13

Sometimes, when we have to call a system call in the kernel system, we invoke its helper or related kernel functions instead of doing 'syscall'. I am still wondering: can we call a system call in kernel space? If not, what stops us from doing that?

My question is a little bit weird.

liuyruc
  • No you cannot. A system call is by definition the interface between kernel and userland – Basile Starynkevitch Apr 05 '13 at 19:00
  • I knew. What we do is call the helper or other functions. I am just curious can we make it or not. – liuyruc Apr 05 '13 at 19:06
  • And a system call is probably also a scheduling point; so you don't want to call its function at an arbitrary point in the kernel. In general, kernel coding is very tricky. You should explain much more what and why you want to do that.... – Basile Starynkevitch Apr 05 '13 at 19:29
  • I don't have a case where I have to or did use that. I am simply asking whether it is possible to do that. Sorry for confusing you. I just raised a question out of curiosity... – liuyruc Apr 05 '13 at 20:04
  • There are many books on Linux kernel programming... Did you read some? – Basile Starynkevitch Apr 05 '13 at 20:11
  • I did. The reason I ask a question here is I didn't get answer from books and source code. – liuyruc Apr 05 '13 at 23:29

1 Answer

14

Actually, contrary to popular belief (and some answers here), the answer is, yes, you can, but depending on which OS:

  • In Linux, you can call almost all system calls if you can find their kernel export (do `cat /proc/kallsyms | grep sys_` for an example). There is a minor "trick" to get around a protection in most syscalls (those which accept a user mode *), by setting the data segment (KERNEL_DS). It's not exactly recommended, but certainly makes sense if you need to access files from the kernel (e.g. SELinux).

  • In Windows, most of the Nt* calls in the kernel are also available as Zw* calls - do `dumpbin /exports C:\windows\system32\ntoskrnl.exe | findstr Zw` (or `Nt`) for an example.

  • In Mac OS X, it technically shouldn't be allowed, though there are clever hacks to get around it.

Even though system calls are indeed the interface between user mode and the kernel, there are surprisingly quite a few cases where even production-worthy code does so -- but through careful observance of caveats.

Technologeeks
  • 1
    However, it complains "Unknown symbol sys_socket" when I insmod. – Dangyi Liu Feb 12 '15 at 09:30
  • That could be because the symbol is GPL only. Linux is like that sometimes. Try the cat/grep from above, and if you do see the symbol exported (T), and still can't link to it, then it's likely that. Not all syscalls are necessarily exported. Also, with sockets in particular there are other issues, but let's not complicate - try that first – Technologeeks Feb 12 '15 at 21:13
  • @Technologeeks my Lubuntu system running 5.15.0-52 has the name as `kallsyms` instead of `kallsysms`, so I guess it is a typo in your answer, if I am not wrong... – Abhishek Ghosh Oct 26 '22 at 14:08
  • Of course. Slight typo. "kallsyms" = "kernel all symbols". Thank you – Technologeeks Oct 26 '22 at 14:10
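
An added example, not part of the answer or comments above: the `cat /proc/kallsyms | grep sys_` check extended to separate "the symbol exists" from "a module can link to it", which is the gap behind an `Unknown symbol` error at insmod. It assumes a kernel whose kallsyms lists data symbols (CONFIG_KALLSYMS_ALL), where an exported symbol also has a `__ksymtab_<name>` line; `classify_symbol`, `sample_kallsyms` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a symbol from kallsyms-format text.

# Constructed sample in /proc/kallsyms layout: address, type, name [module].
# Addresses and export status are illustrative, not taken from a real kernel.
sample_kallsyms() {
cat <<'EOF'
ffffffff81000010 T sys_close
ffffffff81000020 T sys_socket
ffffffff81000030 t do_sys_thing
ffffffff81000040 T vfs_read
ffffffff82000010 r __ksymtab_sys_close
ffffffff82000020 r __ksymtab_vfs_read
EOF
}

# classify_symbol NAME [FILE]   (FILE "-" reads stdin; default /proc/kallsyms)
# Prints one of:
#   missing              no line for NAME at all
#   local                lower-case type (e.g. t): file-local, never linkable
#   global-not-exported  upper-case type (e.g. T) but no __ksymtab_ entry,
#                        so the module loader cannot resolve it
#   exported             a __ksymtab_NAME entry exists (assumes KALLSYMS_ALL)
classify_symbol() {
    name=$1
    src=${2:-/proc/kallsyms}
    awk -v sym="$name" '
        $3 == sym                  { kind = $2 }
        $3 == ("__ksymtab_" sym)   { exported = 1 }
        END {
            if (kind == "")            print "missing"
            else if (exported)         print "exported"
            else if (kind ~ /^[A-Z]$/) print "global-not-exported"
            else                       print "local"
        }' "$src"
}

# Demo over the constructed sample.
for s in sys_close sys_socket do_sys_thing sys_nope; do
    printf '%-14s %s\n' "$s" "$(sample_kallsyms | classify_symbol "$s" -)"
done
```

Run against the live table with `classify_symbol sys_socket`; the export entry does not say whether the export is GPL-only, so a license mismatch still has to be checked separately.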