I hooked sys_execve because I need to build a simple monitor that prints when files are executed, but the problem is when someone runs a program like this:
./exefilename
It prints in the log file only the name of the file and not the full path. Also, in this case my monitor will print
./exefilename
instead of the full path name, so I was wondering if there is any way to find the pwd of the bash that called the execve system call?
This is my monitor code:
static asmlinkage long our_execl(const char __user * filename,
                                 const char __user * const __user * argv,
                                 const char __user * const __user * envp) {
    char buf[256];
    /* Copy the path as passed by the caller; negative return means a fault */
    long n = strncpy_from_user(buf, filename, 255);
    if (n >= 0) {
        buf[255] = '\0';
        printk("%s\n", buf);
    }
    return return_orginal(filename, argv, envp); /* call the real sys_execve */
}
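
The path resolution the question asks about, as an added userland example that is not part of the original post: it joins the caller's working directory with the filename given to execve and collapses "." and ".." lexically. The function name `resolve_exec_path` and the sample paths are hypothetical; it assumes the hook already has the caller's cwd as a string (in a kernel hook, the calling task's working directory is `current->fs->pwd`, which `d_path()` can render into a buffer).

```c
#include <stdio.h>
#include <string.h>
/* Join the caller's cwd with the filename given to execve and collapse
 * "." and ".." lexically (symlinks are not followed).
 * Returns 0 on success, -1 if the result does not fit. */
int resolve_exec_path(const char *cwd, const char *filename,
                      char *out, size_t outsz)
{
    char tmp[4096];
    size_t len = 0;                      /* bytes written to out */
    int n;
    if (filename[0] == '/')              /* absolute: cwd is irrelevant */
        n = snprintf(tmp, sizeof(tmp), "%s", filename);
    else
        n = snprintf(tmp, sizeof(tmp), "%s/%s", cwd, filename);
    if (n < 0 || (size_t)n >= sizeof(tmp) || outsz < 2)
        return -1;
    out[0] = '\0';
    for (char *p = tmp; *p; ) {
        while (*p == '/') p++;           /* skip separators */
        size_t seg = strcspn(p, "/");    /* length of this component */
        if (seg == 2 && p[0] == '.' && p[1] == '.') {
            while (len > 0 && out[--len] != '/')
                ;                        /* drop the last component */
            out[len] = '\0';
        } else if (seg > 0 && !(seg == 1 && p[0] == '.')) {
            if (len + 1 + seg >= outsz)
                return -1;
            out[len++] = '/';
            memcpy(out + len, p, seg);
            len += seg;
            out[len] = '\0';
        }
        p += seg;
    }
    if (len == 0)                        /* everything collapsed to root */
        strcpy(out, "/");
    return 0;
}

int main(void)
{
    char path[256];
    /* Constructed sample: a shell in /home/user runs ./exefilename */
    if (resolve_exec_path("/home/user", "./exefilename", path, sizeof(path)) == 0)
        printf("%s\n", path);
    return 0;
}
```

Because the normalization is lexical, a cwd or filename that passes through a symlink yields a path that may differ from the file actually executed, so a monitor that needs the real file should log the resolved executable as well.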