that action through handing it over to the calle as the callback).
So the wording callback is very clear and consistent.
So for #Kusalananda example there are different possibilities.
Normally a single (or a single batch of) callback(s) is handed over to the callee (the routine, someone). It is well defined which type(s) of information(s) the callee will supply to the callback (so give it as arguments to the routine or tell it on phone to the recipient of the call). Possibly it's no information at all, just a call to the routine or a telephone call (so when the callback is defined to have no arguments or optional arguments). But anyhow normally the caller has some intention to hand the callback over to the callee, so the defined callback-routine or the one whos phone is ringing (it can also be a computer that gets the incoming call) is doing something the caller initiated when he gave that callback to the callee (so the action goes back to him, whether the target can identify the caller or not). Of course a callaback can be defined in a way that the callee that calls the callback always hands over some information to the callback-routine or to the someone answering the phone, it can be some detailed information about the condition, some information gathered by the calle in between or even a reference to the original caller.
On the other hand trap is a very specific word and not at all similiar or interchangeable with callback. It means about what the official translation/definition of the spoken word trap is. A trap is not called by the callee and is not handed over to a callee. A callee can be trapped. In Your example above the calee is just the remaining procedure following after installing the trap (up to the point where the trap is uninstalled or deactivated). A trap somehow is the opposite of a callback as the callee (or the trap insatlled by callee) traps some condition but from outside of the possible calees context.
In my kernel module I'd like to create multiple FDs, and pass them later to the user-space via ioctl.
The user-space code will use these FDs to wait for an event using poll() or select().
If I were creating such FDs in the user-space, I'd call eventfd(), but how do that in the kernel-space?
According to system call's expansion macro (#define SYSCALL_DEFINEx) in syscalls.h, maybe you can call sys_eventfd or sys_eventfd2 in the kernel-space.
I’m working with a native linux C binary which has a fairly expensive initialization call which I would like to perform once at application startup. This call should open a bunch of file handles internally for later use. When I call this expensive initialization C function from Go, it completes successfully and correctly opens the files but those handles are open only for the duration of the call to the C function! This means that when I call successive C functions against the same library from Go, the file handles are no longer open and the calls fail. I have verified this using the lsof command. Interestingly, when the initialization call as well as calls to subsequent behavior are composed into a single C function which is then called from Go, the files are opened and remain open, allowing successful completion of all desired functionality.
Is there some kind of undocumented cgo behavior which is “cleaning up”, shutting down, or even leaking file handles or other stateful resources between multiple invocations of C functions from Go? If so, is this behavior configurable? We don’t have access to the source code for this library.
Also, I've verified that this is not related to thread-local storage. Calling runtime.LockOSThread() has no effect and we've verified that the files are closed after control returns from C back to the calling Go code.
Here’s an example of the kind of Go code I’d like to write:
// Go code:
func main() {
C.Initialize()
C.do_stuff() // internal state is already cleaned up! This call fails as a result. :(
}
Here’s an example of a C function that invokes the initialization and behavior all at once. This “wrapping” function is invoked from Go:
// C code:
void DoEverything(void)
{
Initialize();
do_stuff(); // succeeds because all internal state is intact (not cleaned up).
}
Ok, this is a bit embarrassing, but I figured it out. Right after calling initialize(), I was calling defer close(), but it was actually defer fmt.Println(close()). Because arguments to deferred functions are resolved immediately (not deferred), the close function was being invoked before we could invoke any other behavior. The golang blog clearly explains argument resolution to deferred function calls.
Each Application has its memory space. In Windows, all process can use "OpenProcess" and "ReadProcessMemory/WriteProcessMemory(NtReadVirtualMemory/NtWriteVirtualMemory)" to read or write memory of application.
In System kernel, we can hook SSDT function "NtReadVirtualMemory/NtWriteVirtualMemory" to check who read and write memory of Application.
I have a question: Is there a way to check who read and write memory of Application in this application's process?
No. Not without hooking other processes/kernel (by hooking SSDT, as you've mentioned in your question). You can check which process has a handle to your application, but that doesn't necessarily mean that they've actually read/written anything.
To see which process has a handle to your process,
Call NtQuerySystemInformation with SystemHandleInformation(undocumented) for SystemInformationClass parameter, to enumerate all handles that are open on the system.
Duplicate all handles by calling DuplicateHandle with PROCESS_QUERY_INFORMATION access (if I recall correctly, this will filter out all non-process handles)
For each duplicated handle, call GetProcessId to get the process-id.
If the process-id matches with your application's process-id, then we can get the owner of the original handle by looking up the ProcessId field of the original SYSTEM_HANDLE_INFORMATION structure returned from NtQuerySystemInformation.
I understand the the ReadDirectoryChangesW Function uses a buffer to store the notifications, but what does overlap mean?
I presume there is protection to stop the notification you're reading from being over-written?
It is for asynchronous operations.
A call to ReadDirectoryChangesW can be completed synchronously or asynchronously. To specify asynchronous completion, open the directory with CreateFile as shown above, but additionally specify the FILE_FLAG_OVERLAPPED attribute in the dwFlagsAndAttributes parameter. Then specify an OVERLAPPED structure when you call ReadDirectoryChangesW.
See ReadDirectoryChangesW Function remarks sections.
this argument is for asynchronous operation.
on Windows, this is called "overlapped i/o". you can find this kind of parameter, with the same way of working, on a lot of function calls related to input/output (ReadFile, WriteFile, ...). more information about overlapped i/o can be found in the MSDN.